diff options
| author | schwarze <> | 2023-06-08 09:40:17 +0000 |
|---|---|---|
| committer | schwarze <> | 2023-06-08 09:40:17 +0000 |
| commit | ccc698d6521b756838b52dca551ee9cd47bdd283 (patch) | |
| tree | 3eda705a11d0d1827114ebae71151bb978e1586f | |
| parent | d323186428a08aba14848a7b6be0daadfe582ffd (diff) | |
| download | openbsd-ccc698d6521b756838b52dca551ee9cd47bdd283.tar.gz openbsd-ccc698d6521b756838b52dca551ee9cd47bdd283.tar.bz2 openbsd-ccc698d6521b756838b52dca551ee9cd47bdd283.zip | |
From the description of "openssl verify", delete the duplicate and
outdated list of error messages. Instead, refer to the master copy
of that list in X509_STORE_CTX_get_error(3).
Suggested by and OK tb@, and beck@ also agrees with the idea.
| -rw-r--r-- | src/usr.bin/openssl/openssl.1 | 139 |
1 files changed, 9 insertions, 130 deletions
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1 index 3005cdd2d8..45ae95fa5b 100644 --- a/src/usr.bin/openssl/openssl.1 +++ b/src/usr.bin/openssl/openssl.1 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | .\" $OpenBSD: openssl.1,v 1.147 2023/06/07 10:53:30 schwarze Exp $ | 1 | .\" $OpenBSD: openssl.1,v 1.148 2023/06/08 09:40:17 schwarze Exp $ |
| 2 | .\" ==================================================================== | 2 | .\" ==================================================================== |
| 3 | .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. | 3 | .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. |
| 4 | .\" | 4 | .\" |
| @@ -110,7 +110,7 @@ | |||
| 110 | .\" copied and put under another distribution licence | 110 | .\" copied and put under another distribution licence |
| 111 | .\" [including the GNU Public Licence.] | 111 | .\" [including the GNU Public Licence.] |
| 112 | .\" | 112 | .\" |
| 113 | .Dd $Mdocdate: June 7 2023 $ | 113 | .Dd $Mdocdate: June 8 2023 $ |
| 114 | .Dt OPENSSL 1 | 114 | .Dt OPENSSL 1 |
| 115 | .Os | 115 | .Os |
| 116 | .Sh NAME | 116 | .Sh NAME |
| @@ -6058,137 +6058,16 @@ error 24 at 1 depth lookup:invalid CA certificate | |||
| 6058 | .Pp | 6058 | .Pp |
| 6059 | The first line contains the name of the certificate being verified, followed by | 6059 | The first line contains the name of the certificate being verified, followed by |
| 6060 | the subject name of the certificate. | 6060 | the subject name of the certificate. |
| 6061 | The second line contains the error number and the depth. | 6061 | The second line contains the error number as defined by the |
| 6062 | .Dv X509_V_ERR_* | ||
| 6063 | constants in | ||
| 6064 | .In openssl/x509_vfy.h , | ||
| 6065 | the associated error message documented in | ||
| 6066 | .Xr X509_STORE_CTX_get_error 3 , | ||
| 6067 | and the depth. | ||
| 6062 | The depth is the number of the certificate being verified when a | 6068 | The depth is the number of the certificate being verified when a |
| 6063 | problem was detected starting with zero for the certificate being verified | 6069 | problem was detected starting with zero for the certificate being verified |
| 6064 | itself, then 1 for the CA that signed the certificate and so on. | 6070 | itself, then 1 for the CA that signed the certificate and so on. |
| 6065 | Finally a text version of the error number is presented. | ||
| 6066 | .Pp | ||
| 6067 | An exhaustive list of the error codes and messages is shown below; this also | ||
| 6068 | includes the name of the error code as defined in the header file | ||
| 6069 | .In openssl/x509_vfy.h . | ||
| 6070 | Some of the error codes are defined but never returned: these are described as | ||
| 6071 | .Qq unused . | ||
| 6072 | .Bl -tag -width "XXXX" | ||
| 6073 | .It 0 X509_V_OK | ||
| 6074 | The operation was successful. | ||
| 6075 | .It 2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT | ||
| 6076 | The issuer certificate of an untrusted certificate could not be found. | ||
| 6077 | .It 3 X509_V_ERR_UNABLE_TO_GET_CRL | ||
| 6078 | The CRL of a certificate could not be found. | ||
| 6079 | .It 4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE | ||
| 6080 | The certificate signature could not be decrypted. | ||
| 6081 | This means that the actual signature value could not be determined | ||
| 6082 | rather than it not matching the expected value. | ||
| 6083 | This is only meaningful for RSA keys. | ||
| 6084 | .It 5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE | ||
| 6085 | The CRL signature could not be decrypted. | ||
| 6086 | This means that the actual signature value could not be determined | ||
| 6087 | rather than it not matching the expected value. | ||
| 6088 | Unused. | ||
| 6089 | .It 6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY | ||
| 6090 | The public key in the certificate | ||
| 6091 | .Cm SubjectPublicKeyInfo | ||
| 6092 | could not be read. | ||
| 6093 | .It 7 X509_V_ERR_CERT_SIGNATURE_FAILURE | ||
| 6094 | The signature of the certificate is invalid. | ||
| 6095 | .It 8 X509_V_ERR_CRL_SIGNATURE_FAILURE | ||
| 6096 | The signature of the certificate is invalid. | ||
| 6097 | .It 9 X509_V_ERR_CERT_NOT_YET_VALID | ||
