5 X509_STORE_CTX_set_verify_cb - set verification callback
9 #include <openssl/x509_vfy.h>
11 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
12 int (*verify_cb)(int ok, X509_STORE_CTX *ctx));
16 X509_STORE_CTX_set_verify_cb() sets the verification callback of B<ctx> to
17 B<verify_cb> overwriting any existing callback.
19 The verification callback can be used to customise the operation of certificate
20 verification, either by overriding error conditions or logging errors for
23 However a verification callback is B<not> essential and the default operation
26 The B<ok> parameter to the callback indicates the value the callback should
27 return to retain the default behaviour. If it is zero then and error condition
28 is indicated. If it is 1 then no error occurred. If the flag
29 B<X509_V_FLAG_NOTIFY_POLICY> is set then B<ok> is set to 2 to indicate the
30 policy checking is complete.
32 The B<ctx> parameter to the callback is the B<X509_STORE_CTX> structure that
33 is performing the verification operation. A callback can examine this
34 structure and receive additional information about the error, for example
35 by calling X509_STORE_CTX_get_current_cert(). Additional application data can
36 be passed to the callback via the B<ex_data> mechanism.
40 In general a verification callback should B<NOT> unconditionally return 1 in
41 all circumstances because this will allow verification to succeed no matter
42 what the error. This effectively removes all security from the application
43 because B<any> certificate (including untrusted generated ones) will be
48 The verification callback can be set and inherited from the parent structure
49 performing the operation. In some cases (such as S/MIME verification) the
50 B<X509_STORE_CTX> structure is created and destroyed internally and the
51 only way to set a custom verification callback is by inheriting it from the
52 associated B<X509_STORE>.
56 X509_STORE_CTX_set_verify_cb() does not return a value.
60 Default callback operation:
62 int verify_callback(int ok, X509_STORE_CTX *ctx)
67 Simple example, suppose a certificate in the chain is expired and we wish
68 to continue after this error:
70 int verify_callback(int ok, X509_STORE_CTX *ctx)
72 /* Tolerate certificate expiration */
73 if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
75 /* Otherwise don't override */
79 More complex example, we don't wish to continue after B<any> certificate has
80 expired just one specific case:
82 int verify_callback(int ok, X509_STORE_CTX *ctx)
84 int err = X509_STORE_CTX_get_error(ctx);
85 X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
86 if (err == X509_V_ERR_CERT_HAS_EXPIRED)
88 if (check_is_acceptable_expired_cert(err_cert)
94 Full featured logging callback. In this case the B<bio_err> is assumed to be
95 a global logging B<BIO>, an alternative would to store a BIO in B<ctx> using
98 int verify_callback(int ok, X509_STORE_CTX *ctx)
103 err_cert = X509_STORE_CTX_get_current_cert(ctx);
104 err = X509_STORE_CTX_get_error(ctx);
105 depth = X509_STORE_CTX_get_error_depth(ctx);
107 BIO_printf(bio_err,"depth=%d ",depth);
110 X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
112 BIO_puts(bio_err, "\n");
115 BIO_puts(bio_err, "<no cert>\n");
117 BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
118 X509_verify_cert_error_string(err));
121 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
122 BIO_puts(bio_err,"issuer= ");
123 X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
125 BIO_puts(bio_err, "\n");
127 case X509_V_ERR_CERT_NOT_YET_VALID:
128 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
129 BIO_printf(bio_err,"notBefore=");
130 ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert));
131 BIO_printf(bio_err,"\n");
133 case X509_V_ERR_CERT_HAS_EXPIRED:
134 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
135 BIO_printf(bio_err,"notAfter=");
136 ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert));
137 BIO_printf(bio_err,"\n");
139 case X509_V_ERR_NO_EXPLICIT_POLICY:
140 policies_print(bio_err, ctx);
143 if (err == X509_V_OK && ok == 2)
144 /* print out policies */
146 BIO_printf(bio_err,"verify return:%d\n",ok);
152 L<X509_STORE_CTX_get_error(3)|X509_STORE_CTX_get_error(3)>
153 L<X509_STORE_set_verify_cb_func(3)|X509_STORE_set_verify_cb_func(3)>
154 L<X509_STORE_CTX_get_ex_new_index(3)|X509_STORE_CTX_get_ex_new_index(3)>
158 X509_STORE_CTX_set_verify_cb() is available in all versions of SSLeay and