Document X509v3_{addr,asid}_validate_{path,resource_set}(3)

These were the last four RFC 3779 things that check_complete.pl x509v3 complained about. I will surely tweak and try to improve a few things in the coming days, but the pages should now be stable enough that review efforts will likely not be wasted. Any feedback appreciated.
author: tb <> 2023-09-29 08:57:49 +0000
committer: tb <> 2023-09-29 08:57:49 +0000
commit: 748670f0a586443321b54a6e511fef277ae0d07f (patch)
tree: 829c3398edd47a208c282b5783404c084f76787c /src
parent: a13dfa624381df2e77f5ca31d1187e39a82f9196 (diff)
download: openbsd-748670f0a586443321b54a6e511fef277ae0d07f.tar.gz
openbsd-748670f0a586443321b54a6e511fef277ae0d07f.tar.bz2
openbsd-748670f0a586443321b54a6e511fef277ae0d07f.zip
6 files changed, 217 insertions, 10 deletions
diff --git a/src/lib/libcrypto/man/ASIdentifiers_new.3 b/src/lib/libcrypto/man/ASIdentifiers_new.3
index ae5795c9a3..c67a7c3f17 100644
--- a/src/lib/libcrypto/man/ASIdentifiers_new.3
+++ b/src/lib/libcrypto/man/ASIdentifiers_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASIdentifiers_new.3,v 1.8 2023/09/28 12:35:31 tb Exp $
+.\" $OpenBSD: ASIdentifiers_new.3,v 1.9 2023/09/29 08:57:49 tb Exp $
 .\"
 .\" Copyright (c) 2021 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 28 2023 $
+.Dd $Mdocdate: September 29 2023 $
 .Dt ASIDENTIFIERS_NEW 3
 .Os
 .Sh NAME
@@ -116,6 +116,7 @@ or a value <= 0 if an error occurs.
 .Xr X509v3_addr_get_range 3 ,
 .Xr X509v3_addr_inherits 3 ,
 .Xr X509v3_addr_subset 3 ,
+.Xr X509v3_addr_validate_path 3 ,
 .Xr X509v3_asid_add_id_or_range 3
 .Sh STANDARDS
 RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index e6a97f3004..f42e9327ae 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.275 2023/09/28 12:35:31 tb Exp $
+# $OpenBSD: Makefile,v 1.276 2023/09/29 08:57:49 tb Exp $
 .include <bsd.own.mk>
@@ -396,6 +396,7 @@ MAN=	\
        X509v3_addr_get_range.3 \
        X509v3_addr_inherits.3 \
        X509v3_addr_subset.3 \
+        X509v3_addr_validate_path.3 \
        X509v3_asid_add_id_or_range.3 \
        X509v3_asid_add_id_or_range.3 \
        X509v3_get_ext_by_NID.3 \
diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3
index a669bf0608..3e7fb0a79f 100644
--- a/src/lib/libcrypto/man/X509_new.3
+++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_new.3,v 1.42 2023/09/28 12:35:31 tb Exp $
+.\" $OpenBSD: X509_new.3,v 1.43 2023/09/29 08:57:49 tb Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 28 2023 $
+.Dd $Mdocdate: September 29 2023 $
 .Dt X509_NEW 3
 .Os
 .Sh NAME
@@ -246,6 +246,7 @@ if an error occurs.
 .Xr X509v3_addr_get_range 3 ,
 .Xr X509v3_addr_inherits 3 ,
 .Xr X509v3_addr_subset 3 ,
+.Xr X509v3_addr_validate_path 3 ,
 .Xr X509v3_asid_add_id_or_range 3
 .Sh STANDARDS
 RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
diff --git a/src/lib/libcrypto/man/X509v3_addr_add_inherit.3 b/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
index 81e73f76e5..bdfb5c757d 100644
--- a/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
+++ b/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.6 2023/09/28 12:35:31 tb Exp $
+.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.7 2023/09/29 08:57:49 tb Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 28 2023 $
+.Dd $Mdocdate: September 29 2023 $
 .Dt X509V3_ADDR_ADD_INHERIT 3
 .Os
 .Sh NAME
@@ -400,6 +400,7 @@ is desired.
