|
Packit |
c4476c |
=pod
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 NAME
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
X509_LOOKUP_hash_dir, X509_LOOKUP_file,
|
|
Packit |
c4476c |
X509_load_cert_file,
|
|
Packit |
c4476c |
X509_load_crl_file,
|
|
Packit |
c4476c |
X509_load_cert_crl_file - Default OpenSSL certificate
|
|
Packit |
c4476c |
lookup methods
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 SYNOPSIS
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
#include <openssl/x509_vfy.h>
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
|
|
Packit |
c4476c |
X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type);
|
|
Packit |
c4476c |
int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type);
|
|
Packit |
c4476c |
int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 DESCRIPTION
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
B<X509_LOOKUP_hash_dir> and B<X509_LOOKUP_file> are two certificate
|
|
Packit |
c4476c |
lookup methods to use with B<X509_STORE>, provided by OpenSSL library.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Users of the library typically do not need to create instances of these
|
|
Packit |
c4476c |
methods manually, they would be created automatically by
|
|
Packit |
c4476c |
L<X509_STORE_load_locations(3)> or
|
|
Packit |
c4476c |
L<SSL_CTX_load_verify_locations(3)>
|
|
Packit |
c4476c |
functions.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Internally loading of certificates and CRLs is implemented via functions
|
|
Packit |
c4476c |
B<X509_load_cert_crl_file>, B<X509_load_cert_file> and
|
|
Packit |
c4476c |
B<X509_load_crl_file>. These functions support parameter I<type>, which
|
|
Packit |
c4476c |
can be one of constants B<FILETYPE_PEM>, B<FILETYPE_ASN1> and
|
|
Packit |
c4476c |
B<FILETYPE_DEFAULT>. They load certificates and/or CRLs from specified
|
|
Packit |
c4476c |
file into memory cache of B<X509_STORE> objects which given B<ctx>
|
|
Packit |
c4476c |
parameter is associated with.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Functions B<X509_load_cert_file> and
|
|
Packit |
c4476c |
B<X509_load_crl_file> can load both PEM and DER formats depending of
|
|
Packit |
c4476c |
type value. Because DER format cannot contain more than one certificate
|
|
Packit |
c4476c |
or CRL object (while PEM can contain several concatenated PEM objects)
|
|
Packit |
c4476c |
B<X509_load_cert_crl_file> with B<FILETYPE_ASN1> is equivalent to
|
|
Packit |
c4476c |
B<X509_load_cert_file>.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Constant B<FILETYPE_DEFAULT> with NULL filename causes these functions
|
|
Packit |
c4476c |
to load default certificate store file (see
|
|
Packit |
c4476c |
L<X509_STORE_set_default_paths(3)>.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Functions return number of objects loaded from file or 0 in case of
|
|
Packit |
c4476c |
error.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Both methods support adding several certificate locations into one
|
|
Packit |
c4476c |
B<X509_STORE>.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
This page documents certificate store formats used by these methods and
|
|
Packit |
c4476c |
caching policy.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head2 File Method
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
The B<X509_LOOKUP_file> method loads all the certificates or CRLs
|
|
Packit |
c4476c |
present in a file into memory at the time the file is added as a
|
|
Packit |
c4476c |
lookup source.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
File format is ASCII text which contains concatenated PEM certificates
|
|
Packit |
c4476c |
and CRLs.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
This method should be used by applications which work with a small
|
|
Packit |
c4476c |
set of CAs.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head2 Hashed Directory Method
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
B<X509_LOOKUP_hash_dir> is a more advanced method, which loads
|
|
Packit |
c4476c |
certificates and CRLs on demand, and caches them in memory once
|
|
Packit |
c4476c |
they are loaded. As of OpenSSL 1.0.0, it also checks for newer CRLs
|
|
Packit |
c4476c |
upon each lookup, so that newer CRLs are as soon as they appear in
|
|
Packit |
c4476c |
the directory.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
The directory should contain one certificate or CRL per file in PEM format,
|
|
Packit |
c4476c |
with a file name of the form I<hash>.I<N> for a certificate, or
|
|
Packit |
c4476c |
I<hash>.B<r>I<N> for a CRL.
|
|
Packit |
c4476c |
The I<hash> is the value returned by the L<X509_NAME_hash(3)> function applied
|
|
Packit |
c4476c |
to the subject name for certificates or issuer name for CRLs.
|
|
Packit |
c4476c |
The hash can also be obtained via the B<-hash> option of the L<x509(1)> or
|
|
Packit |
c4476c |
L<crl(1)> commands.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
The .I<N> or .B<r>I<N> suffix is a sequence number that starts at zero, and is
|
|
Packit |
c4476c |
incremented consecutively for each certificate or CRL with the same I<hash>
|
|
Packit |
c4476c |
value.
|
|
Packit |
c4476c |
Gaps in the sequence numbers are not supported, it is assumed that there are no
|
|
Packit |
c4476c |
more objects with the same hash beyond the first missing number in the
|
|
Packit |
c4476c |
sequence.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Sequence numbers make it possible for the directory to contain multiple
|
|
Packit |
c4476c |
certificates with same subject name hash value.
|
|
Packit |
c4476c |
For example, it is possible to have in the store several certificates with same
|
|
Packit |
c4476c |
subject or several CRLs with same issuer (and, for example, different validity
|
|
Packit |
c4476c |
period).
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
When checking for new CRLs once one CRL for given hash value is
|
|
Packit |
c4476c |
loaded, hash_dir lookup method checks only for certificates with
|
|
Packit |
c4476c |
sequence number greater than that of the already cached CRL.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Note that the hash algorithm used for subject name hashing changed in OpenSSL
|
|
Packit |
c4476c |
1.0.0, and all certificate stores have to be rehashed when moving from OpenSSL
|
|
Packit |
c4476c |
0.9.8 to 1.0.0.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
OpenSSL includes a L<rehash(1)> utility which creates symlinks with correct
|
|
Packit |
c4476c |
hashed names for all files with .pem suffix in a given directory.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 RETURN VALUES
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
X509_LOOKUP_hash_dir() and X509_LOOKUP_file() always return a valid
|
|
Packit |
c4476c |
B<X509_LOOKUP_METHOD> structure.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
X509_load_cert_file(), X509_load_crl_file() and X509_load_cert_crl_file() return
|
|
Packit |
c4476c |
the number of loaded objects or 0 on error.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 SEE ALSO
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
L<PEM_read_PrivateKey(3)>,
|
|
Packit |
c4476c |
L<X509_STORE_load_locations(3)>,
|
|
Packit |
c4476c |
L<X509_store_add_lookup(3)>,
|
|
Packit |
c4476c |
L<SSL_CTX_load_verify_locations(3)>,
|
|
Packit |
c4476c |
L<X509_LOOKUP_meth_new(3)>,
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 COPYRIGHT
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Licensed under the OpenSSL license (the "License"). You may not use
|
|
Packit |
c4476c |
this file except in compliance with the License. You can obtain a copy
|
|
Packit |
c4476c |
in the file LICENSE in the source distribution or at
|
|
Packit |
c4476c |
L<https://www.openssl.org/source/license.html>.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=cut
|