API Reference | developer.brewmp.com

X509TRUSTOVERRIDE

Brew Release
Brew MP 1.0.2
See Also
IX509CHAIN_Verify
Description
Structure to specify that certain trust checks be skipped
Members
  • uCertID : Comes from the X509BasicCert data structure. If uCertID is all zero, the override applies to all certs in the chain. Note that this is a bit dangerous, though necessary in some cases. When using certs without SSL, say to verify digital signatures, verifying the hostname and checking dates are unnecessary. The way to turn off this checking is an override of these two checks on all certs in the chain.
  • uOverrideBits : A map of bits from X509CHAIN_ indicating which trust failures to override.
Definition
   typedef struct {
      uint32  uCertID;          /* ID from X509BasicCert; all zero means every cert in the chain */
      uint32  uOverrideBits;    /* X509CHAIN_ bits naming the trust failures to override */
   } X509TrustOverride;
Comments
One of these represents a set of trust overrides for a particular certificate. It is used by adding an option with this structure as the value and WEBOPT_X509_OVERRIDE as the ID. The option may be added to IX509Chain, or may be passed in the arguments to IX509CHAIN_Verify(). Trust override records are useful for storing trust overrides for the short or long term; this binary format won't be changed from release to release of Brew. The same macros/constants are used for indicating trust errors and overrides. The following explains how the bits are used as trust overrides. They generally disable some part of the trust checking.
  • X509CHAIN_OVERRIDE_ALL : Override all trust processing. This is dangerous.
  • X509CHAIN_CERT_TRUST : Trust this certificate as a root during the chaining operation.
  • X509CHAIN_LONG_CHAIN : Doesn't work as an override. Use WEBOPT_X509_MAX_CHAIN instead.
  • X509CHAIN_CERT_EXIPRED : Don't check the dates on the cert (but still try to parse them).
  • X509CHAIN_BAD_DATE : Turn off all attempts to examine dates in the cert.
  • X509CHAIN_HOST_MISMATCH : Don't try to compare the names.
  • X509CHAIN_NO_TARGET_HOST : Same as X509CHAIN_HOST_MISMATCH. Don't try to check the hostname.
  • X509CHAIN_NO_HOST_IN_CERT : Same as X509CHAIN_HOST_MISMATCH. Don't try to check the hostname.
  • X509CHAIN_BAD_SIGNATURE : Don't attempt to verify the signature on this cert; no heavy crypto.
  • X509CHAIN_CERT_HASH_UNKNOWN : Same as X509CHAIN_SEVER_CERT_SIG_BAD.
  • X509CHAIN_CERT_HASH_UNSUPP : Same as X509CHAIN_SEVER_CERT_SIG_BAD.
  • X509CHAIN_SIGNER_KEY_BAD : Stops signature verification on certs *signed* by this cert.
  • X509CHAIN_CRITICAL_EXTENSION : Will still try to check the extensions that are understood, but will silently ignore the ones not understood.
  • X509CHAIN_BASIC_CONST : Don't check the basic constraints.
  • X509CHAIN_EXT_KEY_USE : The extended key usage extension will be ignored if it is not critical.
  • X509CHAIN_CRIT_EXT_KEY_USE : Extended key usage will be completely ignored.
  • X509CHAIN_KEY_USE : Disables all key usage processing.
  • X509CHAIN_INTEGER_ID : Ignore integer ID checking.
  • X509CHAIN_NON_LEAF_EXT_KEY_USE : When set, extended key usage is checked on the root and intermediate certs. If not set, checking is only done on the leaf certs. This is really just a flag, not a trust override, nor is it ever returned as an error.
  • X509CHAIN_FROM_DATE : Ignores the check on the "from" date of the cert chain.
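The following C illustration (added here; it is not Brew's implementation of IX509CHAIN_Verify) models the semantics described above: override records are matched by uCertID (zero matching every cert), the same X509CHAIN_ bits name both the reported trust failures and the overrides, X509CHAIN_LONG_CHAIN never works as an override, and a review helper flags records that skip all trust processing or signature crypto. The bit values given to the X509CHAIN_ macros are assumed placeholders so the code compiles stand-alone; the real values come from the Brew MP header.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
/* ASSUMED placeholder bit values for this illustration only; real values
 * come from the Brew MP X509Chain header and must replace these. */
#define X509CHAIN_OVERRIDE_ALL   0x00000001u
#define X509CHAIN_LONG_CHAIN     0x00000002u
#define X509CHAIN_BAD_DATE       0x00000004u
#define X509CHAIN_HOST_MISMATCH  0x00000008u
#define X509CHAIN_BAD_SIGNATURE  0x00000010u
#define X509CHAIN_BASIC_CONST    0x00000020u

/* Same layout as the documented structure (Brew's uint32 is uint32_t here). */
typedef struct {
    uint32_t uCertID;        /* 0 == applies to every cert in the chain */
    uint32_t uOverrideBits;  /* X509CHAIN_ bits whose failures are ignored */
} X509TrustOverride;

/* Merge every record that applies to cert_id into one mask. OVERRIDE_ALL
 * masks everything; LONG_CHAIN is documented as not working as an
 * override (use WEBOPT_X509_MAX_CHAIN), so it is never masked out. */
uint32_t effective_override_mask(const X509TrustOverride *ovr, size_t n,
                                 uint32_t cert_id)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < n; i++)
        if (ovr[i].uCertID == 0 || ovr[i].uCertID == cert_id)
            mask |= ovr[i].uOverrideBits;
    if (mask & X509CHAIN_OVERRIDE_ALL)
        return UINT32_MAX;
    return mask & ~X509CHAIN_LONG_CHAIN;
}

/* Trust failures that survive the overrides; non-zero means the cert still
 * fails. trust_errors uses the same X509CHAIN_ bits the verifier reports. */
uint32_t residual_trust_errors(uint32_t trust_errors, uint32_t cert_id,
                               const X509TrustOverride *ovr, size_t n)
{
    return trust_errors & ~effective_override_mask(ovr, n, cert_id);
}

/* Review check: true if any record disables all trust processing or skips
 * signature verification, the two overrides a reviewer should question. */
bool override_set_is_dangerous(const X509TrustOverride *ovr, size_t n)
{
    const uint32_t risky = X509CHAIN_OVERRIDE_ALL | X509CHAIN_BAD_SIGNATURE;
    for (size_t i = 0; i < n; i++)
        if (ovr[i].uOverrideBits & risky)
            return true;
    return false;
}
```

The signature-only use case from the Members section corresponds to a single record `{ 0, X509CHAIN_HOST_MISMATCH | X509CHAIN_BAD_DATE }`, which clears hostname and date failures on every cert while leaving signature failures in place.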