 .Xr IPAddressRange_new 3 ,
 .Xr X509_new 3 ,
 .Xr X509v3_addr_get_range 3 ,
+.Xr X509v3_addr_validate_path 3 ,
 .Xr X509v3_asid_add_id_or_range 3
 .Sh STANDARDS
 RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
diff --git a/src/lib/libcrypto/man/X509v3_addr_validate_path.3 b/src/lib/libcrypto/man/X509v3_addr_validate_path.3
new file mode 100644
index 0000000000..1315e2013e
--- /dev/null
+++ b/src/lib/libcrypto/man/X509v3_addr_validate_path.3
@@ -0,0 +1,202 @@
+.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.1 2023/09/29 08:57:49 tb Exp $
+.\"
+.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: September 29 2023 $
+.Dt X509V3_ADDR_VALIDATE_PATH 3
+.Os
+.Sh NAME
+.Nm X509v3_addr_validate_path ,
+.Nm X509v3_addr_validate_resource_set ,
+.Nm X509v3_asid_validate_path ,
+.Nm X509v3_asid_validate_resource_set
+.Nd RFC 3779 path validation for IP address and AS number delegation
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft int
+.Fn X509v3_addr_validate_path "X509_STORE_CTX *ctx"
+.Ft int
+.Fo X509v3_addr_validate_resource_set
+.Fa "STACK_OF(X509) *chain"
+.Fa "IPAddrBlocks *addrblocks"
+.Fa "int allow_inheritance"
+.Fc
+.Ft int
+.Fn X509v3_asid_validate_path "X509_STORE_CTX *ctx"
+.Ft int
+.Fo X509v3_asid_validate_resource_set
+.Fa "STACK_OF(X509) *chain"
+.Fa "ASIdentifiers *asid"
+.Fa "int allow_inheritance"
+.Fc
+.Sh DESCRIPTION
+Both RFC 3779 extensions require additional checking in the certification
+path validation.
+.Bl -enum
+.It
+The initial set of allowed IP address and AS number resources is defined in
+the trust anchor; inheritance is not allowed in the trust anchor.
+.It
+All IP address delegation or AS number delegation extensions
+must be in canonical form according to
+.Xr X509v3_addr_is_canonical 3
+and
+.Xr X509v3_asid_is_canonical 3 .
+.It
+If the IP address delegation extension is present in a certificate,
+it must also be present in its issuer.
+Similarly for AS identifiers.
+.It
+An issuer may only delegate resources present in its
+RFC 3779 extensions.
+.El
+.Pp
+.Fn X509v3_addr_validate_path
+and
+.Fn X509v3_asid_validate_path
+are called from
+.Xr X509_verify_cert 3
+as part of the verification chain building.
+On encountering an error or a violation of the above rules,
+.Fa error ,
+.Fa error_depth ,
+and
+.Fa current_cert
+are set on
+.Fa ctx
+and the verify callback is called with
+.Fa ok
+set to 0.
+.Dv X509_V_ERR_INVALID_EXTENSION
+indicates a non-canonical resource,
+.Dv X509_V_ERR_UNNESTED_RESOURCE
+indicates a violation of the other rules above.
+In rare circumstances, the error can be
+.Dv X509_V_ERR_UNSPECIFIED
+and for IP address resources
+.Dv X509_V_ERR_OUT_OF_MEM
+is also possible.
+.Pp
+.Fn X509v3_addr_validate_resource_set
+validates the resources in
+.Fa addrblocks
+against a specific certificate
+.Fa chain .
+After checking that
+.Fa addrblocks
+is canonical, its IP addresses are checked to be covered in
+the certificate at depth 0,
+then the chain is walked all the way to the trust anchor
+until an error or a violation of the above rules is encountered.
+.Fa addrblocks
+is allowed to use inheritance according to
+.Xr X509v3_addr_inherits 3
+if and only if
+.Fa allow_inherit
+is non-zero.
+.Pp
+.Fn X509v3_asid_validate_resource_set
+performs similar checks as
+.Fn X509v3_addr_validate_resource_set
+for
+.Fa asid .
+.Sh RETURN VALUES
+All these functions return 1 on successful validation and 0 otherwise.
+.Pa
+For
+.Fn X509v3_addr_validate_path
+and
+.Fn X509v3_asid_validate_path
+a non-empty
+.Fa chain
+and a
+.Fa verify_cb
+must be present on
+.Fa ctx ,
+otherwise they fail and set the
+.Fa error
+on
+.Fa ctx
+to
+.Dv X509_V_ERR_UNSPECIFIED .
+The
+.Fa verify_cb
+is called with the error codes described above
+on most errors encountered during validation.
+Some malformed extensions can lead to an error
+that cannot be intercepted by the callback.
