remove CMS manuals; beck@ agress with the general idea

author: schwarze <> 2016-09-05 10:43:42 +0000
committer: schwarze <> 2016-09-05 10:43:42 +0000
commit: 8bc3352bee3f743c2b8f9fd9c743fca60706336c (patch)
tree: 8ddbb216e39c4571145c2d202a95596f977cdfe0 /src/lib/libcrypto/man/CMS_verify.3
parent: de12fbc1ebd942810e5ca1e55d7a6e213023f318 (diff)
download: openbsd-8bc3352bee3f743c2b8f9fd9c743fca60706336c.tar.gz
openbsd-8bc3352bee3f743c2b8f9fd9c743fca60706336c.tar.bz2
openbsd-8bc3352bee3f743c2b8f9fd9c743fca60706336c.zip
1 files changed, 0 insertions, 188 deletions
diff --git a/src/lib/libcrypto/man/CMS_verify.3 b/src/lib/libcrypto/man/CMS_verify.3
deleted file mode 100644
index 0ab1baf6b3..0000000000
--- a/src/lib/libcrypto/man/CMS_verify.3
+++ /dev/null
@@ -1,188 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_VERIFY 3
-.Os
-.Sh NAME
-.Nm CMS_verify ,
-.Nm CMS_get0_signers
-.Nd verify a CMS SignedData structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo CMS_verify
-.Fa "CMS_ContentInfo *cms"
-.Fa "STACK_OF(X509) *certs"
-.Fa "X509_STORE *store"
-.Fa "BIO *indata"
-.Fa "BIO *out"
-.Fa "unsigned int flags"
-.Fc
-.Ft STACK_OF(X509) *
-.Fo CMS_get0_signers
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_verify
-verifies a CMS SignedData structure.
-.Fa cms
-is the
-.Vt CMS_ContentInfo
-structure to verify.
-.Fa certs
-is a set of certificates in which to search for the signing
-certificate(s).
-.Fa store
-is a trusted certificate store used for chain verification.
-.Fa indata
-is the detached content if the content is not present in
-.Fa cms .
-The content is written to
-.Fa out
-if it is not
-.Dv NULL .
-.Pp
-.Fa flags
-is an optional set of flags, which can be used to modify the verify
-operation.
-.Pp
-.Fn CMS_get0_signers
-retrieves the signing certificate(s) from
-.Fa cms ,
-it must be called after a successful
-.Fn CMS_verify
-operation.
-.Sh VERIFY PROCESS
-Normally the verify process proceeds as follows.
-.Pp
-Initially some sanity checks are performed on
-.Fa cms .
-The type of
-.Fa cms
-must be SignedData.
-There must be at least one signature on the data and if the content is
-detached
-.Fa indata
-cannot be
-.Dv NULL .
-.Pp
-An attempt is made to locate all the signing certificate(s), first
-looking in the
-.Fa certs
-parameter (if it is not
-.Dv NULL )
-and then looking in any certificates contained in the
-.Fa cms
-structure itself.
-If no signing certificate can be located, the operation fails.
-.Pp
-Each signing certificate is chain verified using the
-.Sy smimesign
-purpose and the supplied trusted certificate store.
-Any internal certificates in the message are used as untrusted CAs.
-If CRL checking is enabled in
-.Fa store ,
-any internal CRLs are used in addition to attempting to look them up in
-.Fa store .
-If any chain verify fails, an error code is returned.
-.Pp
-Finally the signed content is read (and written to
-.Fa out
-is it is not
-.Dv NULL )
-and the signature is checked.
-.Pp
-If all signatures verify correctly, then the function is successful.
-.Pp
-Any of the following flags (OR'ed together) can be passed in the
-.Fa flags
-parameter to change the default verify behaviour.
-.Pp
-If
-.Dv CMS_NOINTERN
-is set, the certificates in the message itself are not searched when
-locating the signing certificate(s).
-This means that all the signing certificates must be in the
-.Fa certs
-parameter.
-.Pp
-If
-.Dv CMS_NOCRL
-is set, and CRL checking is enabled in
-.Fa store ,
-then any CRLs in the message itself are ignored.
-.Pp
-If the
-.Dv CMS_TEXT
-flag is set, MIME headers for type
-.Sy text/plain
-are deleted from the content.
-If the content is not of type
-.Sy text/plain ,
-then an error is returned.
-.Pp
-If
-.Dv CMS_NO_SIGNER_CERT_VERIFY
-is set, the signing certificates are not verified.
-.Pp
-If
-.Dv CMS_NO_ATTR_VERIFY
-is set, the signed attributes signature is not verified.
