In x509/x509_purp.c rev. 1.11, tb@ fixed X509_check_purpose(3)

to fail if parsing of a certificate extension failed. Adjust the documentation accordingly. OK tb@
author: schwarze <> 2021-10-29 14:29:24 +0000
committer: schwarze <> 2021-10-29 14:29:24 +0000
commit: ebf7bdd740439b0c094f1a97f94bd885a052642b (patch)
tree: e3d9371e796dd23e4f8f834a6006cbf4c81e0272
parent: a29656fa817ab197672f26c0a966b22f6c9d55c4 (diff)
download: openbsd-ebf7bdd740439b0c094f1a97f94bd885a052642b.tar.gz
openbsd-ebf7bdd740439b0c094f1a97f94bd885a052642b.tar.bz2
openbsd-ebf7bdd740439b0c094f1a97f94bd885a052642b.zip
1 files changed, 18 insertions, 8 deletions
diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3
index fdb58d5b21..e0737251eb 100644
--- a/src/lib/libcrypto/man/X509_check_purpose.3
+++ b/src/lib/libcrypto/man/X509_check_purpose.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_purpose.3,v 1.6 2021/07/27 13:27:46 schwarze Exp $
+.\" $OpenBSD: X509_check_purpose.3,v 1.7 2021/10/29 14:29:24 schwarze Exp $
 .\"
 .\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 27 2021 $
+.Dd $Mdocdate: October 29 2021 $
 .Dt X509_CHECK_PURPOSE 3
 .Os
 .Sh NAME
@@ -40,6 +40,8 @@ is intended to be used for the given
 which can be one of the following integer constants.
 The check succeeds if none of the conditions given in the list below
 are violated.
+It always fails if parsing fails for any extension contained in the
+.Fa certificate .
 .Bl -tag -width 1n
 .It Dv X509_PURPOSE_SSL_CLIENT
 .Bl -dash -width 1n -compact
@@ -173,10 +175,12 @@ contains a Key Usage extension, the
 bit is set.
 .El
 .It Dv X509_PURPOSE_ANY
-The check always succeeds.
+Nothing is required except that, if any extensions are present,
+parsing them needs to succeed.
 .It Dv X509_PURPOSE_OCSP_HELPER
 .\" ocsp_helper, "OCSP helper"
-The check always succeeds.
+Nothing is required except that, if any extensions are present,
+parsing them needs to succeed.
 The application program is expected
 to do the actual checking by other means.
 .It Dv X509_PURPOSE_TIMESTAMP_SIGN
@@ -216,6 +220,10 @@ conditions are violated:
 .It
 If the
 .Fa certificate
+contains any extensions, parsing them succeeds.
+.It
+If the
+.Fa certificate
 contains a Key Usage extension, the
 .Dv keyCertSign
 bit is set.
@@ -320,13 +328,15 @@ or
 bits set.
 .El
 .It Dv X509_PURPOSE_ANY
-The check always succeeds, even if the three common conditions
+Nothing is required except that, if any extensions are present,
+parsing them needs to succeed.
+The check even succeeds if the three other common conditions
 cited above this list are violated.
 .El
 .Pp
-If the
+If parsing of any extensions that are present succeeds and the
 .Fa purpose
-is -1,
+argument is \-1,
 .Fn X509_check_purpose
 always succeeds, no matter whether or not the
 .Fa ca
@@ -345,7 +355,7 @@ identifiers not listed above.
 .Fn X509_check_purpose
 returns the following values:
 .Bl -column -1 Failure -compact
-.It -1 Ta Error Ta The
+.It \-1 Ta Error Ta Parsing of certificate extensions failed or the
 .Fa purpose
 is invalid.