+With the exception of an allocation error,
+no error codes are set on the error stack.
+.Pp
+.Fn X509v3_addr_validate_resource_set
+and
+.Fn X509v3_asid_validate_resource_set
+accept a
+.Dv NULL
+.Fa addrblocks
+or
+.Fa asid
+as valid.
+They fail if
+.Fa chain
+is
+.Dv NULL
+or empty.
+If
+.Fa allow_inheritance
+is 0 ,
+.Fa addrblocks
+or
+.Fa asid
+is checked for inheritance with
+.Xr X509v3_addr_inherits 3
+or
+.Xr X509v3_asid_inherits 3 .
+The remaining failure cases are the same as for
+.Fn X509v3_addr_validate_path
+and
+.Fn X509v3_asid_validate_path .
+They cannot and do not attempt to communicate
+the cause of the error to the caller.
+.Sh SEE ALSO
+.Xr ASIdentifiers_new 3 ,
+.Xr crypto 3 ,
+.Xr IPAddressRange_new 3 ,
+.Xr X509_new 3 ,
+.Xr X509_STORE_CTX_get_error 3 ,
+.Xr X509_verify_cert 3 ,
+.Xr X509v3_addr_add_inherit 3 ,
+.Xr X509v3_addr_inherits 3 ,
+.Xr X509v3_asid_add_id_or_range 3
+.Sh STANDARDS
+RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
+.Bl -dash -compact
+.It
+section 2.3: IP Address Delegation Extension Certification Path Validation
+.It
+section 3.3: Autonomous System Identifier Delegation Extension Certification
+Path Validation
+.El
+.Pp
+RFC 5280: Internet X.509 Public Key Infrastructure Certificate
+and Certificate Revocation List (CRL) Profile
+.Bl -dash -compact
+.It
+section 6: Certification Path Validation
+.El
+.Sh HISTORY
+These functions first appeared in OpenSSL 0.9.8e
+and have been available since
+.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
index 1b42a449e1..f6b1c0347f 100644
--- a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
+++ b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.6 2023/09/28 12:35:31 tb Exp $
+.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.7 2023/09/29 08:57:49 tb Exp $
 .\"
 .\" Copyright (c) 2021-2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 28 2023 $
+.Dd $Mdocdate: September 29 2023 $
 .Dt X509V3_ASID_ADD_ID_OR_RANGE 3
 .Os
 .Sh NAME
@@ -242,7 +242,8 @@ failure.
 .Xr crypto 3 ,
 .Xr s2i_ASN1_INTEGER 3 ,
 .Xr X509_new 3 ,
-.Xr X509v3_addr_add_inherit 3
+.Xr X509v3_addr_add_inherit 3 ,
+.Xr X509v3_addr_validate_path 3
 .Sh STANDARDS
 RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers,
 .Bl -dash -compact
author	tb <>	2023-09-29 08:57:49 +0000
committer	tb <>	2023-09-29 08:57:49 +0000
commit	748670f0a586443321b54a6e511fef277ae0d07f (patch)
tree	829c3398edd47a208c282b5783404c084f76787c /src
parent	a13dfa624381df2e77f5ca31d1187e39a82f9196 (diff)
download	openbsd-748670f0a586443321b54a6e511fef277ae0d07f.tar.gz openbsd-748670f0a586443321b54a6e511fef277ae0d07f.tar.bz2 openbsd-748670f0a586443321b54a6e511fef277ae0d07f.zip

diff --git a/src/lib/libcrypto/man/ASIdentifiers_new.3 b/src/lib/libcrypto/man/ASIdentifiers_new.3 index ae5795c9a3..c67a7c3f17 100644 --- a/src/lib/libcrypto/man/ASIdentifiers_new.3 +++ b/src/lib/libcrypto/man/ASIdentifiers_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ASIdentifiers_new.3,v 1.8 2023/09/28 12:35:31 tb Exp $	1	.\" $OpenBSD: ASIdentifiers_new.3,v 1.9 2023/09/29 08:57:49 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2021 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2021 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: September 28 2023 $	17	.Dd $Mdocdate: September 29 2023 $
18	.Dt ASIDENTIFIERS_NEW 3	18	.Dt ASIDENTIFIERS_NEW 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -116,6 +116,7 @@ or a value <= 0 if an error occurs.
