NAME

SYNOPSIS

void
X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags);

void
X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long dummy, time_t time);

void
X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);

int
X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);

int
X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);

int
X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, int purpose, int trust);

X509_VERIFY_PARAM *
X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);

void
X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);

int
X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);

DESCRIPTION

X509_STORE_CTX_set_flags() sets the internal verification parameter flags to flags. See X509_VERIFY_PARAM_set_flags(3) for a description of the verification flags.

X509_STORE_CTX_set_time() sets the verification time using X509_VERIFY_PARAM_set_time(3). The dummy argument is ignored.

X509_STORE_CTX_set_depth() sets the maximum verification depth using X509_VERIFY_PARAM_set_depth(3). That is the maximum number of untrusted CA certificates that can appear in a chain.

X509_STORE_CTX_set_trust() sets the trust identifier that can also be set using X509_VERIFY_PARAM_set_trust(3). If the trust argument is 0 or invalid or the trust identifier is already set to a non-zero value in the X509_VERIFY_PARAM object, no action occurs. Here and in the following, X509_TRUST_DEFAULT counts as invalid.

X509_STORE_CTX_set_purpose() sets the purpose identifier that can also be set using X509_VERIFY_PARAM_set_purpose(3). If the purpose argument is 0 or any failure occurs, nothing is changed.

In the following, the trust identifier contained in the X509_PURPOSE object associated with purpose is called the “associated trust”.

The function fails if the purpose argument or the associated trust is not 0 but invalid; otherwise, X509_STORE_CTX_set_purpose() also does the equivalent of calling X509_STORE_CTX_set_trust() with the associated trust.

If the purpose identifier is already set to a non-zero value in the X509_VERIFY_PARAM object, it is not changed, even if the purpose argument is valid, too.

X509_STORE_CTX_purpose_inherit() is similar to X509_STORE_CTX_set_purpose(), with the following modifications:

• If the purpose argument is 0, def_purpose is used instead.
• If the associated trust is X509_TRUST_DEFAULT, the trust associated with def_purpose is used instead, or if def_purpose is 0 or invalid, the function fails.
• If the trust argument is not 0, it is used instead of the associated trust, and the equivalent of calling X509_STORE_CTX_set_trust() is done even if both purpose and def_purpose are 0. Even if the trust argument is not 0, if the (then unused) associated trust is X509_TRUST_DEFAULT, def_purpose is still required to be valid.

Note that, even if all arguments are valid and the return value is 1, it is possible that nothing changed, or that only either one of the purpose and trust identifiers were set, or that both were set. It can also happen that the purpose identifier gets set according to the purpose argument, but the trust identifier gets set according to the def_purpose argument in the same call.

The intended way of using this function is to pass the purpose and trust attributes of another structure of an arbitrary type as the purpose and trust arguments, and to provide def_purpose as a fallback in case the settings in the other structure are incomplete.

X509_STORE_CTX_get0_param() retrieves an internal pointer to the verification parameters associated with ctx.

X509_STORE_CTX_set0_param() sets the internal verification parameter pointer to param. After this call param should not be used.

X509_STORE_CTX_set_default() looks up and sets the default verification method to name. This uses the function X509_VERIFY_PARAM_lookup(3) to find an appropriate set of parameters from name and copies them using X509_VERIFY_PARAM_inherit(3).

RETURN VALUES

X509_STORE_CTX_set_purpose() returns 1 if both the purpose argument and the associated trust are 0 or valid. It returns 0 if either the purpose argument or the associated trust is not 0 but invalid. A return value of 1 does not imply that any data was changed.

X509_STORE_CTX_purpose_inherit() returns 0 if:

• The purpose argument is not 0 and invalid.
• The purpose argument is 0 and the def_purpose argument is not 0 and invalid.
• The associated trust is X509_TRUST_DEFAULT and the def_purpose argument is 0 or invalid, or the trust identifier associated with it is not 0 but invalid.
• The trust argument is not 0 and invalid.
• The trust argument is 0 and the associated trust is neither 0 nor X509_TRUST_DEFAULT but invalid.

Otherwise, X509_STORE_CTX_purpose_inherit() returns 1, which does not imply that any data was changed.

X509_STORE_CTX_get0_param() returns a pointer to an X509_VERIFY_PARAM structure or NULL if an error occurred.

X509_STORE_CTX_set_default() returns 1 for success or 0 if an error occurred.

ERRORS

X509_R_UNKNOWN_TRUST_ID “unknown trust id”

The trust argument or the trust identifier associated with purpose or def_purpose is not 0 but invalid,

X509_R_UNKNOWN_PURPOSE_ID “unknown purpose id”

The purpose argument is not 0 and invalid. Or it is 0 and the def_purpose argument is not 0 and invalid. Or the associated trust is X509_TRUST_DEFAULT and def_purpose is 0 or invalid.

The other functions provide no diagnostics.

SEE ALSO

HISTORY

X509_STORE_CTX_set_trust(), X509_STORE_CTX_set_purpose(), and X509_STORE_CTX_purpose_inherit() first appeared in OpenSSL 0.9.5 and have been available since OpenBSD 2.7.

X509_STORE_CTX_set_flags() and X509_STORE_CTX_set_time() first appeared in OpenSSL 0.9.6 and have been available since OpenBSD 2.9.

X509_STORE_CTX_get0_param(), X509_STORE_CTX_set0_param(), and X509_STORE_CTX_set_default() first appeared in OpenSSL 0.9.8 and have been available since OpenBSD 4.5.