[openssl-commits] [openssl] master update
Rich Salz
rsalz at openssl.org
Thu Apr 28 17:52:16 UTC 2016
The branch master has been updated
via d5553b4cb5da81c157040fb9d1bedeeed0cf4703 (commit)
via c96548737363689e6444e424b39279e14c61c80d (commit)
from 68423b146151a15c5373a24506506c588ae08729 (commit)
- Log -----------------------------------------------------------------
commit d5553b4cb5da81c157040fb9d1bedeeed0cf4703
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date: Wed Apr 27 14:37:19 2016 -0400
make update
Recycling an unused slot.
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit c96548737363689e6444e424b39279e14c61c80d
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date: Wed Apr 27 14:36:48 2016 -0400
Implement X509_STORE_CTX_set_current_cert() accessor
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/x509_vfy.c | 5 +++++
doc/crypto/X509_STORE_CTX_get_error.pod | 29 +++++++++++++++++++++++------
include/openssl/x509_vfy.h | 1 +
util/libcrypto.num | 1 +
4 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 30eabcb..2b17b29 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1999,6 +1999,11 @@ X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
return ctx->current_cert;
}
+void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x)
+{
+ ctx->current_cert = x;
+}
+
STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
{
return ctx->chain;
diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod
index 8c3975c..5ca3cdc 100644
--- a/doc/crypto/X509_STORE_CTX_get_error.pod
+++ b/doc/crypto/X509_STORE_CTX_get_error.pod
@@ -4,8 +4,10 @@
X509_STORE_CTX_get_error, X509_STORE_CTX_set_error,
X509_STORE_CTX_get_error_depth, X509_STORE_CTX_set_error_depth,
-X509_STORE_CTX_get_current_cert, X509_STORE_CTX_get0_cert,
-X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificate verification status information
+X509_STORE_CTX_get_current_cert, X509_STORE_CTX_set_current_cert,
+X509_STORE_CTX_get0_cert, X509_STORE_CTX_get1_chain,
+X509_verify_cert_error_string - get or set certificate verification status
+information
=head1 SYNOPSIS
@@ -13,10 +15,11 @@ X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificat
#include <openssl/x509_vfy.h>
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
- void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
+ void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth);
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
+ void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x);
X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx);
STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
@@ -44,11 +47,23 @@ X509_STORE_CTX_set_error_depth() sets the error B<depth>.
This can be used in combination with X509_STORE_CTX_set_error() to set the
depth at which an error condition was detected.
-X509_STORE_CTX_get0_cert() returns the leaf certificate being verified.
-
X509_STORE_CTX_get_current_cert() returns the certificate in B<ctx> which
caused the error or B<NULL> if no certificate is relevant.
+X509_STORE_CTX_set_current_cert() sets the certificate B<x> in B<ctx> which
+caused the error.
+This value is not intended to remain valid for very long, and remains owned by
+the caller.
+It may be examined by a verification callback invoked to handle each error
+encountered during chain verification and is no longer required after such a
+callback.
+If a callback wishes the save the certificate for use after it returns, it
+needs to increment its reference count via L<X509_up_ref(3)>.
+Once such a I<saved> certificate is no longer needed it can be freed with
+L<X509_free(3)>.
+
+X509_STORE_CTX_get0_cert() returns the leaf certificate being verified.
+
X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous
call to X509_verify_cert() is successful. If the call to X509_verify_cert()
is B<not> successful the returned chain may be incomplete or invalid. The
@@ -307,7 +322,9 @@ thread safe but will never happen unless an invalid code is passed.
=head1 SEE ALSO
-L<X509_verify_cert(3)>
+L<X509_verify_cert(3)>,
+L<X509_up_ref(3)>,
+L<X509_free(3)>.
=head1 HISTORY
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index 6df09eb..65370b4 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -372,6 +372,7 @@ void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth);
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
+void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x);
X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx);
X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx);
X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx);
diff --git a/util/libcrypto.num b/util/libcrypto.num
index fbdd1d7..1f254ba 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4201,6 +4201,7 @@ X509_STORE_CTX_get0_untrusted 4074 1_1_0 EXIST::FUNCTION:
X509_STORE_CTX_set_error_depth 4075 1_1_0 EXIST::FUNCTION:
X509_STORE_CTX_get0_cert 4076 1_1_0 EXIST::FUNCTION:
X509_STORE_CTX_set_verify 4077 1_1_0 EXIST::FUNCTION:
+X509_STORE_CTX_set_current_cert 4078 1_1_0 EXIST::FUNCTION:
X509_STORE_CTX_get_verify 4079 1_1_0 EXIST::FUNCTION:
X509_STORE_CTX_get_verify_cb 4080 1_1_0 EXIST::FUNCTION:
X509_STORE_CTX_set0_verified_chain 4081 1_1_0 EXIST::FUNCTION:
More information about the openssl-commits
mailing list