116	.Xr X509v3_addr_get_range 3 ,	116	.Xr X509v3_addr_get_range 3 ,
117	.Xr X509v3_addr_inherits 3 ,	117	.Xr X509v3_addr_inherits 3 ,
118	.Xr X509v3_addr_subset 3 ,	118	.Xr X509v3_addr_subset 3 ,
		119	.Xr X509v3_addr_validate_path 3 ,
119	.Xr X509v3_asid_add_id_or_range 3	120	.Xr X509v3_asid_add_id_or_range 3
120	.Sh STANDARDS	121	.Sh STANDARDS
121	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:	122	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:


diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile index e6a97f3004..f42e9327ae 100644 --- a/src/lib/libcrypto/man/Makefile +++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.275 2023/09/28 12:35:31 tb Exp $	1	# $OpenBSD: Makefile,v 1.276 2023/09/29 08:57:49 tb Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4		4
@@ -396,6 +396,7 @@ MAN= \
396	X509v3_addr_get_range.3 \	396	X509v3_addr_get_range.3 \
397	X509v3_addr_inherits.3 \	397	X509v3_addr_inherits.3 \
398	X509v3_addr_subset.3 \	398	X509v3_addr_subset.3 \
		399	X509v3_addr_validate_path.3 \
399	X509v3_asid_add_id_or_range.3 \	400	X509v3_asid_add_id_or_range.3 \
400	X509v3_asid_add_id_or_range.3 \	401	X509v3_asid_add_id_or_range.3 \
401	X509v3_get_ext_by_NID.3 \	402	X509v3_get_ext_by_NID.3 \


diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3 index a669bf0608..3e7fb0a79f 100644 --- a/src/lib/libcrypto/man/X509_new.3 +++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_new.3,v 1.42 2023/09/28 12:35:31 tb Exp $	1	.\" $OpenBSD: X509_new.3,v 1.43 2023/09/29 08:57:49 tb Exp $
2	.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400	2	.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
3	.\"	3	.\"
4	.\" This file is a derived work.	4	.\" This file is a derived work.
@@ -66,7 +66,7 @@
66	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	66	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
67	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	67	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
68	.\"	68	.\"
69	.Dd $Mdocdate: September 28 2023 $	69	.Dd $Mdocdate: September 29 2023 $
70	.Dt X509_NEW 3	70	.Dt X509_NEW 3
71	.Os	71	.Os
72	.Sh NAME	72	.Sh NAME
@@ -246,6 +246,7 @@ if an error occurs.
246	.Xr X509v3_addr_get_range 3 ,	246	.Xr X509v3_addr_get_range 3 ,
247	.Xr X509v3_addr_inherits 3 ,	247	.Xr X509v3_addr_inherits 3 ,
248	.Xr X509v3_addr_subset 3 ,	248	.Xr X509v3_addr_subset 3 ,
		249	.Xr X509v3_addr_validate_path 3 ,
249	.Xr X509v3_asid_add_id_or_range 3	250	.Xr X509v3_asid_add_id_or_range 3
250	.Sh STANDARDS	251	.Sh STANDARDS
251	RFC 5280: Internet X.509 Public Key Infrastructure Certificate and	252	RFC 5280: Internet X.509 Public Key Infrastructure Certificate and


diff --git a/src/lib/libcrypto/man/X509v3_addr_add_inherit.3 b/src/lib/libcrypto/man/X509v3_addr_add_inherit.3 index 81e73f76e5..bdfb5c757d 100644 --- a/src/lib/libcrypto/man/X509v3_addr_add_inherit.3 +++ b/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.6 2023/09/28 12:35:31 tb Exp $	1	.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.7 2023/09/29 08:57:49 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: September 28 2023 $	17	.Dd $Mdocdate: September 29 2023 $
18	.Dt X509V3_ADDR_ADD_INHERIT 3	18	.Dt X509V3_ADDR_ADD_INHERIT 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -400,6 +400,7 @@ is desired.
400	.Xr IPAddressRange_new 3 ,	400	.Xr IPAddressRange_new 3 ,
401	.Xr X509_new 3 ,	401	.Xr X509_new 3 ,
402	.Xr X509v3_addr_get_range 3 ,	402	.Xr X509v3_addr_get_range 3 ,
		403	.Xr X509v3_addr_validate_path 3 ,
403	.Xr X509v3_asid_add_id_or_range 3	404	.Xr X509v3_asid_add_id_or_range 3
404	.Sh STANDARDS	405	.Sh STANDARDS
405	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:	406	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:


diff --git a/src/lib/libcrypto/man/X509v3_addr_validate_path.3 b/src/lib/libcrypto/man/X509v3_addr_validate_path.3 new file mode 100644 index 0000000000..1315e2013e --- /dev/null +++ b/src/lib/libcrypto/man/X509v3_addr_validate_path.3
@@ -0,0 +1,202 @@
		1	.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.1 2023/09/29 08:57:49 tb Exp $
		2	.\"
		3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
		4	.\"
		5	.\" Permission to use, copy, modify, and distribute this software for any
		6	.\" purpose with or without fee is hereby granted, provided that the above
		7	.\" copyright notice and this permission notice appear in all copies.
		8	.\"
		9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		16	.\"
		17	.Dd $Mdocdate: September 29 2023 $
		18	.Dt X509V3_ADDR_VALIDATE_PATH 3
		19	.Os
		20	.Sh NAME
		21	.Nm X509v3_addr_validate_path ,
		22	.Nm X509v3_addr_validate_resource_set ,
		23	.Nm X509v3_asid_validate_path ,
		24	.Nm X509v3_asid_validate_resource_set
		25	.Nd RFC 3779 path validation for IP address and AS number delegation
		26	.Sh SYNOPSIS
		27	.In openssl/x509v3.h
		28	.Ft int
		29	.Fn X509v3_addr_validate_path "X509_STORE_CTX *ctx"
		30	.Ft int
		31	.Fo X509v3_addr_validate_resource_set
		32	.Fa "STACK_OF(X509) *chain"
		33	.Fa "IPAddrBlocks *addrblocks"
		34	.Fa "int allow_inheritance"
		35	.Fc
		36	.Ft int
		37	.Fn X509v3_asid_validate_path "X509_STORE_CTX *ctx"
		38	.Ft int
		39	.Fo X509v3_asid_validate_resource_set
		40	.Fa "STACK_OF(X509) *chain"
		41	.Fa "ASIdentifiers *asid"
		42	.Fa "int allow_inheritance"
		43	.Fc
		44	.Sh DESCRIPTION
		45	Both RFC 3779 extensions require additional checking in the certification
		46	path validation.
		47	.Bl -enum
		48	.It
		49	The initial set of allowed IP address and AS number resources is defined in
		50	the trust anchor; inheritance is not allowed in the trust anchor.
		51	.It
		52	All IP address delegation or AS number delegation extensions
		53	must be in canonical form according to
		54	.Xr X509v3_addr_is_canonical 3
		55	and
		56	.Xr X509v3_asid_is_canonical 3 .
		57	.It
		58	If the IP address delegation extension is present in a certificate,
		59	it must also be present in its issuer.
		60	Similarly for AS identifiers.
		61	.It
		62	An issuer may only delegate resources present in its
		63	RFC 3779 extensions.
		64	.El
		65	.Pp
		66	.Fn X509v3_addr_validate_path
		67	and
		68	.Fn X509v3_asid_validate_path
		69	are called from
		70	.Xr X509_verify_cert 3
		71	as part of the verification chain building.
		72	On encountering an error or a violation of the above rules,
		73	.Fa error ,
		74	.Fa error_depth ,
		75	and
		76	.Fa current_cert
		77	are set on
		78	.Fa ctx
		79	and the verify callback is called with
		80	.Fa ok
		81	set to 0.
		82	.Dv X509_V_ERR_INVALID_EXTENSION
		83	indicates a non-canonical resource,
		84	.Dv X509_V_ERR_UNNESTED_RESOURCE
		85	indicates a violation of the other rules above.
		86	In rare circumstances, the error can be
		87	.Dv X509_V_ERR_UNSPECIFIED
		88	and for IP address resources
		89	.Dv X509_V_ERR_OUT_OF_MEM
		90	is also possible.
		91	.Pp
		92	.Fn X509v3_addr_validate_resource_set
		93	validates the resources in
		94	.Fa addrblocks
		95	against a specific certificate
		96	.Fa chain .
		97	After checking that
		98	.Fa addrblocks
		99	is canonical, its IP addresses are checked to be covered in
		100	the certificate at depth 0,
		101	then the chain is walked all the way to the trust anchor
		102	until an error or a violation of the above rules is encountered.
		103	.Fa addrblocks
		104	is allowed to use inheritance according to
		105	.Xr X509v3_addr_inherits 3
		106	if and only if
		107	.Fa allow_inherit
		108	is non-zero.
