From c96548737363689e6444e424b39279e14c61c80d Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni
Date: Wed, 27 Apr 2016 14:36:48 -0400
Subject: [PATCH] Implement X509_STORE_CTX_set_current_cert() accessor

Reviewed-by: Rich Salz
---
 crypto/x509/x509_vfy.c | 5 +++++
 doc/crypto/X509_STORE_CTX_get_error.pod | 29 ++++++++++++++++++++-----
 include/openssl/x509_vfy.h | 1 +
 3 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 30eabcb558..2b17b29f1d 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1999,6 +1999,11 @@ X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
     return ctx->current_cert;
 }
 
+void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x)
+{
+    ctx->current_cert = x;
+}
+
 STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
 {
     return ctx->chain;
diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod
index 8c3975c6e2..5ca3cdcbdd 100644
--- a/doc/crypto/X509_STORE_CTX_get_error.pod
+++ b/doc/crypto/X509_STORE_CTX_get_error.pod
@@ -4,8 +4,10 @@
 X509_STORE_CTX_get_error, X509_STORE_CTX_set_error,
 X509_STORE_CTX_get_error_depth, X509_STORE_CTX_set_error_depth,
-X509_STORE_CTX_get_current_cert, X509_STORE_CTX_get0_cert,
-X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificate verification status information
+X509_STORE_CTX_get_current_cert, X509_STORE_CTX_set_current_cert,
+X509_STORE_CTX_get0_cert, X509_STORE_CTX_get1_chain,
+X509_verify_cert_error_string - get or set certificate verification status
+information
 =head1 SYNOPSIS
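Review bot: X509_STORE_CTX_set_current_cert() in the x509_vfy.c hunk stores `x` in `ctx->current_cert` without taking a reference, so the context holds a borrowed pointer that X509_STORE_CTX_get_current_cert() later hands back; if the caller frees `x` while it is still the current cert, a verification callback would read a dangling pointer. That ownership rule is stated only in the pod hunk, and a reader of the source or of the declaration in the x509_vfy.h hunk sees nothing of it, so the definition (or the header line) should carry a comment such as `/* Stores a borrowed pointer, no reference is taken: x must stay alive while it is the current cert, cf. X509_STORE_CTX_get_current_cert(). */`. Whether current_cert is ever cleared or released elsewhere is not visible in these five added lines, so that part is an inference. The placement next to the getter, with the same unchecked `ctx` dereference, is consistent with the neighbouring accessors.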
@@ -13,10 +15,11 @@ X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificat
  #include
  int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
- void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
+ void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
  int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
  void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth);
  X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
+ void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x);
  X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx);
  STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
@@ -44,11 +47,23 @@ X509_STORE_CTX_set_error_depth() sets the error B. This can be used in
 combination with X509_STORE_CTX_set_error() to set the depth at which an error condition was detected.
-X509_STORE_CTX_get0_cert() returns the leaf certificate being verified.
-
 X509_STORE_CTX_get_current_cert() returns the certificate in B which caused the error or B if no certificate is relevant.
+X509_STORE_CTX_set_current_cert() sets the certificate B in B which
+caused the error.
+This value is not intended to remain valid for very long, and remains owned by
+the caller.
+It may be examined by a verification callback invoked to handle each error
+encountered during chain verification and is no longer required after such a
+callback.
+If a callback wishes the save the certificate for use after it returns, it
+needs to increment its reference count via L.
+Once such a I certificate is no longer needed it can be freed with
+L.
+
+X509_STORE_CTX_get0_cert() returns the leaf certificate being verified.
+
 X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous call to X509_verify_cert() is successful. If the call to X509_verify_cert() is B successful the returned chain may be incomplete or invalid. The
@@ -307,7 +322,9 @@ thread safe but will never happen unless an invalid code is passed.
 =head1 SEE ALSO
-L
+L,
+L,
+L.
 =head1 HISTORY
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index 6df09ebf0d..65370b4aef 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -372,6 +372,7 @@ void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
 int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth);
 X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
+void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x);
 X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx);
 X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx);
 X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx);
-- 
2.34.1