evp_rand: documentation

[openssl.git] / doc / man3 / X509_STORE_CTX_set_verify_cb.pod

diff --git a/doc/man3/X509_STORE_CTX_set_verify_cb.pod b/doc/man3/X509_STORE_CTX_set_verify_cb.pod
index f8e5501bbc8220c99577f121c86bf6c2a5309934..3c081e1de744d65fdde39dd0f1de298e07db315b 100644 (file)
--- a/doc/man3/X509_STORE_CTX_set_verify_cb.pod
+++ b/doc/man3/X509_STORE_CTX_set_verify_cb.pod
@@ -14,14 +14,16 @@ X509_STORE_CTX_get_check_issued,
 X509_STORE_CTX_get_get_issuer,
 X509_STORE_CTX_get_verify_cb,
 X509_STORE_CTX_set_verify_cb,
-X509_STORE_CTX_verify_cb
-- get and set verification callback
+X509_STORE_CTX_verify_cb,
+X509_STORE_CTX_print_verify_cb
+- get and set X509_STORE_CTX components such as verification callback
 
 =head1 SYNOPSIS
 
  #include <openssl/x509_vfy.h>
 
  typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
+ int X509_STORE_CTX_print_verify_cb(int ok, X509_STORE_CTX *ctx);
 
  X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx);
 
@@ -63,6 +65,12 @@ structure and receive additional information about the error, for example
 by calling X509_STORE_CTX_get_current_cert(). Additional application data can
 be passed to the callback via the B<ex_data> mechanism.
 
+X509_STORE_CTX_print_verify_cb() is a verification callback function that,
+when a certificate verification has failed, adds an entry to the error queue
+with code B<X509_R_CERTIFICATE_VERIFICATION_FAILED> and with diagnostic details,
+including the most relevant fields of the target certificate that failed to
+verify and, if appropriate, of the available untrusted and trusted certificates.
+
 X509_STORE_CTX_get_verify_cb() returns the value of the current callback
 for the specific B<ctx>.
 
@@ -76,7 +84,7 @@ from the corresponding B<X509_STORE>, please see
 L<X509_STORE_set_verify(3)> for more information.
 
 
-=head1 WARNING
+=head1 WARNINGS
 
 In general a verification callback should B<NOT> unconditionally return 1 in
 all circumstances because this will allow verification to succeed no matter
@@ -122,6 +130,7 @@ expired just one specific case:
  {
      int err = X509_STORE_CTX_get_error(ctx);
      X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
+
      if (err == X509_V_ERR_CERT_HAS_EXPIRED) {
          if (check_is_acceptable_expired_cert(err_cert)
              return 1;
@@ -191,18 +200,21 @@ L<X509_STORE_CTX_get_ex_new_index(3)>
 
 =head1 HISTORY
 
+The
 X509_STORE_CTX_get_get_issuer(),
 X509_STORE_CTX_get_check_issued(), X509_STORE_CTX_get_check_revocation(),
 X509_STORE_CTX_get_get_crl(), X509_STORE_CTX_get_check_crl(),
 X509_STORE_CTX_get_cert_crl(), X509_STORE_CTX_get_check_policy(),
 X509_STORE_CTX_get_lookup_certs(), X509_STORE_CTX_get_lookup_crls()
-and X509_STORE_CTX_get_cleanup() were added in OpenSSL 1.1.0.
+and X509_STORE_CTX_get_cleanup() functions were added in OpenSSL 1.1.0.
+
+X509_STORE_CTX_print_verify_cb() was added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2009-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
 
-Licensed under the OpenSSL license (the "License").  You may not use
+Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
 in the file LICENSE in the source distribution or at
 L<https://www.openssl.org/source/license.html>.