Add initial man page for new x509_verify chain validator

This may be changed substantially before we enable the public api, as discussions are still happening over it's final form, however after one pass by ingo he would rather this was here and it can be adjusted in tree, but not installed by the makefile until we make this visible ok schwarze@
author: beck <> 2020-09-14 12:38:38 +0000
committer: beck <> 2020-09-14 12:38:38 +0000
commit: cb79cb98f476fac4eb40ee7a72ea8b4eade33e1c (patch)
tree: 906a960fdc65d47a04d679fdd65ad412f2bd27dd /src
parent: 0d65d2118b0232bebdc91dae5db25ff9bceb06c1 (diff)
download: openbsd-cb79cb98f476fac4eb40ee7a72ea8b4eade33e1c.tar.gz
openbsd-cb79cb98f476fac4eb40ee7a72ea8b4eade33e1c.tar.bz2
openbsd-cb79cb98f476fac4eb40ee7a72ea8b4eade33e1c.zip
1 files changed, 225 insertions, 0 deletions
diff --git a/src/lib/libcrypto/man/x509_verify.3 b/src/lib/libcrypto/man/x509_verify.3
new file mode 100644
index 0000000000..78ec0536d2
--- /dev/null
+++ b/src/lib/libcrypto/man/x509_verify.3
@@ -0,0 +1,225 @@
+.\" $OpenBSD: x509_verify.3,v 1.1 2020/09/14 12:38:38 beck Exp $
+.\"
+.\" Copyright (c) 2020 Bob Beck <beck@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: September 14 2020 $
+.Dt X509_VERIFY 3
+.Os
+.Sh NAME
+.Nm x509_verify ,
+.Nm x509_verify_ctx_new ,
+.Nm x509_verify_ctx_free ,
+.Nm x509_verify_ctx_set_max_depth ,
+.Nm x509_verify_ctx_set_max_signatures ,
+.Nm x509_verify_ctx_set_max_chains ,
+.Nm x509_verify_ctx_set_purpose ,
+.Nm x509_verify_ctx_set_intermediates ,
+.Nm x509_verify_ctx_error_string ,
+.Nm x509_verify_ctx_error_depth ,
+.Nm x509_verify_ctx_chain
+.Nd discover and verify X.509 certificate chains
+.Sh SYNOPSIS
+.In openssl/x509_verify.h
+.Ft size_t
+.Fo x509_verify
+.Fa "X509_VERIFY_CTX *ctx"
+.Fa "X509 *leaf"
+.Fa "char *name"
+.Fc
+.Ft X509_VERIFY_CTX *
+.Fo x509_verify_ctx_new
+.Fa "STACK_OF(X509) *roots"
+.Fc
+.Ft void
+.Fo x509_verify_ctx_free
+.Fa "X509_VERIFY_CTX *ctx"
+.Fc
+.Ft int
+.Fo x509_verify_ctx_set_max_depth
+.Fa "X509_VERIFY_CTX *ctx"
+.Fa "size_t max"
+.Fc
+.Ft int
+.Fo x509_verify_ctx_set_max_signatures
+.Fa "X509_VERIFY_CTX *ctx"
+.Fa "size_t max"
+.Fc
+.Ft int
+.Fo x509_verify_ctx_set_max_chains
+.Fa "X509_VERIFY_CTX *ctx"
+.Fa "size_t max"
+.Fc
+.Ft int
+.Fo x509_verify_ctx_set_purpose
+.Fa "X509_VERIFY_CTX *ctx"
+.Fa "int purpose_id"
+.Fc
+.Ft int
+.Fo x509_verify_ctx_set_intermediates
+.Fa "X509_VERIFY_CTX *ctx"
+.Fa "STACK_OF(X509) *intermediates"
+.Fc
+.Ft const char *
+.Fo x509_verify_ctx_error_string
+.Fa "X509_VERIFY_CTX *ctx"
+.Fc
+.Ft size_t
+.Fo x509_verify_ctx_error_depth
+.Fa "X509_VERIFY_CTX *ctx"
+.Fc
+.Ft STACK_OF(X509) *
+.Fo x509_verify_ctx_chain
+.Fa "X509_VERIFY_CTX *ctx"
+.Fa "size_t index"
+.Fc
+.Sh DESCRIPTION
+The
+.Fn x509_verify
+function attempts to discover and validate all certificate chains
+for the
+.Fa name
+from the
+.Fa leaf
+certificate based on the parameters in
+.Fa ctx .
+Multiple chains may be built and validated.
+Revocation checking is not done by this function, and should be
+performed by the caller on any returned chains if so desired.
+.Pp
+.Fn x509_verify_ctx_new
+allocates a new context using the trusted
+.Fa roots .
+In case of success, it increments the reference count of
+.Fa roots .
+.Pp
+.Fn x509_verify_ctx_free
+frees
+.Fa ctx
+and decrements the reference count of the
+.Fa roots
+and
+.Fa intermediates
+associated with it.
+If
+.Fa ctx
+is
+.Dv NULL ,
+no action occurs.
+.Pp
+.Fn x509_verify_ctx_set_max_depth
+sets the maximum depth of certificate chains that will be constructed to
+.Fa max ,
+which can be in the range from 1 to the default of 32.
+.Pp
+.Fn x509_verify_ctx_set_max_signatures
+sets the maximum number of public key signature operations that will be
+used when verifying certificate chains to
+.Fa max ,
+which can be in the range from 1 to 100000.
+The default is 256.
+.Pp
+.Fn x509_verify_ctx_set_max_chains
+sets the maximum number of chains which may be returned to
+.Fa max ,
+which can be in the range from 1 to the default of 8.
+.Pp
+.Fn x509_verify_ctx_set_purpose
+sets the certificate purpose for validation to
+.Fa purpose_id .
+The
+.Dv X509_PURPOSE_*
+constants listed in
+.Xr X509_check_purpose 3
+can be used.
+.Pp
+.Fn x509_verify_ctx_set_intermediates
+provides some intermediate certificates, typically received from
+the peer, to be used for building chains.
+In case of success, this function increases the reference count of
+.Fa intermediates .
+.Pp
+.Fn x509_verify_ctx_error_string
+extracts a description of the last error encountered by a previous
+call to
+.Fn x509_verify
+from
+.Fa ctx .
+.Pp
+.Fn x509_verify_ctx_error_depth
+extracts the depth of the last error encountered by a previous
+call to
+.Fn x509_verify
+from
+.Fa ctx .
+.Pp
+.Fn x509_verify_ctx_chain
+extracts the validated chain with the given
+.Fa index
+from
+.Fa ctx
+after a previous call to
+.Fn x509_verify .
+The
+.Fa index
+starts at 0, and it is an error to pass a number
+greater than or equal to the return value of
+.Fn x509_verify .
+The returned chain is neither copied,
+nor is its reference count increased.
+.Sh RETURN VALUES
+.Fn x509_verify
+returns the number of chains successfully built and validated,
+or 0 if
+.Fa ctx
+is
+.Dv NULL
+or if an error occurs.
+.Pp
+.Fn x509_verify_ctx_new
+returns a newly allocated context or
+.Dv NULL
+on failure.
+.Pp
+.Fn x509_verify_ctx_set_max_depth ,
+.Fn x509_verify_ctx_set_max_signatures ,
+.Fn x509_verify_ctx_set_max_chains ,
+.Fn x509_verify_ctx_set_purpose ,
+and
+.Fn x509_verify_ctx_set_intermediates
+return 1 on success or 0 on failure.
+.Pp
+.Fn x509_verify_ctx_error_string
+returns a pointer to a human readable error string.
+If no error occurred,
+.Qq ok
+is returned.
+.Pp
+.Fn x509_verify_ctx_chain
+returns an internal pointer to a validated chain or
+.Dv NULL
+if
+.Fa index
+is greater than or equal to the number of chains
+that were successfully built and validated.
+The returned pointer becomes invalid when
+.Fa ctx
+is destroyed.
