=head1 NAME
-X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free,
-X509_STORE_CTX_init, X509_STORE_CTX_set0_trusted_stack, X509_STORE_CTX_set_cert,
-X509_STORE_CTX_set0_crls,
+X509_STORE_CTX_new_with_libctx, X509_STORE_CTX_new, X509_STORE_CTX_cleanup,
+X509_STORE_CTX_free, X509_STORE_CTX_init, X509_STORE_CTX_set0_trusted_stack,
+X509_STORE_CTX_set_cert, X509_STORE_CTX_set0_crls,
X509_STORE_CTX_get0_chain, X509_STORE_CTX_set0_verified_chain,
X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param,
X509_STORE_CTX_get0_untrusted, X509_STORE_CTX_set0_untrusted,
#include <openssl/x509_vfy.h>
+ X509_STORE_CTX *X509_STORE_CTX_new_with_libctx(OPENSSL_CTX *libctx,
+ const char *propq);
X509_STORE_CTX *X509_STORE_CTX_new(void);
void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
These functions initialise an B<X509_STORE_CTX> structure for subsequent use
by X509_verify_cert().
-X509_STORE_CTX_new() returns a newly initialised B<X509_STORE_CTX> structure.
+X509_STORE_CTX_new_with_libctx() returns a newly initialised B<X509_STORE_CTX>
+structure associated with the specified library context I<libctx> and property
+query string I<propq>. Any cryptographic algorithms fetched while performing
+processing with the X509_STORE_CTX will use that library context and property
+query string.
+
+X509_STORE_CTX_new() is the same as X509_STORE_CTX_new_with_libctx() except that
+the default library context and a NULL property query string are used.
X509_STORE_CTX_cleanup() internally cleans up an B<X509_STORE_CTX> structure.
The context can then be reused with an new call to X509_STORE_CTX_init().
-X509_STORE_CTX_free() completely frees up B<ctx>. After this call B<ctx>
+X509_STORE_CTX_free() completely frees up I<ctx>. After this call I<ctx>
is no longer valid.
-If B<ctx> is NULL nothing is done.
+If I<ctx> is NULL nothing is done.
-X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
-It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only
+X509_STORE_CTX_init() sets up I<ctx> for a subsequent verification operation.
+It must be called before each call to X509_verify_cert(), i.e. a I<ctx> is only
good for one call to X509_verify_cert(); if you want to verify a second
-certificate with the same B<ctx> then you must call X509_STORE_CTX_cleanup()
+certificate with the same I<ctx> then you must call X509_STORE_CTX_cleanup()
and then X509_STORE_CTX_init() again before the second call to
-X509_verify_cert(). The trusted certificate store is set to B<store>, the end
-entity certificate to be verified is set to B<x509> and a set of additional
+X509_verify_cert(). The trusted certificate store is set to I<store>, the end
+entity certificate to be verified is set to I<x509> and a set of additional
certificates (which will be untrusted but may be used to build the chain) in
-B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be
+I<chain>. Any or all of the I<store>, I<x509> and I<chain> parameters can be
B<NULL>.
X509_STORE_CTX_set0_trusted_stack() sets the set of trusted certificates of
-B<ctx> to B<sk>. This is an alternative way of specifying trusted certificates
+I<ctx> to I<sk>. This is an alternative way of specifying trusted certificates
instead of using an B<X509_STORE>.
-X509_STORE_CTX_set_cert() sets the certificate to be verified in B<ctx> to
-B<x>.
+X509_STORE_CTX_set_cert() sets the certificate to be verified in I<ctx> to
+I<x>.
X509_STORE_CTX_set0_verified_chain() sets the validated chain used
-by B<ctx> to be B<chain>.
-Ownership of the chain is transferred to B<ctx> and should not be
+by I<ctx> to be I<chain>.
+Ownership of the chain is transferred to I<ctx> and should not be
free'd by the caller.
X509_STORE_CTX_get0_chain() returns a the internal pointer used by the
-B<ctx> that contains the validated chain.
+I<ctx> that contains the validated chain.
X509_STORE_CTX_set0_crls() sets a set of CRLs to use to aid certificate
-verification to B<sk>. These CRLs will only be used if CRL verification is
+verification to I<sk>. These CRLs will only be used if CRL verification is
enabled in the associated B<X509_VERIFY_PARAM> structure. This might be
used where additional "useful" CRLs are supplied as part of a protocol,
for example in a PKCS#7 structure.
X509_STORE_CTX_get0_param() retrieves an internal pointer
-to the verification parameters associated with B<ctx>.
+to the verification parameters associated with I<ctx>.
X509_STORE_CTX_get0_untrusted() retrieves an internal pointer to the
-stack of untrusted certificates associated with B<ctx>.
+stack of untrusted certificates associated with I<ctx>.
X509_STORE_CTX_set0_untrusted() sets the internal point to the stack
-of untrusted certificates associated with B<ctx> to B<sk>.
+of untrusted certificates associated with I<ctx> to I<sk>.
X509_STORE_CTX_set0_param() sets the internal verification parameter pointer
-to B<param>. After this call B<param> should not be used.
+to I<param>. After this call B<param> should not be used.
X509_STORE_CTX_set_default() looks up and sets the default verification
-method to B<name>. This uses the function X509_VERIFY_PARAM_lookup() to
-find an appropriate set of parameters from B<name>.
+method to I<name>. This uses the function X509_VERIFY_PARAM_lookup() to
+find an appropriate set of parameters from I<name>.
X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates
that were used in building the chain following a call to X509_verify_cert().
The X509_STORE_CTX_set0_crls() function was added in OpenSSL 1.0.0.
The X509_STORE_CTX_get_num_untrusted() function was added in OpenSSL 1.1.0.
+The X509_STORE_CTX_new_with_libctx() function was added in OpenSSL 3.0.
=head1 COPYRIGHT