		109	.Pp
		110	.Fn X509v3_asid_validate_resource_set
		111	performs similar checks as
		112	.Fn X509v3_addr_validate_resource_set
		113	for
		114	.Fa asid .
		115	.Sh RETURN VALUES
		116	All these functions return 1 on successful validation and 0 otherwise.
		117	.Pa
		118	For
		119	.Fn X509v3_addr_validate_path
		120	and
		121	.Fn X509v3_asid_validate_path
		122	a non-empty
		123	.Fa chain
		124	and a
		125	.Fa verify_cb
		126	must be present on
		127	.Fa ctx ,
		128	otherwise they fail and set the
		129	.Fa error
		130	on
		131	.Fa ctx
		132	to
		133	.Dv X509_V_ERR_UNSPECIFIED .
		134	The
		135	.Fa verify_cb
		136	is called with the error codes described above
		137	on most errors encountered during validation.
		138	Some malformed extensions can lead to an error
		139	that cannot be intercepted by the callback.
		140	With the exception of an allocation error,
		141	no error codes are set on the error stack.
		142	.Pp
		143	.Fn X509v3_addr_validate_resource_set
		144	and
		145	.Fn X509v3_asid_validate_resource_set
		146	accept a
		147	.Dv NULL
		148	.Fa addrblocks
		149	or
		150	.Fa asid
		151	as valid.
		152	They fail if
		153	.Fa chain
		154	is
		155	.Dv NULL
		156	or empty.
		157	If
		158	.Fa allow_inheritance
		159	is 0 ,
		160	.Fa addrblocks
		161	or
		162	.Fa asid
		163	is checked for inheritance with
		164	.Xr X509v3_addr_inherits 3
		165	or
		166	.Xr X509v3_asid_inherits 3 .
		167	The remaining failure cases are the same as for
		168	.Fn X509v3_addr_validate_path
		169	and
		170	.Fn X509v3_asid_validate_path .
		171	They cannot and do not attempt to communicate
		172	the cause of the error to the caller.
		173	.Sh SEE ALSO
		174	.Xr ASIdentifiers_new 3 ,
		175	.Xr crypto 3 ,
		176	.Xr IPAddressRange_new 3 ,
		177	.Xr X509_new 3 ,
		178	.Xr X509_STORE_CTX_get_error 3 ,
		179	.Xr X509_verify_cert 3 ,
		180	.Xr X509v3_addr_add_inherit 3 ,
		181	.Xr X509v3_addr_inherits 3 ,
		182	.Xr X509v3_asid_add_id_or_range 3
		183	.Sh STANDARDS
		184	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
		185	.Bl -dash -compact
		186	.It
		187	section 2.3: IP Address Delegation Extension Certification Path Validation
		188	.It
		189	section 3.3: Autonomous System Identifier Delegation Extension Certification
		190	Path Validation
		191	.El
		192	.Pp
		193	RFC 5280: Internet X.509 Public Key Infrastructure Certificate
		194	and Certificate Revocation List (CRL) Profile
		195	.Bl -dash -compact
		196	.It
		197	section 6: Certification Path Validation
		198	.El
		199	.Sh HISTORY
		200	These functions first appeared in OpenSSL 0.9.8e
		201	and have been available since
		202	.Ox 7.1 .


diff --git a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 index 1b42a449e1..f6b1c0347f 100644 --- a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 +++ b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.6 2023/09/28 12:35:31 tb Exp $	1	.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.7 2023/09/29 08:57:49 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2021-2023 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2021-2023 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: September 28 2023 $	17	.Dd $Mdocdate: September 29 2023 $
18	.Dt X509V3_ASID_ADD_ID_OR_RANGE 3	18	.Dt X509V3_ASID_ADD_ID_OR_RANGE 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -242,7 +242,8 @@ failure.
242	.Xr crypto 3 ,	242	.Xr crypto 3 ,
243	.Xr s2i_ASN1_INTEGER 3 ,	243	.Xr s2i_ASN1_INTEGER 3 ,
244	.Xr X509_new 3 ,	244	.Xr X509_new 3 ,
245	.Xr X509v3_addr_add_inherit 3	245	.Xr X509v3_addr_add_inherit 3 ,
		246	.Xr X509v3_addr_validate_path 3
246	.Sh STANDARDS	247	.Sh STANDARDS
247	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers,	248	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers,
248	.Bl -dash -compact	249	.Bl -dash -compact