+.Sh SEE ALSO
+.Xr X509_verify_cert 3
+.Sh HISTORY
+These functions first appeared in
+.Ox 6.8 .
+.Sh AUTHORS
+.An Bob Beck Aq Mt beck@openbsd.org
author	beck <>	2020-09-14 12:38:38 +0000
committer	beck <>	2020-09-14 12:38:38 +0000
commit	cb79cb98f476fac4eb40ee7a72ea8b4eade33e1c (patch)
tree	906a960fdc65d47a04d679fdd65ad412f2bd27dd /src
parent	0d65d2118b0232bebdc91dae5db25ff9bceb06c1 (diff)
download	openbsd-cb79cb98f476fac4eb40ee7a72ea8b4eade33e1c.tar.gz openbsd-cb79cb98f476fac4eb40ee7a72ea8b4eade33e1c.tar.bz2 openbsd-cb79cb98f476fac4eb40ee7a72ea8b4eade33e1c.zip

diff --git a/src/lib/libcrypto/man/x509_verify.3 b/src/lib/libcrypto/man/x509_verify.3 new file mode 100644 index 0000000000..78ec0536d2 --- /dev/null +++ b/src/lib/libcrypto/man/x509_verify.3
@@ -0,0 +1,225 @@
	1	.\" $OpenBSD: x509_verify.3,v 1.1 2020/09/14 12:38:38 beck Exp $
	2	.\"
	3	.\" Copyright (c) 2020 Bob Beck <beck@openbsd.org>
	4	.\"
	5	.\" Permission to use, copy, modify, and distribute this software for any
	6	.\" purpose with or without fee is hereby granted, provided that the above
	7	.\" copyright notice and this permission notice appear in all copies.
	8	.\"
	9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	.\"
	17	.Dd $Mdocdate: September 14 2020 $
	18	.Dt X509_VERIFY 3
	19	.Os
	20	.Sh NAME
	21	.Nm x509_verify ,
	22	.Nm x509_verify_ctx_new ,
	23	.Nm x509_verify_ctx_free ,
	24	.Nm x509_verify_ctx_set_max_depth ,
	25	.Nm x509_verify_ctx_set_max_signatures ,
	26	.Nm x509_verify_ctx_set_max_chains ,
	27	.Nm x509_verify_ctx_set_purpose ,
	28	.Nm x509_verify_ctx_set_intermediates ,
	29	.Nm x509_verify_ctx_error_string ,
	30	.Nm x509_verify_ctx_error_depth ,
	31	.Nm x509_verify_ctx_chain
	32	.Nd discover and verify X.509 certificate chains
	33	.Sh SYNOPSIS
	34	.In openssl/x509_verify.h
	35	.Ft size_t
	36	.Fo x509_verify
	37	.Fa "X509_VERIFY_CTX *ctx"
	38	.Fa "X509 *leaf"
	39	.Fa "char *name"
	40	.Fc
	41	.Ft X509_VERIFY_CTX *
	42	.Fo x509_verify_ctx_new
	43	.Fa "STACK_OF(X509) *roots"
	44	.Fc
	45	.Ft void
	46	.Fo x509_verify_ctx_free
	47	.Fa "X509_VERIFY_CTX *ctx"
	48	.Fc
	49	.Ft int
	50	.Fo x509_verify_ctx_set_max_depth
	51	.Fa "X509_VERIFY_CTX *ctx"
	52	.Fa "size_t max"
	53	.Fc
	54	.Ft int
	55	.Fo x509_verify_ctx_set_max_signatures
	56	.Fa "X509_VERIFY_CTX *ctx"
	57	.Fa "size_t max"
	58	.Fc
	59	.Ft int
	60	.Fo x509_verify_ctx_set_max_chains
	61	.Fa "X509_VERIFY_CTX *ctx"
	62	.Fa "size_t max"
	63	.Fc
	64	.Ft int
	65	.Fo x509_verify_ctx_set_purpose
	66	.Fa "X509_VERIFY_CTX *ctx"
	67	.Fa "int purpose_id"
	68	.Fc
	69	.Ft int
	70	.Fo x509_verify_ctx_set_intermediates
	71	.Fa "X509_VERIFY_CTX *ctx"
	72	.Fa "STACK_OF(X509) *intermediates"
	73	.Fc
	74	.Ft const char *
	75	.Fo x509_verify_ctx_error_string
	76	.Fa "X509_VERIFY_CTX *ctx"
	77	.Fc
	78	.Ft size_t
	79	.Fo x509_verify_ctx_error_depth
	80	.Fa "X509_VERIFY_CTX *ctx"
	81	.Fc
	82	.Ft STACK_OF(X509) *
	83	.Fo x509_verify_ctx_chain
	84	.Fa "X509_VERIFY_CTX *ctx"
	85	.Fa "size_t index"
	86	.Fc
	87	.Sh DESCRIPTION
	88	The
	89	.Fn x509_verify
	90	function attempts to discover and validate all certificate chains
	91	for the
	92	.Fa name
	93	from the
	94	.Fa leaf
	95	certificate based on the parameters in
	96	.Fa ctx .
