Document extension caching of X509_check_purpose()

The overwhelming majority of callers of X509_check_purpose() in our tree pass a purpose of -1. In this case X509_check_purpose() acts as a wrapper of x509v3_cache_extensions() which makes sanity checks like non-negativity of ASN.1 integers or canonicity of RFC 3779 extensions as well as checking uniqueness of extensions. from schwarze who beat an initial diff of mine into shape
author: tb <> 2022-12-16 18:02:28 +0000
committer: tb <> 2022-12-16 18:02:28 +0000
commit: 68cfe389d0ebb0d9cc9db2fd372db328d5499e1c (patch)
tree: be7accd18799416ed9e1926d2191a1151d7cad78 /src
parent: e3c1dbeb9eb2028277ed68307ae16673ebabae9b (diff)
download: openbsd-68cfe389d0ebb0d9cc9db2fd372db328d5499e1c.tar.gz
openbsd-68cfe389d0ebb0d9cc9db2fd372db328d5499e1c.tar.bz2
openbsd-68cfe389d0ebb0d9cc9db2fd372db328d5499e1c.zip
1 files changed, 43 insertions, 23 deletions
diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3
index e0737251eb..ff5ab592b0 100644
--- a/src/lib/libcrypto/man/X509_check_purpose.3
+++ b/src/lib/libcrypto/man/X509_check_purpose.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_purpose.3,v 1.7 2021/10/29 14:29:24 schwarze Exp $
+.\" $OpenBSD: X509_check_purpose.3,v 1.8 2022/12/16 18:02:28 tb Exp $
 .\"
 .\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 29 2021 $
+.Dd $Mdocdate: December 16 2022 $
 .Dt X509_CHECK_PURPOSE 3
 .Os
 .Sh NAME
@@ -30,10 +30,26 @@
 .Fc
 .Sh DESCRIPTION
 If the
+.Fa purpose
+argument is \-1,
+.Fn X509_check_purpose
+ignores the
+.Fa ca
+argument and checks that all the extensions of the
+.Fa certificate
+can be parsed and pass minimal sanity checks, in particular that
+extensions that must not occur more than once do not.
+It also makes sure that all extensions are cached in the
+.Vt X509
+object.
+.Pp
+If the
+.Fa purpose
+argument is not \-1 and the
 .Fa ca
 flag is 0,
 .Fn X509_check_purpose
-checks whether the public key contained in the
+additionally checks whether the public key contained in the
 .Fa certificate
 is intended to be used for the given
 .Fa purpose ,
@@ -205,10 +221,12 @@ bits is set, and no other bits are set.
 .El
 .Pp
 If the
+.Fa purpose
+argument is not \-1 and the
 .Fa ca
 flag is non-zero,
 .Fn X509_check_purpose
-instead checks whether the
+instead checks, in addition to the minimal sanity checks, whether the
 .Fa certificate
 can be used as a certificate authority certificate
 in the context of the given
@@ -334,14 +352,6 @@ The check even succeeds if the three other common conditions
 cited above this list are violated.
 .El
 .Pp
-If parsing of any extensions that are present succeeds and the
-.Fa purpose
-argument is \-1,
-.Fn X509_check_purpose
-always succeeds, no matter whether or not the
-.Fa ca
-flag is set.
-.Pp
 If the function
 .Xr X509_PURPOSE_add 3
 was called before
@@ -352,22 +362,28 @@ installed additional, user-supplied checking functions for user-defined
 .Fa purpose
 identifiers not listed above.
 .Sh RETURN VALUES
+If parsing of certificate extensions or sanity checks fail or the
+.Fa purpose
+is invalid,
 .Fn X509_check_purpose
-returns the following values:
+returns \-1 to indicate the error.
-.Bl -column -1 Failure -compact
+.Pp
-.It \-1 Ta Error Ta Parsing of certificate extensions failed or the
+If the
 .Fa purpose
-is invalid.
+argument is \-1 and parsing and minimal sanity checks succeed,
-.It 0 Ta Failure Ta The
+.Fn X509_check_purpose
-.Fa certificate
+returns 1 to indicate success.
-cannot be used for the
+.Pp
-.Fa purpose .
+Otherwise, it returns the following values:
-.El
 .Pp
 If
 .Fa ca
-is 0, the following values can also be returned:
+is 0:
 .Bl -column -1 Failure -compact
+.It 0 Ta Failure Ta The
+.Fa certificate
+cannot be used for the
+.Fa purpose .
 .It 1 Ta Success Ta The
 .Fa certificate
 can be used for the
@@ -377,8 +393,12 @@ can be used for the
 .Pp
 If
 .Fa ca
-is non-zero, the following values can also be returned:
+is non-zero:
 .Bl -column -1 Failure -compact
+.It 0 Ta Failure Ta The
+.Fa certificate
+cannot be used as a CA for the
+.Fa purpose .
