Document filesystem-based X509_STORE APIs

This includes the somewhat odd "defaults" API, which I've currently left kind of handwavy. We should eventually decide what to do with this, be it remove it, decide /etc/ssl is a fine default, or do something else entirely. But I'll leave that to future us. (If nothing else, we really should make it return an error on Windows and macOS. It's really just Linux where /etc/ssl is a plausible platform API.) Bug: 426 Change-Id: Iacd2bb903f452ffe236a7a0b97e3072b5dcd8516 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/66388 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
ValeriiaYevtushenkoDex · Feb 26, 2024 · ae1c1a4 · ae1c1a4
1 parent 9d7535f
commit ae1c1a4
Show file tree

Hide file tree

Showing 2 changed files with 210 additions and 126 deletions.
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
@@ -2678,19 +2678,17 @@ OPENSSL_EXPORT void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
 // SSL_CTX_get_cert_store returns |ctx|'s certificate store.
 OPENSSL_EXPORT X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
 
-// SSL_CTX_set_default_verify_paths loads the OpenSSL system-default trust
-// anchors into |ctx|'s store. It returns one on success and zero on failure.
+// SSL_CTX_set_default_verify_paths calls |X509_STORE_set_default_paths| on
+// |ctx|'s store. See that function for details.
+//
+// Using this function is not recommended. In OpenSSL, these defaults are
+// determined by OpenSSL's install prefix. There is no corresponding concept for
+// BoringSSL. Future versions of BoringSSL may change or remove this
+// functionality.
 OPENSSL_EXPORT int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
 
-// SSL_CTX_load_verify_locations loads trust anchors into |ctx|'s store from
-// |ca_file| and |ca_dir|, either of which may be NULL. If |ca_file| is passed,
-// it is opened and PEM-encoded CA certificates are read. If |ca_dir| is passed,
-// it is treated as a directory in OpenSSL's hashed directory format. It returns
-// one on success and zero on failure.
-//
-// See
-// https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_load_verify_locations.html
-// for documentation on the directory format.
+// SSL_CTX_load_verify_locations calls |X509_STORE_load_locations| on |ctx|'s
+// store. See that function for details.
 OPENSSL_EXPORT int SSL_CTX_load_verify_locations(SSL_CTX *ctx,
                                                  const char *ca_file,
                                                  const char *ca_dir);