authorschwarze <>2021-07-27 13:27:46 +0000
committerschwarze <>2021-07-27 13:27:46 +0000
commit27cf2de950ce3d3c810395f8588652dad095dc05 (patch)
treeeee9c8391ac257ff0310015caaef419864bff0ba /src/lib
parent7dc459d11ac1d80fa7911ea7c3ccf537ae38b49c (diff)
downloadopenbsd-27cf2de950ce3d3c810395f8588652dad095dc05.tar.gz
openbsd-27cf2de950ce3d3c810395f8588652dad095dc05.tar.bz2
openbsd-27cf2de950ce3d3c810395f8588652dad095dc05.zip
new manual page X509_policy_check(3)
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/man/Makefile3
-rw-r--r--src/lib/libcrypto/man/X509_check_purpose.35
-rw-r--r--src/lib/libcrypto/man/X509_check_trust.35
-rw-r--r--src/lib/libcrypto/man/X509_new.35
-rw-r--r--src/lib/libcrypto/man/X509_policy_check.3183
-rw-r--r--src/lib/libcrypto/man/X509_policy_tree_level_count.37
6 files changed, 198 insertions, 10 deletions
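--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.187 2021/07/26 14:03:43 schwarze Exp $
+# $OpenBSD: Makefile,v 1.188 2021/07/27 13:27:46 schwarze Exp $
 
 .include <bsd.own.mk>
 
@@ -327,6 +327,7 @@ MAN= \
 	X509_get1_email.3 \
 	X509_keyid_set1.3 \
 	X509_new.3 \
+	X509_policy_check.3 \
 	X509_policy_tree_level_count.3 \
 	X509_print_ex.3 \
 	X509_sign.3 \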
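--- a/src/lib/libcrypto/man/X509_check_purpose.3
+++ b/src/lib/libcrypto/man/X509_check_purpose.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_purpose.3,v 1.5 2021/07/24 14:33:14 schwarze Exp $
+.\" $OpenBSD: X509_check_purpose.3,v 1.6 2021/07/27 13:27:46 schwarze Exp $
 .\"
 .\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 24 2021 $
+.Dd $Mdocdate: July 27 2021 $
 .Dt X509_CHECK_PURPOSE 3
 .Os
 .Sh NAME
@@ -382,6 +382,7 @@ can be used as a CA for the
 .Xr EXTENDED_KEY_USAGE_new 3 ,
 .Xr X509_check_trust 3 ,
 .Xr X509_new 3 ,
+.Xr X509_policy_check 3 ,
 .Xr X509_PURPOSE_set 3 ,
 .Xr X509V3_get_d2i 3 ,
 .Xr x509v3.cnf 5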
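--- a/src/lib/libcrypto/man/X509_check_trust.3
+++ b/src/lib/libcrypto/man/X509_check_trust.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_trust.3,v 1.1 2021/07/24 14:33:14 schwarze Exp $
+.\" $OpenBSD: X509_check_trust.3,v 1.2 2021/07/27 13:27:46 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 24 2021 $
+.Dd $Mdocdate: July 27 2021 $
 .Dt X509_CHECK_TRUST 3
 .Os
 .Sh NAME
@@ -200,6 +200,7 @@ which implies that it is not trusted.
 .Xr X509_CERT_AUX_new 3 ,
 .Xr X509_check_purpose 3 ,
 .Xr X509_new 3 ,
+.Xr X509_policy_check 3 ,
 .Xr X509_TRUST_set 3 ,
 .Xr X509_VERIFY_PARAM_set_trust 3
 .Sh HISTORY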
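--- a/src/lib/libcrypto/man/X509_new.3
+++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_new.3,v 1.27 2021/07/26 14:03:43 schwarze Exp $
+.\" $OpenBSD: X509_new.3,v 1.28 2021/07/27 13:27:46 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 26 2021 $
+.Dd $Mdocdate: July 27 2021 $
 .Dt X509_NEW 3
 .Os
 .Sh NAME
@@ -193,6 +193,7 @@ if an error occurs.
 .Xr X509_get_version 3 ,
 .Xr X509_INFO_new 3 ,
 .Xr X509_NAME_new 3 ,
+.Xr X509_policy_check 3 ,
 .Xr X509_policy_tree_level_count 3 ,
 .Xr X509_print_ex 3 ,
 .Xr X509_PUBKEY_new 3 ,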
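--- /dev/null
+++ b/src/lib/libcrypto/man/X509_policy_check.3
@@ -0,0 +1,183 @@
+.\" $OpenBSD: X509_policy_check.3,v 1.1 2021/07/27 13:27:46 schwarze Exp $
+.\"
+.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: July 27 2021 $
+.Dt X509_POLICY_CHECK 3
+.Os
+.Sh NAME
+.Nm X509_policy_check
+.Nd construct X.509 valid policy tree
+.Sh SYNOPSIS
+.In openssl/x509_vfy.h
+.Ft int
+.Fo X509_policy_check
+.Fa "X509_POLICY_TREE **ptree"
+.Fa "int *pexplicit_policy"
+.Fa "STACK_OF(X509) *certs"
+.Fa "STACK_OF(ASN1_OBJECT) *policy_oids"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn X509_policy_check
+performs those parts of Basic Certification Path Validation
+described in RFC 5280 section 6.1 that are related to the
+construction of the valid policy tree.
+.Pp
+The
+.Fa certs
+input argument contains the prospective certification path
+according to RFC 5280 paragraph 6.1.1(a), starting with the
+target certificate and ending with the trust anchor.
+If a policy tree is returned, the reference count of each of the
+.Fa certs
+is incremented by 1.
+.Pp
+The
+.Fa policy_oids
+input argument contains the
+.Va user-initial-policy-set
+according to RFC 5280 section 6.1.1(c).
+.Pp
+The
+.Fa flags
+argument can contain zero or more of the following constants, OR'ed together:
+.Bl -tag -width Ds
+.It Dv X509_V_FLAG_EXPLICIT_POLICY
+Set
+.Va initial-explicit-policy
+as defined by RFC 5280 paragraph 6.1.1(f).
+It requires the path to be valid for at least one of the
+.Fa policy_oids .
+.It Dv X509_V_FLAG_INHIBIT_ANY
+Set
+.Va initial-any-policy-inhibit
+as defined by RFC 5280 paragraph 6.1.1(g).
+It causes the
+.Sy anyPolicy
+OID to be skipped if it is encountered in a certificate.
+.It Dv X509_V_FLAG_INHIBIT_MAP
+Set
+.Va initial-policy-mapping-inhibit
+as defined by RFC 5280 paragraph 6.1.1(e).
+It disables policy mapping in the certification path.
+.El
+.Pp
+Upon success, a pointer to the
+.Vt valid_policy_tree
+output value mentioned in RFC 5280 section 6.1.6 is returned in
+.Pf * Fa ptree .
+It contains one level for each of the
+.Fa certs ,
+in reverse order: level 0 corresponds to the trust anchor,
+the last level corresponds to the target certificate.
+Level 0 is initialized to contain a single node with a
+.Fa valid_policy
+of
+.Sy anyPolicy ,
+an empty
+.Fa qualifier_set ,
+and an
+.Fa expected_policy_set
+containing only
+.Sy anyPolicy .
+.Pp
+The storage location pointed to by
+.Fa pexplicit_policy
+is set as specified in RFC 5280 paragraphs 6.1.2(d), 6.1.4(h), 6.1.4(i),
+6.1.5(a), and 6.1.5(b).
+In case of failure, it may or may not get set, representing a partial result.
+.Sh RETURN VALUES
+.Fn X509_policy_check
+returns these values:
+.Bl -tag -width 2n
+.It \-2
+Validation failed because
+.Dv X509_V_FLAG_EXPLICIT_POLICY
+was requested but the resulting policy tree
+or the resulting user policy set would have been empty.
+In this case,
+.Pf * Fa pexplicit_policy
+is set to 1.
+If the resulting tree is empty,
+.Pf * Fa ptree
+is set to
+.Dv NULL ;
+otherwise, it is set to the resulting tree.
+.It \-1
+At least one of the
+.Fa certs
+contains invalid or inconsistent extensions.
+.Pf * Fa ptree
+is set to
+.Dv NULL
+and
+.Pf * Fa pexplicit_policy
+to 0.
+.It 0
+Internal error.
+For example, setting up the policy caches failed, or memory allocation
+failed while constructing the tree.
+.Pf * Fa ptree
+is set to
+.Dv NULL
+and
+.Pf * Fa pexplicit_policy
+may be set to 0 or to a partial result.
+.It 1
+Validation succeeded and
+.Pf * Fa ptree
+and
+.Pf * Fa pexplicit_policy
+have been set.
+In the special cases that the
+.Fa certs
+argument contains exactly one certificate or that
+.Dv X509_V_FLAG_EXPLICIT_POLICY
+was not requested and the resulting policy tree would have been empty,
+.Pf * Fa ptree
+is set to
+.Dv NULL
+and
+.Pf * Fa pexplicit_policy
+to 0.
+.It 2
+.Dv X509_V_FLAG_EXPLICIT_POLICY
+was not requested and at least one of the certificates contains no
+certificate policies.
+.Pf * Fa ptree
+is set to
+.Dv NULL
+and
+.Pf * Fa pexplicit_policy
+to 0.
+.El
+.Sh SEE ALSO
+.Xr ASN1_OBJECT_new 3 ,
+.Xr OBJ_nid2obj 3 ,
+.Xr STACK_OF 3 ,
+.Xr X509_check_purpose 3 ,
+.Xr X509_check_trust 3 ,
+.Xr X509_new 3 ,
+.Xr X509_policy_tree_level_count 3 ,
+.Xr X509_verify_cert 3
+.Sh STANDARDS
+RFC 5280: Internet X.509 Public Key Infrastructure Certificate
+and Certificate Revocation List (CRL) Profile,
+section 6.1: Basic Path Validation
+.Sh HISTORY
+.Fn X509_policy_check
+first appeared in OpenSSL 0.9.8 and has been available since
+.Ox 4.5 .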
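--- a/src/lib/libcrypto/man/X509_policy_tree_level_count.3
+++ b/src/lib/libcrypto/man/X509_policy_tree_level_count.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_policy_tree_level_count.3,v 1.1 2021/07/26 14:03:43 schwarze Exp $
+.\" $OpenBSD: X509_policy_tree_level_count.3,v 1.2 2021/07/27 13:27:46 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 26 2021 $
+.Dd $Mdocdate: July 27 2021 $
 .Dt X509_POLICY_TREE_LEVEL_COUNT 3
 .Os
 .Sh NAME
@@ -149,7 +149,8 @@ The parent node is always located on the previous level.
 .Xr OBJ_obj2txt 3 ,
 .Xr POLICYQUALINFO_new 3 ,
 .Xr STACK_OF 3 ,
-.Xr X509_new 3
+.Xr X509_new 3 ,
+.Xr X509_policy_check 3
 .Sh STANDARDS
 RFC 5280: Internet X.509 Public Key Infrastructure Certificate
 and Certificate Revocation List (CRL) Profile,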