|
| 1 | +.\" $OpenBSD: X509_STORE_get_by_subject.3,v 1.1 2021/08/02 16:21:11 schwarze Exp $ |
| 2 | +.\" |
| 3 | +.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org> |
| 4 | +.\" |
| 5 | +.\" Permission to use, copy, modify, and distribute this software for any |
| 6 | +.\" purpose with or without fee is hereby granted, provided that the above |
| 7 | +.\" copyright notice and this permission notice appear in all copies. |
| 8 | +.\" |
| 9 | +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| 10 | +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| 11 | +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
| 12 | +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| 13 | +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| 14 | +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| 15 | +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| 16 | +.\" |
| 17 | +.Dd $Mdocdate: August 2 2021 $ |
| 18 | +.Dt X509_STORE_GET_BY_SUBJECT 3 |
| 19 | +.Os |
| 20 | +.Sh NAME |
| 21 | +.Nm X509_STORE_get_by_subject , |
| 22 | +.Nm X509_STORE_get1_certs , |
| 23 | +.Nm X509_STORE_get1_crls , |
| 24 | +.Nm X509_STORE_CTX_get1_issuer |
| 25 | +.Nd retrieve objects from a certificate store |
| 26 | +.Sh SYNOPSIS |
| 27 | +.In openssl/x509_vfy.h |
| 28 | +.Ft int |
| 29 | +.Fo X509_STORE_get_by_subject |
| 30 | +.Fa "X509_STORE_CTX *ctx" |
| 31 | +.Fa "int type" |
| 32 | +.Fa "X509_NAME *name" |
| 33 | +.Fa "X509_OBJECT *object" |
| 34 | +.Fc |
| 35 | +.Ft STACK_OF(X509) * |
| 36 | +.Fo X509_STORE_get1_certs |
| 37 | +.Fa "X509_STORE_CTX *ctx" |
| 38 | +.Fa "X509_NAME *name" |
| 39 | +.Fc |
| 40 | +.Ft STACK_OF(X509_CRL) * |
| 41 | +.Fo X509_STORE_get1_crls |
| 42 | +.Fa "X509_STORE_CTX *ctx" |
| 43 | +.Fa "X509_NAME *name" |
| 44 | +.Fc |
| 45 | +.Ft int |
| 46 | +.Fo X509_STORE_CTX_get1_issuer |
| 47 | +.Fa "X509 **issuer" |
| 48 | +.Fa "X509_STORE_CTX *ctx" |
| 49 | +.Fa "X509 *certificate" |
| 50 | +.Fc |
| 51 | +.Sh DESCRIPTION |
| 52 | +.Fn X509_STORE_get_by_subject |
| 53 | +retrieves the first object having a matching |
| 54 | +.Fa type |
| 55 | +and |
| 56 | +.Fa name |
| 57 | +from the |
| 58 | +.Vt X509_STORE |
| 59 | +associated with the |
| 60 | +.Fa ctx . |
| 61 | +The |
| 62 | +.Fa type |
| 63 | +can be |
| 64 | +.Dv X509_LU_X509 |
| 65 | +to retrieve a certificate or |
| 66 | +.Dv X509_LU_CRL |
| 67 | +to retrieve a revocation list. |
| 68 | +.Pp |
| 69 | +If the store does not yet contain a matching object or if the type is |
| 70 | +.Dv X509_LU_CRL , |
| 71 | +.Xr X509_LOOKUP_by_subject 3 |
| 72 | +is called on |
| 73 | +.Vt X509_LOOKUP |
| 74 | +objects associated with the store until a match is found, |
| 75 | +which may add zero or more objects to the store. |
| 76 | +.Pp |
| 77 | +In case of success, the content of the |
| 78 | +.Fa object |
| 79 | +provided by the caller is overwritten with a pointer to the first |
| 80 | +match, and the reference count of that certificate or revocation |
| 81 | +list is incremented by 1. |
| 82 | +Avoiding a memory leak by making sure the provided |
| 83 | +.Fa object |
| 84 | +is empty is the responsibility of the caller. |
| 85 | +.Pp |
| 86 | +.Fn X509_STORE_get1_certs |
| 87 | +retrieves all certificates matching the subject |
| 88 | +.Vt name |
| 89 | +from the |
| 90 | +.Vt X509_STORE |
| 91 | +associated with |
| 92 | +.Fa ctx . |
| 93 | +If there are none yet, |
| 94 | +.Fn X509_STORE_get_by_subject |
| 95 | +is called to try and add some. |
| 96 | +In case of success, the reference counts of all certificates |
| 97 | +added to the returned array are incremented by 1. |
| 98 | +.Pp |
| 99 | +.Fn X509_STORE_get1_crls |
| 100 | +is similar except that it operates on certificate revocation lists |