-.Pp
-If
-.Dv CMS_NO_CONTENT_VERIFY
-is set, then the content digest is not checked.
-.Sh NOTES
-One application of
-.Dv CMS_NOINTERN
-is to only accept messages signed by a small number of certificates.
-The acceptable certificates would be passed in the
-.Fa certs
-parameter.
-In this case, if the signer is not one of the certificates supplied in
-.Fa certs ,
-then the verify will fail because the signer cannot be found.
-.Pp
-In some cases the standard techniques for looking up and validating
-certificates are not appropriate: for example an application may wish to
-lookup certificates in a database or perform customised verification.
-This can be achieved by setting and verifying the signers certificates
-manually using the signed data utility functions.
-.Pp
-Care should be taken when modifying the default verify behaviour, for
-example setting
-.Dv CMS_NO_CONTENT_VERIFY
-will totally disable all content verification and any modified content
-will be considered valid.
-This combination is however useful if one merely wishes to write the
-content to
-.Fa out
-and its validity is not considered important.
-.Pp
-Chain verification should arguably be performed using the signing time
-rather than the current time.
-However since the signing time is supplied by the signer it cannot be
-trusted without additional evidence (such as a trusted timestamp).
-.Sh RETURN VALUES
-.Fn CMS_verify
-returns 1 for a successful verification and zero if an error occurred.
-.Pp
-.Fn CMS_get0_signers
-returns all signers or
-.Dv NULL
-if an error occurred.
-.Pp
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_sign 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_verify
-was added to OpenSSL 0.9.8.
-.Sh BUGS
-The trusted certificate store is not searched for the signing
-certificate, this is primarily due to the inadequacies of the current
-.Vt X509_STORE
-functionality.
-.Pp
-The lack of single pass processing means that the signed content must
-all be held in memory if it is not detached.
author	schwarze <>	2016-09-05 10:43:42 +0000
committer	schwarze <>	2016-09-05 10:43:42 +0000
commit	8bc3352bee3f743c2b8f9fd9c743fca60706336c (patch)
tree	8ddbb216e39c4571145c2d202a95596f977cdfe0 /src/lib/libcrypto/man/CMS_verify.3
parent	de12fbc1ebd942810e5ca1e55d7a6e213023f318 (diff)
download	openbsd-8bc3352bee3f743c2b8f9fd9c743fca60706336c.tar.gz openbsd-8bc3352bee3f743c2b8f9fd9c743fca60706336c.tar.bz2 openbsd-8bc3352bee3f743c2b8f9fd9c743fca60706336c.zip

diff --git a/src/lib/libcrypto/man/CMS_verify.3 b/src/lib/libcrypto/man/CMS_verify.3 deleted file mode 100644 index 0ab1baf6b3..0000000000 --- a/src/lib/libcrypto/man/CMS_verify.3 +++ /dev/null
@@ -1,188 +0,0 @@
1	.Dd $Mdocdate: November 11 2015 $
2	.Dt CMS_VERIFY 3
3	.Os
4	.Sh NAME
5	.Nm CMS_verify ,
6	.Nm CMS_get0_signers
7	.Nd verify a CMS SignedData structure
8	.Sh SYNOPSIS
9	.In openssl/cms.h
10	.Ft int
11	.Fo CMS_verify
12	.Fa "CMS_ContentInfo *cms"
13	.Fa "STACK_OF(X509) *certs"
14	.Fa "X509_STORE *store"
15	.Fa "BIO *indata"
16	.Fa "BIO *out"
17	.Fa "unsigned int flags"
18	.Fc
19	.Ft STACK_OF(X509) *
20	.Fo CMS_get0_signers
21	.Fa "CMS_ContentInfo *cms"
22	.Fc
23	.Sh DESCRIPTION
24	.Fn CMS_verify
25	verifies a CMS SignedData structure.
26	.Fa cms
27	is the
28	.Vt CMS_ContentInfo
29	structure to verify.
30	.Fa certs
31	is a set of certificates in which to search for the signing
32	certificate(s).
33	.Fa store
34	is a trusted certificate store used for chain verification.
35	.Fa indata
36	is the detached content if the content is not present in
37	.Fa cms .
38	The content is written to
39	.Fa out
40	if it is not
41	.Dv NULL .
42	.Pp
43	.Fa flags
44	is an optional set of flags, which can be used to modify the verify
45	operation.
46	.Pp
47	.Fn CMS_get0_signers
48	retrieves the signing certificate(s) from
49	.Fa cms ,
50	it must be called after a successful
51	.Fn CMS_verify
52	operation.
53	.Sh VERIFY PROCESS
54	Normally the verify process proceeds as follows.
55	.Pp
56	Initially some sanity checks are performed on
57	.Fa cms .
58	The type of
59	.Fa cms
60	must be SignedData.
61	There must be at least one signature on the data and if the content is
62	detached
63	.Fa indata
64	cannot be
65	.Dv NULL .
66	.Pp
67	An attempt is made to locate all the signing certificate(s), first
68	looking in the
69	.Fa certs
70	parameter (if it is not
71	.Dv NULL )
72	and then looking in any certificates contained in the
73	.Fa cms
74	structure itself.
75	If no signing certificate can be located, the operation fails.
76	.Pp
77	Each signing certificate is chain verified using the
78	.Sy smimesign
79	purpose and the supplied trusted certificate store.
80	Any internal certificates in the message are used as untrusted CAs.
81	If CRL checking is enabled in
82	.Fa store ,
83	any internal CRLs are used in addition to attempting to look them up in
84	.Fa store .
85	If any chain verify fails, an error code is returned.
86	.Pp
87	Finally the signed content is read (and written to
88	.Fa out
89	is it is not
90	.Dv NULL )
91	and the signature is checked.
92	.Pp
93	If all signatures verify correctly, then the function is successful.
94	.Pp
95	Any of the following flags (OR'ed together) can be passed in the
96	.Fa flags
97	parameter to change the default verify behaviour.
98	.Pp
99	If
100	.Dv CMS_NOINTERN
101	is set, the certificates in the message itself are not searched when
102	locating the signing certificate(s).
103	This means that all the signing certificates must be in the
104	.Fa certs
105	parameter.
106	.Pp
107	If
108	.Dv CMS_NOCRL
109	is set, and CRL checking is enabled in
110	.Fa store ,
111	then any CRLs in the message itself are ignored.
112	.Pp
113	If the
114	.Dv CMS_TEXT
115	flag is set, MIME headers for type
116	.Sy text/plain
117	are deleted from the content.
118	If the content is not of type
119	.Sy text/plain ,
120	then an error is returned.
121	.Pp
122	If
123	.Dv CMS_NO_SIGNER_CERT_VERIFY
124	is set, the signing certificates are not verified.
125	.Pp
126	If
127	.Dv CMS_NO_ATTR_VERIFY
128	is set, the signed attributes signature is not verified.
129	.Pp
130	If
131	.Dv CMS_NO_CONTENT_VERIFY
132	is set, then the content digest is not checked.
133	.Sh NOTES
134	One application of
135	.Dv CMS_NOINTERN
136	is to only accept messages signed by a small number of certificates.
137	The acceptable certificates would be passed in the
138	.Fa certs
139	parameter.
140	In this case, if the signer is not one of the certificates supplied in
141	.Fa certs ,
142	then the verify will fail because the signer cannot be found.
143	.Pp
144	In some cases the standard techniques for looking up and validating
145	certificates are not appropriate: for example an application may wish to
146	lookup certificates in a database or perform customised verification.
147	This can be achieved by setting and verifying the signers certificates
148	manually using the signed data utility functions.
149	.Pp
150	Care should be taken when modifying the default verify behaviour, for
151	example setting
152	.Dv CMS_NO_CONTENT_VERIFY
153	will totally disable all content verification and any modified content
154	will be considered valid.
155	This combination is however useful if one merely wishes to write the
156	content to
157	.Fa out
158	and its validity is not considered important.
159	.Pp
160	Chain verification should arguably be performed using the signing time
161	rather than the current time.
162	However since the signing time is supplied by the signer it cannot be
163	trusted without additional evidence (such as a trusted timestamp).
164	.Sh RETURN VALUES
165	.Fn CMS_verify
166	returns 1 for a successful verification and zero if an error occurred.
167	.Pp
168	.Fn CMS_get0_signers
169	returns all signers or
170	.Dv NULL
171	if an error occurred.
172	.Pp
173	The error can be obtained from
174	.Xr ERR_get_error 3 .
175	.Sh SEE ALSO
176	.Xr CMS_sign 3 ,
177	.Xr ERR_get_error 3
178	.Sh HISTORY
179	.Fn CMS_verify
180	was added to OpenSSL 0.9.8.
181	.Sh BUGS
182	The trusted certificate store is not searched for the signing
183	certificate, this is primarily due to the inadequacies of the current
184	.Vt X509_STORE
185	functionality.
186	.Pp
187	The lack of single pass processing means that the signed content must
188	all be held in memory if it is not detached.