| 6098 | The certificate is not yet valid: the | ||
| 6099 | .Cm notBefore | ||
| 6100 | date is after the current time. | ||
| 6101 | .It 10 X509_V_ERR_CERT_HAS_EXPIRED | ||
| 6102 | The certificate has expired; that is, the | ||
| 6103 | .Cm notAfter | ||
| 6104 | date is before the current time. | ||
| 6105 | .It 11 X509_V_ERR_CRL_NOT_YET_VALID | ||
| 6106 | The CRL is not yet valid. | ||
| 6107 | .It 12 X509_V_ERR_CRL_HAS_EXPIRED | ||
| 6108 | The CRL has expired. | ||
| 6109 | .It 13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD | ||
| 6110 | The certificate | ||
| 6111 | .Cm notBefore | ||
| 6112 | field contains an invalid time. | ||
| 6113 | .It 14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD | ||
| 6114 | The certificate | ||
| 6115 | .Cm notAfter | ||
| 6116 | field contains an invalid time. | ||
| 6117 | .It 15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD | ||
| 6118 | The CRL | ||
| 6119 | .Cm thisUpdate | ||
| 6120 | field contains an invalid time. | ||
| 6121 | The error code is misnamed and the error message confusingly talks about | ||
| 6122 | .Dq lastUpdate | ||
| 6123 | instead of | ||
| 6124 | .Dq thisUpdate | ||
| 6125 | for historical reasons. | ||
| 6126 | .It 16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD | ||
| 6127 | The CRL | ||
| 6128 | .Cm nextUpdate | ||
| 6129 | field contains an invalid time. | ||
| 6130 | .It 17 X509_V_ERR_OUT_OF_MEM | ||
| 6131 | An error occurred trying to allocate memory. | ||
| 6132 | This should never happen. | ||
| 6133 | .It 18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT | ||
| 6134 | The passed certificate is self-signed and the same certificate cannot be | ||
| 6135 | found in the list of trusted certificates. | ||
| 6136 | .It 19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN | ||
| 6137 | The certificate chain could be built up using the untrusted certificates but | ||
| 6138 | the root could not be found locally. | ||
| 6139 | .It 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY | ||
| 6140 | The issuer certificate of a locally looked up certificate could not be found. | ||
| 6141 | This normally means the list of trusted certificates is not complete. | ||
| 6142 | .It 21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE | ||
| 6143 | No signatures could be verified because the chain contains only one | ||
| 6144 | certificate and it is not self-signed. | ||
| 6145 | .It 22 X509_V_ERR_CERT_CHAIN_TOO_LONG | ||
| 6146 | The certificate chain length is greater than the supplied maximum depth. | ||
| 6147 | Unused. | ||
| 6148 | .It 23 X509_V_ERR_CERT_REVOKED | ||
| 6149 | The certificate has been revoked. | ||
| 6150 | .It 24 X509_V_ERR_INVALID_CA | ||
| 6151 | A CA certificate is invalid. | ||
| 6152 | Either it is not a CA or its extensions are not consistent | ||
| 6153 | with the supplied purpose. | ||
| 6154 | .It 25 X509_V_ERR_PATH_LENGTH_EXCEEDED | ||
| 6155 | The | ||
| 6156 | .Cm basicConstraints | ||
| 6157 | pathlength parameter has been exceeded. | ||
| 6158 | .It 26 X509_V_ERR_INVALID_PURPOSE | ||
| 6159 | The supplied certificate cannot be used for the specified purpose. | ||
| 6160 | .It 27 X509_V_ERR_CERT_UNTRUSTED | ||
| 6161 | The root CA is not marked as trusted for the specified purpose. | ||
| 6162 | .It 28 X509_V_ERR_CERT_REJECTED | ||
| 6163 | The root CA is marked to reject the specified purpose. | ||
| 6164 | .It 29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH | ||
| 6165 | The current candidate issuer certificate was rejected because its subject name | ||
| 6166 | did not match the issuer name of the current certificate. | ||
| 6167 | Only displayed when the | ||
| 6168 | .Fl issuer_checks | ||
| 6169 | option is set. | ||
| 6170 | .It 30 X509_V_ERR_AKID_SKID_MISMATCH | ||
| 6171 | The current candidate issuer certificate was rejected because its subject key | ||
| 6172 | identifier was present and did not match the authority key identifier current | ||
| 6173 | certificate. | ||
| 6174 | Only displayed when the | ||
| 6175 | .Fl issuer_checks | ||
| 6176 | option is set. | ||
| 6177 | .It 31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH | ||
| 6178 | The current candidate issuer certificate was rejected because its issuer name | ||
| 6179 | and serial number were present and did not match the authority key identifier | ||
| 6180 | of the current certificate. | ||
| 6181 | Only displayed when the | ||
| 6182 | .Fl issuer_checks | ||
| 6183 | option is set. | ||
| 6184 | .It 32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN | ||
| 6185 | The current candidate issuer certificate was rejected because its | ||
| 6186 | .Cm keyUsage | ||
| 6187 | extension does not permit certificate signing. | ||
| 6188 | .It 50 X509_V_ERR_APPLICATION_VERIFICATION | ||
| 6189 | An application specific error. | ||
| 6190 | Unused. | ||
| 6191 | .El | ||
| 6192 | .Tg version | 6071 | .Tg version |
| 6193 | .Sh VERSION | 6072 | .Sh VERSION |
| 6194 | .Nm openssl version | 6073 | .Nm openssl version |