 .It 1 Ta Success Ta The
 .Fa certificate
 can be used as a CA for the
author	tb <>	2022-12-16 18:02:28 +0000
committer	tb <>	2022-12-16 18:02:28 +0000
commit	68cfe389d0ebb0d9cc9db2fd372db328d5499e1c (patch)
tree	be7accd18799416ed9e1926d2191a1151d7cad78 /src
parent	e3c1dbeb9eb2028277ed68307ae16673ebabae9b (diff)
download	openbsd-68cfe389d0ebb0d9cc9db2fd372db328d5499e1c.tar.gz openbsd-68cfe389d0ebb0d9cc9db2fd372db328d5499e1c.tar.bz2 openbsd-68cfe389d0ebb0d9cc9db2fd372db328d5499e1c.zip

diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3 index e0737251eb..ff5ab592b0 100644 --- a/src/lib/libcrypto/man/X509_check_purpose.3 +++ b/src/lib/libcrypto/man/X509_check_purpose.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_check_purpose.3,v 1.7 2021/10/29 14:29:24 schwarze Exp $	1	.\" $OpenBSD: X509_check_purpose.3,v 1.8 2022/12/16 18:02:28 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: October 29 2021 $	17	.Dd $Mdocdate: December 16 2022 $
18	.Dt X509_CHECK_PURPOSE 3	18	.Dt X509_CHECK_PURPOSE 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -30,10 +30,26 @@
30	.Fc	30	.Fc
31	.Sh DESCRIPTION	31	.Sh DESCRIPTION
32	If the	32	If the
		33	.Fa purpose
		34	argument is \-1,
		35	.Fn X509_check_purpose
		36	ignores the
		37	.Fa ca
		38	argument and checks that all the extensions of the
		39	.Fa certificate
		40	can be parsed and pass minimal sanity checks, in particular that
		41	extensions that must not occur more than once do not.
		42	It also makes sure that all extensions are cached in the
		43	.Vt X509
		44	object.
		45	.Pp
		46	If the
		47	.Fa purpose
		48	argument is not \-1 and the
33	.Fa ca	49	.Fa ca
34	flag is 0,	50	flag is 0,
35	.Fn X509_check_purpose	51	.Fn X509_check_purpose
36	checks whether the public key contained in the	52	additionally checks whether the public key contained in the
37	.Fa certificate	53	.Fa certificate
38	is intended to be used for the given	54	is intended to be used for the given
39	.Fa purpose ,	55	.Fa purpose ,
@@ -205,10 +221,12 @@ bits is set, and no other bits are set.
205	.El	221	.El
206	.Pp	222	.Pp
207	If the	223	If the
		224	.Fa purpose
		225	argument is not \-1 and the
208	.Fa ca	226	.Fa ca
209	flag is non-zero,	227	flag is non-zero,
210	.Fn X509_check_purpose	228	.Fn X509_check_purpose
211	instead checks whether the	229	instead checks, in addition to the minimal sanity checks, whether the
212	.Fa certificate	230	.Fa certificate
213	can be used as a certificate authority certificate	231	can be used as a certificate authority certificate
214	in the context of the given	232	in the context of the given
@@ -334,14 +352,6 @@ The check even succeeds if the three other common conditions
334	cited above this list are violated.	352	cited above this list are violated.
335	.El	353	.El
336	.Pp	354	.Pp
337	If parsing of any extensions that are present succeeds and the
338	.Fa purpose
339	argument is \-1,
340	.Fn X509_check_purpose
341	always succeeds, no matter whether or not the
342	.Fa ca
343	flag is set.
344	.Pp
345	If the function	355	If the function
346	.Xr X509_PURPOSE_add 3	356	.Xr X509_PURPOSE_add 3
347	was called before	357	was called before
@@ -352,22 +362,28 @@ installed additional, user-supplied checking functions for user-defined
352	.Fa purpose	362	.Fa purpose
353	identifiers not listed above.	363	identifiers not listed above.
354	.Sh RETURN VALUES	364	.Sh RETURN VALUES
		365	If parsing of certificate extensions or sanity checks fail or the
		366	.Fa purpose
		367	is invalid,
355	.Fn X509_check_purpose	368	.Fn X509_check_purpose
356	returns the following values:	369	returns \-1 to indicate the error.
357	.Bl -column -1 Failure -compact	370	.Pp
358	.It \-1 Ta Error Ta Parsing of certificate extensions failed or the	371	If the
359	.Fa purpose	372	.Fa purpose
360	is invalid.	373	argument is \-1 and parsing and minimal sanity checks succeed,
361	.It 0 Ta Failure Ta The	374	.Fn X509_check_purpose
362	.Fa certificate	375	returns 1 to indicate success.
363	cannot be used for the	376	.Pp
364	.Fa purpose .	377	Otherwise, it returns the following values:
365	.El
366	.Pp	378	.Pp
367	If	379	If
368	.Fa ca	380	.Fa ca
369	is 0, the following values can also be returned:	381	is 0:
370	.Bl -column -1 Failure -compact	382	.Bl -column -1 Failure -compact
		383	.It 0 Ta Failure Ta The
		384	.Fa certificate
		385	cannot be used for the
		386	.Fa purpose .
371	.It 1 Ta Success Ta The	387	.It 1 Ta Success Ta The
372	.Fa certificate	388	.Fa certificate
373	can be used for the	389	can be used for the
@@ -377,8 +393,12 @@ can be used for the
377	.Pp	393	.Pp
378	If	394	If
379	.Fa ca	395	.Fa ca
380	is non-zero, the following values can also be returned:	396	is non-zero:
381	.Bl -column -1 Failure -compact	397	.Bl -column -1 Failure -compact
		398	.It 0 Ta Failure Ta The
		399	.Fa certificate
		400	cannot be used as a CA for the
		401	.Fa purpose .
382	.It 1 Ta Success Ta The	402	.It 1 Ta Success Ta The
383	.Fa certificate	403	.Fa certificate
384	can be used as a CA for the	404	can be used as a CA for the