=pod

=head1 NAME

SSL_get_peer_cert_chain, SSL_get0_verified_chain - get the X509 certificate
chain of the peer

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
 STACK_OF(X509) *SSL_get0_verified_chain(const SSL *ssl);

=head1 DESCRIPTION

SSL_get_peer_cert_chain() returns a pointer to STACK_OF(X509) certificates
forming the certificate chain sent by the peer. If called on the client side,
the stack also contains the peer's certificate; if called on the server
side, the peer's certificate must be obtained separately using
L<SSL_get_peer_certificate(3)>.
If the peer did not present a certificate, NULL is returned.

NB: SSL_get_peer_cert_chain() returns the peer chain as sent by the peer: it
only consists of certificates the peer has sent (in the order the peer
has sent them); it is B<not> a verified chain.

SSL_get0_verified_chain() returns the B<verified> certificate chain
of the peer including the peer's end entity certificate. It must be called
after a session has been successfully established. If peer verification was
not successful (as indicated by SSL_get_verify_result() not returning
X509_V_OK) the chain may be incomplete or invalid.

=head1 NOTES

If the session is resumed, peers do not send certificates, so a NULL pointer
is returned by these functions. Applications can call SSL_session_reused()
to determine whether a session is resumed.

The reference count of each certificate in the returned STACK_OF(X509) object
is not incremented and the returned stack may be invalidated by renegotiation.
If applications wish to use any certificates in the returned chain
indefinitely they must increase the reference counts using X509_up_ref() or
obtain a copy of the whole chain with X509_chain_up_ref().

=head1 RETURN VALUES

The following return values can occur:

=over 4

=item NULL

No certificate was presented by the peer or no connection was established
or the certificate chain is no longer available when a session is reused.

=item Pointer to a STACK_OF(X509)

The return value points to the certificate chain presented by the peer.

=back

=head1 SEE ALSO

L<ssl(7)>, L<SSL_get_peer_certificate(3)>, L<X509_up_ref(3)>,
L<X509_chain_up_ref(3)>

=head1 COPYRIGHT

Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut