Document X509v3_{addr,asid}_validate_{path,resource_set}(3)

These were the last four RFC 3779 things that check_complete.pl x509v3 complained about. I will surely tweak and try to improve a few things in the coming days, but the pages should now be stable enough that review efforts will likely not be wasted. Any feedback appreciated.
author: tb <> 2023-09-29 08:57:49 +0000
committer: tb <> 2023-09-29 08:57:49 +0000
commit: 748670f0a586443321b54a6e511fef277ae0d07f (patch)
tree: 829c3398edd47a208c282b5783404c084f76787c /src/lib/libcrypto/man/X509v3_addr_validate_path.3
parent: a13dfa624381df2e77f5ca31d1187e39a82f9196 (diff)
download: openbsd-748670f0a586443321b54a6e511fef277ae0d07f.tar.gz
openbsd-748670f0a586443321b54a6e511fef277ae0d07f.tar.bz2
openbsd-748670f0a586443321b54a6e511fef277ae0d07f.zip
1 files changed, 202 insertions, 0 deletions
diff --git a/src/lib/libcrypto/man/X509v3_addr_validate_path.3 b/src/lib/libcrypto/man/X509v3_addr_validate_path.3
new file mode 100644
index 0000000000..1315e2013e
--- /dev/null
+++ b/src/lib/libcrypto/man/X509v3_addr_validate_path.3
@@ -0,0 +1,202 @@
+.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.1 2023/09/29 08:57:49 tb Exp $
+.\"
+.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: September 29 2023 $
+.Dt X509V3_ADDR_VALIDATE_PATH 3
+.Os
+.Sh NAME
+.Nm X509v3_addr_validate_path ,
+.Nm X509v3_addr_validate_resource_set ,
+.Nm X509v3_asid_validate_path ,
+.Nm X509v3_asid_validate_resource_set
+.Nd RFC 3779 path validation for IP address and AS number delegation
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft int
+.Fn X509v3_addr_validate_path "X509_STORE_CTX *ctx"
+.Ft int
+.Fo X509v3_addr_validate_resource_set
+.Fa "STACK_OF(X509) *chain"
+.Fa "IPAddrBlocks *addrblocks"
+.Fa "int allow_inheritance"
+.Fc
+.Ft int
+.Fn X509v3_asid_validate_path "X509_STORE_CTX *ctx"
+.Ft int
+.Fo X509v3_asid_validate_resource_set
+.Fa "STACK_OF(X509) *chain"
+.Fa "ASIdentifiers *asid"
+.Fa "int allow_inheritance"
+.Fc
+.Sh DESCRIPTION
+Both RFC 3779 extensions require additional checking in the certification
+path validation.
+.Bl -enum
+.It
+The initial set of allowed IP address and AS number resources is defined in
+the trust anchor; inheritance is not allowed in the trust anchor.
+.It
+All IP address delegation or AS number delegation extensions
+must be in canonical form according to
+.Xr X509v3_addr_is_canonical 3
+and
+.Xr X509v3_asid_is_canonical 3 .
+.It
+If the IP address delegation extension is present in a certificate,
+it must also be present in its issuer.
+Similarly for AS identifiers.
+.It
+An issuer may only delegate resources present in its
+RFC 3779 extensions.
+.El
+.Pp
+.Fn X509v3_addr_validate_path
+and
+.Fn X509v3_asid_validate_path
+are called from
+.Xr X509_verify_cert 3
+as part of the verification chain building.
+On encountering an error or a violation of the above rules,
+.Fa error ,
+.Fa error_depth ,
+and
+.Fa current_cert
+are set on
+.Fa ctx
+and the verify callback is called with
+.Fa ok
+set to 0.
+.Dv X509_V_ERR_INVALID_EXTENSION
+indicates a non-canonical resource,
+.Dv X509_V_ERR_UNNESTED_RESOURCE
+indicates a violation of the other rules above.
+In rare circumstances, the error can be
+.Dv X509_V_ERR_UNSPECIFIED
+and for IP address resources
+.Dv X509_V_ERR_OUT_OF_MEM
+is also possible.
+.Pp
+.Fn X509v3_addr_validate_resource_set
+validates the resources in
+.Fa addrblocks
+against a specific certificate
+.Fa chain .
+After checking that
+.Fa addrblocks
+is canonical, its IP addresses are checked to be covered in
+the certificate at depth 0,
+then the chain is walked all the way to the trust anchor
+until an error or a violation of the above rules is encountered.
+.Fa addrblocks
+is allowed to use inheritance according to
+.Xr X509v3_addr_inherits 3
+if and only if
+.Fa allow_inherit
+is non-zero.
+.Pp
+.Fn X509v3_asid_validate_resource_set
+performs similar checks as
+.Fn X509v3_addr_validate_resource_set
+for
+.Fa asid .
+.Sh RETURN VALUES
+All these functions return 1 on successful validation and 0 otherwise.
+.Pa
+For
+.Fn X509v3_addr_validate_path
+and
+.Fn X509v3_asid_validate_path
+a non-empty
+.Fa chain
+and a
+.Fa verify_cb
+must be present on
+.Fa ctx ,
+otherwise they fail and set the
+.Fa error
+on
+.Fa ctx
+to
+.Dv X509_V_ERR_UNSPECIFIED .
+The
+.Fa verify_cb
+is called with the error codes described above
+on most errors encountered during validation.
+Some malformed extensions can lead to an error
+that cannot be intercepted by the callback.
+With the exception of an allocation error,
+no error codes are set on the error stack.
+.Pp
+.Fn X509v3_addr_validate_resource_set
+and
+.Fn X509v3_asid_validate_resource_set
+accept a
+.Dv NULL
+.Fa addrblocks
+or
+.Fa asid
+as valid.
+They fail if
+.Fa chain
+is
+.Dv NULL
+or empty.
+If
+.Fa allow_inheritance
+is 0 ,
+.Fa addrblocks
+or
+.Fa asid
+is checked for inheritance with
+.Xr X509v3_addr_inherits 3
+or
+.Xr X509v3_asid_inherits 3 .
+The remaining failure cases are the same as for
+.Fn X509v3_addr_validate_path
+and
+.Fn X509v3_asid_validate_path .
+They cannot and do not attempt to communicate
+the cause of the error to the caller.
+.Sh SEE ALSO
+.Xr ASIdentifiers_new 3 ,
+.Xr crypto 3 ,
+.Xr IPAddressRange_new 3 ,
+.Xr X509_new 3 ,
+.Xr X509_STORE_CTX_get_error 3 ,
+.Xr X509_verify_cert 3 ,
+.Xr X509v3_addr_add_inherit 3 ,
+.Xr X509v3_addr_inherits 3 ,
+.Xr X509v3_asid_add_id_or_range 3
+.Sh STANDARDS
+RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
+.Bl -dash -compact
+.It
+section 2.3: IP Address Delegation Extension Certification Path Validation
+.It
+section 3.3: Autonomous System Identifier Delegation Extension Certification
+Path Validation
+.El
+.Pp
+RFC 5280: Internet X.509 Public Key Infrastructure Certificate
+and Certificate Revocation List (CRL) Profile
+.Bl -dash -compact
+.It
+section 6: Certification Path Validation
+.El
+.Sh HISTORY
+These functions first appeared in OpenSSL 0.9.8e
+and have been available since
+.Ox 7.1 .
author	tb <>	2023-09-29 08:57:49 +0000
committer	tb <>	2023-09-29 08:57:49 +0000
commit	748670f0a586443321b54a6e511fef277ae0d07f (patch)
tree	829c3398edd47a208c282b5783404c084f76787c /src/lib/libcrypto/man/X509v3_addr_validate_path.3
parent	a13dfa624381df2e77f5ca31d1187e39a82f9196 (diff)
download	openbsd-748670f0a586443321b54a6e511fef277ae0d07f.tar.gz openbsd-748670f0a586443321b54a6e511fef277ae0d07f.tar.bz2 openbsd-748670f0a586443321b54a6e511fef277ae0d07f.zip

diff --git a/src/lib/libcrypto/man/X509v3_addr_validate_path.3 b/src/lib/libcrypto/man/X509v3_addr_validate_path.3 new file mode 100644 index 0000000000..1315e2013e --- /dev/null +++ b/src/lib/libcrypto/man/X509v3_addr_validate_path.3
@@ -0,0 +1,202 @@
	1	.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.1 2023/09/29 08:57:49 tb Exp $
	2	.\"
	3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
	4	.\"
	5	.\" Permission to use, copy, modify, and distribute this software for any
	6	.\" purpose with or without fee is hereby granted, provided that the above
	7	.\" copyright notice and this permission notice appear in all copies.
	8	.\"
	9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	.\"
	17	.Dd $Mdocdate: September 29 2023 $
	18	.Dt X509V3_ADDR_VALIDATE_PATH 3
	19	.Os
	20	.Sh NAME
	21	.Nm X509v3_addr_validate_path ,
	22	.Nm X509v3_addr_validate_resource_set ,
	23	.Nm X509v3_asid_validate_path ,
	24	.Nm X509v3_asid_validate_resource_set
	25	.Nd RFC 3779 path validation for IP address and AS number delegation
	26	.Sh SYNOPSIS
	27	.In openssl/x509v3.h
	28	.Ft int
	29	.Fn X509v3_addr_validate_path "X509_STORE_CTX *ctx"
	30	.Ft int
	31	.Fo X509v3_addr_validate_resource_set
	32	.Fa "STACK_OF(X509) *chain"
	33	.Fa "IPAddrBlocks *addrblocks"
	34	.Fa "int allow_inheritance"
	35	.Fc
	36	.Ft int
	37	.Fn X509v3_asid_validate_path "X509_STORE_CTX *ctx"
	38	.Ft int
	39	.Fo X509v3_asid_validate_resource_set
	40	.Fa "STACK_OF(X509) *chain"
	41	.Fa "ASIdentifiers *asid"
	42	.Fa "int allow_inheritance"
	43	.Fc
	44	.Sh DESCRIPTION
	45	Both RFC 3779 extensions require additional checking in the certification
	46	path validation.
	47	.Bl -enum
	48	.It
	49	The initial set of allowed IP address and AS number resources is defined in
	50	the trust anchor; inheritance is not allowed in the trust anchor.
	51	.It
	52	All IP address delegation or AS number delegation extensions
	53	must be in canonical form according to
	54	.Xr X509v3_addr_is_canonical 3
	55	and
	56	.Xr X509v3_asid_is_canonical 3 .
	57	.It
	58	If the IP address delegation extension is present in a certificate,
	59	it must also be present in its issuer.
	60	Similarly for AS identifiers.
	61	.It
	62	An issuer may only delegate resources present in its
	63	RFC 3779 extensions.
	64	.El
	65	.Pp
	66	.Fn X509v3_addr_validate_path
	67	and
	68	.Fn X509v3_asid_validate_path
	69	are called from
	70	.Xr X509_verify_cert 3
	71	as part of the verification chain building.
	72	On encountering an error or a violation of the above rules,
	73	.Fa error ,
	74	.Fa error_depth ,
	75	and
	76	.Fa current_cert
	77	are set on
	78	.Fa ctx
	79	and the verify callback is called with
	80	.Fa ok
	81	set to 0.
	82	.Dv X509_V_ERR_INVALID_EXTENSION
	83	indicates a non-canonical resource,
	84	.Dv X509_V_ERR_UNNESTED_RESOURCE
	85	indicates a violation of the other rules above.
	86	In rare circumstances, the error can be
	87	.Dv X509_V_ERR_UNSPECIFIED
	88	and for IP address resources
	89	.Dv X509_V_ERR_OUT_OF_MEM
	90	is also possible.
	91	.Pp
	92	.Fn X509v3_addr_validate_resource_set
	93	validates the resources in
	94	.Fa addrblocks
	95	against a specific certificate
	96	.Fa chain .
	97	After checking that
	98	.Fa addrblocks
	99	is canonical, its IP addresses are checked to be covered in
	100	the certificate at depth 0,
	101	then the chain is walked all the way to the trust anchor
	102	until an error or a violation of the above rules is encountered.
	103	.Fa addrblocks
	104	is allowed to use inheritance according to
	105	.Xr X509v3_addr_inherits 3
	106	if and only if
	107	.Fa allow_inherit
	108	is non-zero.
	109	.Pp
	110	.Fn X509v3_asid_validate_resource_set
	111	performs similar checks as
	112	.Fn X509v3_addr_validate_resource_set
	113	for
	114	.Fa asid .
	115	.Sh RETURN VALUES
	116	All these functions return 1 on successful validation and 0 otherwise.
	117	.Pa
	118	For
	119	.Fn X509v3_addr_validate_path
	120	and
	121	.Fn X509v3_asid_validate_path
	122	a non-empty
	123	.Fa chain
	124	and a
	125	.Fa verify_cb
	126	must be present on
	127	.Fa ctx ,
	128	otherwise they fail and set the
	129	.Fa error
	130	on
	131	.Fa ctx
	132	to
	133	.Dv X509_V_ERR_UNSPECIFIED .
	134	The
	135	.Fa verify_cb
	136	is called with the error codes described above
	137	on most errors encountered during validation.
	138	Some malformed extensions can lead to an error
	139	that cannot be intercepted by the callback.
	140	With the exception of an allocation error,
	141	no error codes are set on the error stack.
	142	.Pp
	143	.Fn X509v3_addr_validate_resource_set
	144	and
	145	.Fn X509v3_asid_validate_resource_set
	146	accept a
	147	.Dv NULL
	148	.Fa addrblocks
	149	or
	150	.Fa asid
	151	as valid.
	152	They fail if
	153	.Fa chain
	154	is
	155	.Dv NULL
	156	or empty.
	157	If
	158	.Fa allow_inheritance
	159	is 0 ,
	160	.Fa addrblocks
	161	or
	162	.Fa asid
	163	is checked for inheritance with
	164	.Xr X509v3_addr_inherits 3
	165	or
	166	.Xr X509v3_asid_inherits 3 .
	167	The remaining failure cases are the same as for
	168	.Fn X509v3_addr_validate_path
	169	and
	170	.Fn X509v3_asid_validate_path .
	171	They cannot and do not attempt to communicate
	172	the cause of the error to the caller.
	173	.Sh SEE ALSO
	174	.Xr ASIdentifiers_new 3 ,
	175	.Xr crypto 3 ,
	176	.Xr IPAddressRange_new 3 ,
	177	.Xr X509_new 3 ,
	178	.Xr X509_STORE_CTX_get_error 3 ,
	179	.Xr X509_verify_cert 3 ,
	180	.Xr X509v3_addr_add_inherit 3 ,
	181	.Xr X509v3_addr_inherits 3 ,
	182	.Xr X509v3_asid_add_id_or_range 3
	183	.Sh STANDARDS
	184	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
	185	.Bl -dash -compact
	186	.It
	187	section 2.3: IP Address Delegation Extension Certification Path Validation
	188	.It
	189	section 3.3: Autonomous System Identifier Delegation Extension Certification
	190	Path Validation
	191	.El
	192	.Pp
	193	RFC 5280: Internet X.509 Public Key Infrastructure Certificate
	194	and Certificate Revocation List (CRL) Profile
	195	.Bl -dash -compact
	196	.It
	197	section 6: Certification Path Validation
	198	.El
	199	.Sh HISTORY
	200	These functions first appeared in OpenSSL 0.9.8e
	201	and have been available since
	202	.Ox 7.1 .