1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
|
.TH "hx509 verification functions" 3 "30 Jul 2011" "Version 1.5" "Heimdalx509library" \" -*- nroff -*-
.ad l
.nh
.SH NAME
hx509 verification functions \-
.SS "Functions"
.in +1c
.ti -1c
.RI "void \fBhx509_context_set_missing_revoke\fP (hx509_context context, int flag)"
.br
.ti -1c
.RI "int \fBhx509_verify_init_ctx\fP (hx509_context context, hx509_verify_ctx *ctx)"
.br
.ti -1c
.RI "void \fBhx509_verify_destroy_ctx\fP (hx509_verify_ctx ctx)"
.br
.ti -1c
.RI "void \fBhx509_verify_attach_anchors\fP (hx509_verify_ctx ctx, hx509_certs set)"
.br
.ti -1c
.RI "void \fBhx509_verify_attach_revoke\fP (hx509_verify_ctx ctx, hx509_revoke_ctx revoke_ctx)"
.br
.ti -1c
.RI "void \fBhx509_verify_set_time\fP (hx509_verify_ctx ctx, time_t t)"
.br
.ti -1c
.RI "void \fBhx509_verify_set_max_depth\fP (hx509_verify_ctx ctx, unsigned int max_depth)"
.br
.ti -1c
.RI "void \fBhx509_verify_set_proxy_certificate\fP (hx509_verify_ctx ctx, int boolean)"
.br
.ti -1c
.RI "void \fBhx509_verify_set_strict_rfc3280_verification\fP (hx509_verify_ctx ctx, int boolean)"
.br
.ti -1c
.RI "int \fBhx509_verify_path\fP (hx509_context context, hx509_verify_ctx ctx, hx509_cert cert, hx509_certs pool)"
.br
.ti -1c
.RI "int \fBhx509_ocsp_verify\fP (hx509_context context, time_t now, hx509_cert cert, int flags, const void *data, size_t length, time_t *expiration)"
.br
.ti -1c
.RI "int \fBhx509_crl_alloc\fP (hx509_context context, hx509_crl *crl)"
.br
.ti -1c
.RI "int \fBhx509_crl_add_revoked_certs\fP (hx509_context context, hx509_crl crl, hx509_certs certs)"
.br
.ti -1c
.RI "int \fBhx509_crl_lifetime\fP (hx509_context context, hx509_crl crl, int delta)"
.br
.ti -1c
.RI "void \fBhx509_crl_free\fP (hx509_context context, hx509_crl *crl)"
.br
.ti -1c
.RI "int \fBhx509_crl_sign\fP (hx509_context context, hx509_cert signer, hx509_crl crl, heim_octet_string *os)"
.br
.in -1c
.SH "Detailed Description"
.PP
.SH "Function Documentation"
.PP
.SS "void hx509_context_set_missing_revoke (hx509_context context, int flag)"
.PP
Selects if the \fBhx509_revoke_verify()\fP function is going to require the existans of a revokation method (OCSP, CRL) or not. Note that \fBhx509_verify_path()\fP, \fBhx509_cms_verify_signed()\fP, and other function call \fBhx509_revoke_verify()\fP.
.PP
\fBParameters:\fP
.RS 4
\fIcontext\fP hx509 context to change the flag for.
.br
\fIflag\fP zero, revokation method required, non zero missing revokation method ok
.RE
.PP
.SS "int hx509_crl_add_revoked_certs (hx509_context context, hx509_crl crl, hx509_certs certs)"
.PP
Add revoked certificate to an CRL context.
.PP
\fBParameters:\fP
.RS 4
\fIcontext\fP a hx509 context.
.br
\fIcrl\fP the CRL to add the revoked certificate to.
.br
\fIcerts\fP keyset of certificate to revoke.
.RE
.PP
\fBReturns:\fP
.RS 4
An hx509 error code, see \fBhx509_get_error_string()\fP.
.RE
.PP
.SS "int hx509_crl_alloc (hx509_context context, hx509_crl * crl)"
.PP
Create a CRL context. Use \fBhx509_crl_free()\fP to free the CRL context.
.PP
\fBParameters:\fP
.RS 4
\fIcontext\fP a hx509 context.
.br
\fIcrl\fP return pointer to a newly allocated CRL context.
.RE
.PP
\fBReturns:\fP
.RS 4
An hx509 error code, see \fBhx509_get_error_string()\fP.
.RE
.PP
.SS "void hx509_crl_free (hx509_context context, hx509_crl * crl)"
.PP
Free a CRL context.
.PP
\fBParameters:\fP
.RS 4
\fIcontext\fP a hx509 context.
.br
\fIcrl\fP a CRL context to free.
.RE
.PP
.SS "int hx509_crl_lifetime (hx509_context context, hx509_crl crl, int delta)"
.PP
Set the lifetime of a CRL context.
.PP
\fBParameters:\fP
.RS 4
\fIcontext\fP a hx509 context.
.br
\fIcrl\fP a CRL context
.br
\fIdelta\fP delta time the certificate is valid, library adds the current time to this.
.RE
.PP
\fBReturns:\fP
.RS 4
An hx509 error code, see \fBhx509_get_error_string()\fP.
.RE
.PP
.SS "int hx509_crl_sign (hx509_context context, hx509_cert signer, hx509_crl crl, heim_octet_string * os)"
.PP
Sign a CRL and return an encode certificate.
