Sortix cross-nightly manual
This manual documents Sortix cross-nightly. You can instead view this document in the latest official manual.
NAME
X509_check_trust, X509_TRUST_set_default — check whether a certificate is trustedSYNOPSIS
#include <openssl/x509.h>X509_check_trust(X509 *certificate, int trust, int flags);
(*X509_TRUST_set_default(int (*handler)(int, X509 *, int)))(int trust, X509 *certificate, int flags);
DESCRIPTION
X509_check_trust() checks whether the certificate is marked as trusted for the purpose corresponding to the requested trust identifier.- If X509_add1_reject_object(3) was previously called on the certificate with the ASN.1 object identifier corresponding to the requested trust identifier, X509_TRUST_REJECTED is returned.
- If X509_add1_trust_object(3) was previously called on the certificate with the ASN.1 object identifier corresponding to the requested trust identifier, X509_TRUST_TRUSTED is returned.
- If X509_add1_reject_object(3) or X509_add1_trust_object(3) were previously called on the certificate, but neither of them with the ASN.1 object identifier corresponding to the requested trust identifier, X509_TRUST_UNTRUSTED is returned.
- This so-called “compatibility” step is skipped by some of the trust checking functions. If neither X509_add1_reject_object(3) nor X509_add1_trust_object(3) was previously called on the certificate and if the certificate is a self-signed, X509_TRUST_TRUSTED is returned.
- Otherwise, X509_TRUST_UNTRUSTED is returned.
trust identifier |
ASN.1 NID | compat |
X509_TRUST_SSL_CLIENT | NID_client_auth | use |
X509_TRUST_SSL_SERVER | NID_server_auth | use |
X509_TRUST_EMAIL | NID_email_protect | use |
X509_TRUST_OBJECT_SIGN | NID_code_sign | use |
X509_TRUST_OCSP_SIGN | NID_OCSP_sign | skip |
X509_TRUST_OCSP_REQUEST | NID_ad_OCSP | skip |
X509_TRUST_TSA | NID_time_stamp | use |
X509_TRUST_COMPAT | none | only |
0 | NID_anyExtendedKeyUsage | special |
-1 | none | trusted |
invalid |
trust argument |
skip |
- X509_TRUST_COMPAT
- X509_add1_reject_object(3) and X509_add1_trust_object(3) settings are completely ignored and all steps before the compatibility step are skipped. The certificate is trusted if and only if it is self-signed.
- 0
- The third step in the standard algorithm is skipped, and the compatibility step is used even if X509_add1_reject_object(3) or X509_add1_trust_object(3) were called with ASN.1 object identifiers not corresponding to NID_anyExtendedKeyUsage.
- -1
- The certificate is not inspected and X509_TRUST_TRUSTED is always returned.
- invalid
- If the trust argument is neither 0 nor -1 nor valid as a trust identifier, it is re-interpreted as an ASN.1 NID and used itself for the standard algorithm. The compatibility step is skipped in this case.
RETURN VALUES
X509_check_trust() returns the following values:- X509_TRUST_TRUSTED
- The certificate is explicitly or implicitly trusted for the requested purpose.
- X509_TRUST_REJECTED
- The certificate is explicitly rejected for the requested purpose.
- X509_TRUST_UNTRUSTED
- The certificate is neither trusted nor explicitly rejected, which implies that it is not trusted.