| 101 | +rather than on certificates and that it always calls |
| 102 | +.Fn X509_STORE_get_by_subject , |
| 103 | +even if the |
| 104 | +.Vt X509_STORE |
| 105 | +already contains a matching revocation list. |
| 106 | +.Pp |
| 107 | +.Fn X509_STORE_CTX_get1_issuer |
| 108 | +retrieves the |
| 109 | +.Fa issuer |
| 110 | +CA certificate for the given |
| 111 | +.Fa certificate |
| 112 | +from the |
| 113 | +.Vt X509_STORE |
| 114 | +associated with |
| 115 | +.Fa ctx . |
| 116 | +Internally, the issuer name is retrieved with |
| 117 | +.Xr X509_get_issuer_name 3 |
| 118 | +and the candidate issuer CA certificate with |
| 119 | +.Fn X509_STORE_get_by_subject |
| 120 | +using that issuer name. |
| 121 | +.Xr X509_check_issued 3 |
| 122 | +or a user-supplied replacement function is used to check whether the |
| 123 | +.Fa certificate |
| 124 | +was indeed issued using the |
| 125 | +.Fa issuer |
| 126 | +CA certificate before returning it. |
| 127 | +If verification parameters associated with |
| 128 | +.Fa ctx |
| 129 | +encourage checking of validity times, CAs with a valid time are |
| 130 | +preferred, but if no matching CA has a valid time, one with an |
| 131 | +invalid time is accepted anyway. |
| 132 | +.Sh RETURN VALUES |
| 133 | +.Fn X509_STORE_get_by_subject |
| 134 | +returns 1 if a match is found or 0 on failure. |
| 135 | +In addition to simply not finding a match, |
| 136 | +it may also fail due to memory allocation failure in |
| 137 | +.Xr X509_LOOKUP_by_subject 3 . |
| 138 | +If |
| 139 | +.Fa ctx |
| 140 | +contains any |
| 141 | +.Vt X509_LOOKUP |
| 142 | +object using a user-defined |
| 143 | +.Vt X509_LOOKUP_METHOD , |
| 144 | +it might also return negative values for internal errors. |
| 145 | +.Pp |
| 146 | +.Fn X509_STORE_get1_certs |
| 147 | +returns a newly allocated and populated array of certificates or |
| 148 | +.Dv NULL |
| 149 | +on failure. |
| 150 | +It fails if no match is found, if |
| 151 | +.Fn X509_STORE_get_by_subject |
| 152 | +fails, or if memory allocation fails. |
| 153 | +.Pp |
| 154 | +.Fn X509_STORE_get1_crls |
| 155 | +returns a newly allocated and populated array of CRLs or |
| 156 | +.Dv NULL |
| 157 | +on failure. |
| 158 | +It fails if |
| 159 | +.Fn X509_STORE_get_by_subject |
| 160 | +finds no new match, even if the associated |
| 161 | +.Vt X509_STORE |
| 162 | +already contains matching CRLs, or if memory allocation fails. |
| 163 | +.Pp |
| 164 | +.Fn X509_STORE_CTX_get1_issuer |
| 165 | +returns 1 if a matching |
| 166 | +.Fa issuer |
| 167 | +CA certificate is found or 0 otherwise. |
| 168 | +If |
| 169 | +.Fa ctx |
| 170 | +contains any |
| 171 | +.Vt X509_LOOKUP |
| 172 | +object using a user-defined |
| 173 | +.Vt X509_LOOKUP_METHOD , |
| 174 | +it might also return negative values for internal errors. |
| 175 | +.Sh SEE ALSO |
| 176 | +.Xr STACK_OF 3 , |
| 177 | +.Xr X509_check_issued 3 , |
| 178 | +.Xr X509_CRL_new 3 , |
| 179 | +.Xr X509_get_issuer_name 3 , |
| 180 | +.Xr X509_LOOKUP_by_subject 3 , |
| 181 | +.Xr X509_NAME_new 3 , |
| 182 | +.Xr X509_new 3 , |
| 183 | +.Xr X509_OBJECT_retrieve_by_subject 3 , |
| 184 | +.Xr X509_STORE_CTX_new 3 , |
| 185 | +.Xr X509_VERIFY_PARAM_set_flags 3 |
| 186 | +.Sh HISTORY |
| 187 | +.Fn X509_STORE_get_by_subject |
| 188 | +first appeared in SSLeay 0.8.0 and has been available since |
| 189 | +.Ox 2.4 . |
| 190 | +.Pp |
| 191 | +.Fn X509_STORE_CTX_get1_issuer |
| 192 | +first appeared in OpenSSL 0.9.6 and has been available since |
| 193 | +.Ox 2.9 . |
| 194 | +.Pp |
| 195 | +.Fn X509_STORE_get1_certs |
| 196 | +and |
| 197 | +.Fn X509_STORE_get1_crls |
| 198 | +first appeared in OpenSSL 1.0.0 and have been available since |
| 199 | +.Ox 4.9 . |
0 commit comments