6 X509_STORE_add_cert, X509_STORE_add_crl, X509_STORE_set_depth,
7 X509_STORE_set_flags, X509_STORE_set_purpose, X509_STORE_set_trust,
9 X509_STORE_load_file_ex, X509_STORE_load_file, X509_STORE_load_path,
10 X509_STORE_load_store_ex, X509_STORE_load_store,
11 X509_STORE_set_default_paths_ex, X509_STORE_set_default_paths,
12 X509_STORE_load_locations_ex, X509_STORE_load_locations
13 - X509_STORE manipulation
17 #include <openssl/x509_vfy.h>
19 typedef x509_store_st X509_STORE;
21 int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
22 int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
23 int X509_STORE_set_depth(X509_STORE *store, int depth);
24 int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
25 int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
26 int X509_STORE_set_trust(X509_STORE *ctx, int trust);
28 X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *store,
29 X509_LOOKUP_METHOD *meth);
31 int X509_STORE_set_default_paths_ex(X509_STORE *ctx, OSSL_LIB_CTX *libctx,
33 int X509_STORE_set_default_paths(X509_STORE *ctx);
34 int X509_STORE_load_file_ex(X509_STORE *ctx, const char *file,
35 OSSL_LIB_CTX *libctx, const char *propq);
36 int X509_STORE_load_file(X509_STORE *ctx, const char *file);
37 int X509_STORE_load_path(X509_STORE *ctx, const char *dir);
38 int X509_STORE_load_store_ex(X509_STORE *ctx, const char *uri,
39 OSSL_LIB_CTX *libctx, const char *propq);
40 int X509_STORE_load_store(X509_STORE *ctx, const char *uri);
41 int X509_STORE_load_locations_ex(X509_STORE *ctx, const char *file,
42 const char *dir, OSSL_LIB_CTX *libctx,
44 int X509_STORE_load_locations(X509_STORE *ctx,
45 const char *file, const char *dir);
49 The B<X509_STORE> structure is intended to be a consolidated mechanism for
50 holding information about X.509 certificates and CRLs, and constructing
51 and validating chains of certificates terminating in trusted roots.
52 It admits multiple lookup mechanisms and efficient scaling performance
53 with large numbers of certificates, and a great deal of flexibility in
54 how validation and policy checks are performed.
56 Details of the chain building and checking process are described in
57 L<openssl-verification-options(1)/Certification Path Building> and
58 L<openssl-verification-options(1)/Certification Path Validation>.
60 L<X509_STORE_new(3)> creates an empty B<X509_STORE> structure, which contains
61 no information about trusted certificates or where such certificates
62 are located on disk, and is generally not usable. Normally, trusted
63 certificates will be added to the B<X509_STORE> to prepare it for use,
64 via mechanisms such as X509_STORE_add_lookup() and X509_LOOKUP_file(), or
65 PEM_read_bio_X509_AUX() and X509_STORE_add_cert(). CRLs can also be added,
66 and many behaviors configured as desired.
68 Once the B<X509_STORE> is suitably configured, X509_STORE_CTX_new() is
69 used to instantiate a single-use B<X509_STORE_CTX> for each chain-building
70 and verification operation. That process includes providing the end-entity
71 certificate to be verified and an additional set of untrusted certificates
72 that may be used in chain-building. As such, it is expected that the
73 certificates included in the B<X509_STORE> are certificates that represent
74 trusted entities such as root certificate authorities (CAs).
75 OpenSSL represents these trusted certificates internally as B<X509> objects
76 with an associated B<X509_CERT_AUX>, as are produced by
77 PEM_read_bio_X509_AUX() and similar routines that refer to X509_AUX.
78 The public interfaces that operate on such trusted certificates still
79 operate on pointers to B<X509> objects, though.
81 X509_STORE_add_cert() and X509_STORE_add_crl() add the respective object
82 to the B<X509_STORE>'s local storage. Untrusted objects should not be
83 added in this way. The added object's reference count is incremented by one,
84 hence the caller retains ownership of the object and needs to free it when it
87 X509_STORE_set_depth(), X509_STORE_set_flags(), X509_STORE_set_purpose(),
88 X509_STORE_set_trust(), and X509_STORE_set1_param() set the default values
89 for the corresponding values used in certificate chain validation. Their
90 behavior is documented in the corresponding B<X509_VERIFY_PARAM> manual
91 pages, e.g., L<X509_VERIFY_PARAM_set_depth(3)>.
93 X509_STORE_add_lookup() finds or creates a L<X509_LOOKUP(3)> with the
94 L<X509_LOOKUP_METHOD(3)> I<meth> and adds it to the B<X509_STORE>
95 I<store>. This also associates the B<X509_STORE> with the lookup, so
96 B<X509_LOOKUP> functions can look up objects in that store.
98 X509_STORE_load_file_ex() loads trusted certificate(s) into an
99 B<X509_STORE> from a given file. The library context I<libctx> and property
100 query I<propq> are used when fetching algorithms from providers.
102 X509_STORE_load_file() is similar to X509_STORE_load_file_ex() but
103 uses NULL for the library context I<libctx> and property query I<propq>.
105 X509_STORE_load_path() loads trusted certificate(s) into an
106 B<X509_STORE> from a given directory path.
107 The certificates in the directory must be in hashed form, as
108 documented in L<X509_LOOKUP_hash_dir(3)>.
110 X509_STORE_load_store_ex() loads trusted certificate(s) into an
111 B<X509_STORE> from a store at a given URI. The library context I<libctx> and
112 property query I<propq> are used when fetching algorithms from providers.
114 X509_STORE_load_store() is similar to X509_STORE_load_store_ex() but
115 uses NULL for the library context I<libctx> and property query I<propq>.
117 X509_STORE_load_locations_ex() combines
118 X509_STORE_load_file_ex() and X509_STORE_load_dir() for a given file
119 and/or directory path.
120 It is permitted to specify just a file, just a directory, or both
123 X509_STORE_load_locations() is similar to X509_STORE_load_locations_ex()
124 but uses NULL for the library context I<libctx> and property query I<propq>.
126 X509_STORE_set_default_paths_ex() is somewhat misnamed, in that it does
127 not set what default paths should be used for loading certificates. Instead,
128 it loads certificates into the B<X509_STORE> from the hardcoded default
129 paths. The library context I<libctx> and property query I<propq> are used when
130 fetching algorithms from providers.
132 X509_STORE_set_default_paths() is similar to
133 X509_STORE_set_default_paths_ex() but uses NULL for the library
134 context I<libctx> and property query I<propq>.
138 X509_STORE_add_cert(), X509_STORE_add_crl(), X509_STORE_set_depth(),
139 X509_STORE_set_flags(), X509_STORE_set_purpose(), X509_STORE_set_trust(),
140 X509_STORE_load_file_ex(), X509_STORE_load_file(),
141 X509_STORE_load_path(),
142 X509_STORE_load_store_ex(), X509_STORE_load_store(),
143 X509_STORE_load_locations_ex(), X509_STORE_load_locations(),
144 X509_STORE_set_default_paths_ex() and X509_STORE_set_default_paths()
145 return 1 on success or 0 on failure.
147 X509_STORE_add_lookup() returns the found or created
148 L<X509_LOOKUP(3)>, or NULL on error.
152 L<X509_LOOKUP_hash_dir(3)>.
153 L<X509_VERIFY_PARAM_set_depth(3)>.
154 L<X509_STORE_new(3)>,
155 L<X509_STORE_get0_param(3)>
159 The functions X509_STORE_set_default_paths_ex(),
160 X509_STORE_load_file_ex(), X509_STORE_load_store_ex() and
161 X509_STORE_load_locations_ex() were added in OpenSSL 3.0.
165 Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
167 Licensed under the Apache License 2.0 (the "License"). You may not use
168 this file except in compliance with the License. You can obtain a copy
169 in the file LICENSE in the source distribution or at
170 L<https://www.openssl.org/source/license.html>.