 .It 0 Ta Failure Ta The
author	schwarze <>	2021-10-29 14:29:24 +0000
committer	schwarze <>	2021-10-29 14:29:24 +0000
commit	ebf7bdd740439b0c094f1a97f94bd885a052642b (patch)
tree	e3d9371e796dd23e4f8f834a6006cbf4c81e0272
parent	a29656fa817ab197672f26c0a966b22f6c9d55c4 (diff)
download	openbsd-ebf7bdd740439b0c094f1a97f94bd885a052642b.tar.gz openbsd-ebf7bdd740439b0c094f1a97f94bd885a052642b.tar.bz2 openbsd-ebf7bdd740439b0c094f1a97f94bd885a052642b.zip

diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3 index fdb58d5b21..e0737251eb 100644 --- a/src/lib/libcrypto/man/X509_check_purpose.3 +++ b/src/lib/libcrypto/man/X509_check_purpose.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_check_purpose.3,v 1.6 2021/07/27 13:27:46 schwarze Exp $	1	.\" $OpenBSD: X509_check_purpose.3,v 1.7 2021/10/29 14:29:24 schwarze Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: July 27 2021 $	17	.Dd $Mdocdate: October 29 2021 $
18	.Dt X509_CHECK_PURPOSE 3	18	.Dt X509_CHECK_PURPOSE 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -40,6 +40,8 @@ is intended to be used for the given
40	which can be one of the following integer constants.	40	which can be one of the following integer constants.
41	The check succeeds if none of the conditions given in the list below	41	The check succeeds if none of the conditions given in the list below
42	are violated.	42	are violated.
		43	It always fails if parsing fails for any extension contained in the
		44	.Fa certificate .
43	.Bl -tag -width 1n	45	.Bl -tag -width 1n
44	.It Dv X509_PURPOSE_SSL_CLIENT	46	.It Dv X509_PURPOSE_SSL_CLIENT
45	.Bl -dash -width 1n -compact	47	.Bl -dash -width 1n -compact
@@ -173,10 +175,12 @@ contains a Key Usage extension, the
173	bit is set.	175	bit is set.
174	.El	176	.El
175	.It Dv X509_PURPOSE_ANY	177	.It Dv X509_PURPOSE_ANY
176	The check always succeeds.	178	Nothing is required except that, if any extensions are present,
		179	parsing them needs to succeed.
177	.It Dv X509_PURPOSE_OCSP_HELPER	180	.It Dv X509_PURPOSE_OCSP_HELPER
178	.\" ocsp_helper, "OCSP helper"	181	.\" ocsp_helper, "OCSP helper"
179	The check always succeeds.	182	Nothing is required except that, if any extensions are present,
		183	parsing them needs to succeed.
180	The application program is expected	184	The application program is expected
181	to do the actual checking by other means.	185	to do the actual checking by other means.
182	.It Dv X509_PURPOSE_TIMESTAMP_SIGN	186	.It Dv X509_PURPOSE_TIMESTAMP_SIGN
@@ -216,6 +220,10 @@ conditions are violated:
216	.It	220	.It
217	If the	221	If the
218	.Fa certificate	222	.Fa certificate
		223	contains any extensions, parsing them succeeds.
		224	.It
		225	If the
		226	.Fa certificate
219	contains a Key Usage extension, the	227	contains a Key Usage extension, the
220	.Dv keyCertSign	228	.Dv keyCertSign
221	bit is set.	229	bit is set.
@@ -320,13 +328,15 @@ or
320	bits set.	328	bits set.
321	.El	329	.El
322	.It Dv X509_PURPOSE_ANY	330	.It Dv X509_PURPOSE_ANY
323	The check always succeeds, even if the three common conditions	331	Nothing is required except that, if any extensions are present,
		332	parsing them needs to succeed.
		333	The check even succeeds if the three other common conditions
324	cited above this list are violated.	334	cited above this list are violated.
325	.El	335	.El
326	.Pp	336	.Pp
327	If the	337	If parsing of any extensions that are present succeeds and the
328	.Fa purpose	338	.Fa purpose
329	is -1,	339	argument is \-1,
330	.Fn X509_check_purpose	340	.Fn X509_check_purpose
331	always succeeds, no matter whether or not the	341	always succeeds, no matter whether or not the
332	.Fa ca	342	.Fa ca
@@ -345,7 +355,7 @@ identifiers not listed above.
345	.Fn X509_check_purpose	355	.Fn X509_check_purpose
346	returns the following values:	356	returns the following values:
347	.Bl -column -1 Failure -compact	357	.Bl -column -1 Failure -compact
348	.It -1 Ta Error Ta The	358	.It \-1 Ta Error Ta Parsing of certificate extensions failed or the
349	.Fa purpose	359	.Fa purpose
350	is invalid.	360	is invalid.
351	.It 0 Ta Failure Ta The	361	.It 0 Ta Failure Ta The