.PP
\fBParameters:\fP
.RS 4
\fIcontext\fP a hx509 context.
.br
\fIsigner\fP certificate to sign the CRL with
.br
\fIcrl\fP the CRL to sign
.br
\fIos\fP return the signed and encoded CRL, free with free_heim_octet_string()
.RE
.PP
\fBReturns:\fP
.RS 4
An hx509 error code, see \fBhx509_get_error_string()\fP.
.RE
.PP
.SS "int hx509_ocsp_verify (hx509_context context, time_t now, hx509_cert cert, int flags, const void * data, size_t length, time_t * expiration)"
.PP
Verify that the certificate is part of the OCSP reply and it's not expired. Doesn't verify signature the OCSP reply or it's done by a authorized sender, that is assumed to be already done.
.PP
\fBParameters:\fP
.RS 4
\fIcontext\fP a hx509 context
.br
\fInow\fP the time right now, if 0, use the current time.
.br
\fIcert\fP the certificate to verify
.br
\fIflags\fP flags control the behavior
.br
\fIdata\fP pointer to the encode ocsp reply
.br
\fIlength\fP the length of the encode ocsp reply
.br
\fIexpiration\fP return the time the OCSP will expire and need to be rechecked.
.RE
.PP
\fBReturns:\fP
.RS 4
An hx509 error code, see \fBhx509_get_error_string()\fP.
.RE
.PP
.SS "void hx509_verify_attach_anchors (hx509_verify_ctx ctx, hx509_certs set)"
.PP
Set the trust anchors in the verification context, makes an reference to the keyset, so the consumer can free the keyset independent of the destruction of the verification context (ctx). If there already is a keyset attached, it's released.
.PP
\fBParameters:\fP
.RS 4
\fIctx\fP a verification context
.br
\fIset\fP a keyset containing the trust anchors.
.RE
.PP
.SS "void hx509_verify_attach_revoke (hx509_verify_ctx ctx, hx509_revoke_ctx revoke_ctx)"
.PP
Attach an revocation context to the verfication context, , makes an reference to the revoke context, so the consumer can free the revoke context independent of the destruction of the verification context. If there is no revoke context, the verification process is NOT going to check any verification status.
.PP
\fBParameters:\fP
.RS 4
\fIctx\fP a verification context.
.br
\fIrevoke_ctx\fP a revoke context.
.RE
.PP
.SS "void hx509_verify_destroy_ctx (hx509_verify_ctx ctx)"
.PP
Free an hx509 verification context.
.PP
\fBParameters:\fP
.RS 4
\fIctx\fP the context to be freed.
.RE
.PP
.SS "int hx509_verify_init_ctx (hx509_context context, hx509_verify_ctx * ctx)"
.PP
Allocate an verification context that is used fo control the verification process.
.PP
\fBParameters:\fP
.RS 4
\fIcontext\fP A hx509 context.
.br
\fIctx\fP returns a pointer to a hx509_verify_ctx object.
.RE
.PP
\fBReturns:\fP
.RS 4
An hx509 error code, see \fBhx509_get_error_string()\fP.
.RE
.PP
.SS "int hx509_verify_path (hx509_context context, hx509_verify_ctx ctx, hx509_cert cert, hx509_certs pool)"
.PP
Build and verify the path for the certificate to the trust anchor specified in the verify context. The path is constructed from the certificate, the pool and the trust anchors.
.PP
\fBParameters:\fP
.RS 4
\fIcontext\fP A hx509 context.
.br
\fIctx\fP A hx509 verification context.
.br
\fIcert\fP the certificate to build the path from.
.br
\fIpool\fP A keyset of certificates to build the chain from.
.RE
.PP
\fBReturns:\fP
.RS 4
An hx509 error code, see \fBhx509_get_error_string()\fP.
.RE
.PP
.SS "void hx509_verify_set_max_depth (hx509_verify_ctx ctx, unsigned int max_depth)"
.PP
Set the maximum depth of the certificate chain that the path builder is going to try.
.PP
\fBParameters:\fP
.RS 4
\fIctx\fP a verification context
.br
\fImax_depth\fP maxium depth of the certificate chain, include trust anchor.
.RE
.PP
.SS "void hx509_verify_set_proxy_certificate (hx509_verify_ctx ctx, int boolean)"
.PP
Allow or deny the use of proxy certificates
.PP
\fBParameters:\fP
.RS 4
\fIctx\fP a verification context
.br
\fIboolean\fP if non zero, allow proxy certificates.
.RE
.PP
.SS "void hx509_verify_set_strict_rfc3280_verification (hx509_verify_ctx ctx, int boolean)"
.PP
Select strict RFC3280 verification of certificiates. This means checking key usage on CA certificates, this will make version 1 certificiates unuseable.
.PP
\fBParameters:\fP
.RS 4
\fIctx\fP a verification context
.br
\fIboolean\fP if non zero, use strict verification.
.RE
.PP
.SS "void hx509_verify_set_time (hx509_verify_ctx ctx, time_t t)"
.PP
Set the clock time the the verification process is going to use. Used to check certificate in the past and future time. If not set the current time will be used.
.PP
\fBParameters:\fP
.RS 4
\fIctx\fP a verification context.
.br
\fIt\fP the time the verifiation is using.
.RE
.PP
|