	97	Multiple chains may be built and validated.
	98	Revocation checking is not done by this function, and should be
	99	performed by the caller on any returned chains if so desired.
	100	.Pp
	101	.Fn x509_verify_ctx_new
	102	allocates a new context using the trusted
	103	.Fa roots .
	104	In case of success, it increments the reference count of
	105	.Fa roots .
	106	.Pp
	107	.Fn x509_verify_ctx_free
	108	frees
	109	.Fa ctx
	110	and decrements the reference count of the
	111	.Fa roots
	112	and
	113	.Fa intermediates
	114	associated with it.
	115	If
	116	.Fa ctx
	117	is
	118	.Dv NULL ,
	119	no action occurs.
	120	.Pp
	121	.Fn x509_verify_ctx_set_max_depth
	122	sets the maximum depth of certificate chains that will be constructed to
	123	.Fa max ,
	124	which can be in the range from 1 to the default of 32.
	125	.Pp
	126	.Fn x509_verify_ctx_set_max_signatures
	127	sets the maximum number of public key signature operations that will be
	128	used when verifying certificate chains to
	129	.Fa max ,
	130	which can be in the range from 1 to 100000.
	131	The default is 256.
	132	.Pp
	133	.Fn x509_verify_ctx_set_max_chains
	134	sets the maximum number of chains which may be returned to
	135	.Fa max ,
	136	which can be in the range from 1 to the default of 8.
	137	.Pp
	138	.Fn x509_verify_ctx_set_purpose
	139	sets the certificate purpose for validation to
	140	.Fa purpose_id .
	141	The
	142	.Dv X509_PURPOSE_*
	143	constants listed in
	144	.Xr X509_check_purpose 3
	145	can be used.
	146	.Pp
	147	.Fn x509_verify_ctx_set_intermediates
	148	provides some intermediate certificates, typically received from
	149	the peer, to be used for building chains.
	150	In case of success, this function increases the reference count of
	151	.Fa intermediates .
	152	.Pp
	153	.Fn x509_verify_ctx_error_string
	154	extracts a description of the last error encountered by a previous
	155	call to
	156	.Fn x509_verify
	157	from
	158	.Fa ctx .
	159	.Pp
	160	.Fn x509_verify_ctx_error_depth
	161	extracts the depth of the last error encountered by a previous
	162	call to
	163	.Fn x509_verify
	164	from
	165	.Fa ctx .
	166	.Pp
	167	.Fn x509_verify_ctx_chain
	168	extracts the validated chain with the given
	169	.Fa index
	170	from
	171	.Fa ctx
	172	after a previous call to
	173	.Fn x509_verify .
	174	The
	175	.Fa index
	176	starts at 0, and it is an error to pass a number
	177	greater than or equal to the return value of
	178	.Fn x509_verify .
	179	The returned chain is neither copied,
	180	nor is its reference count increased.
	181	.Sh RETURN VALUES
	182	.Fn x509_verify
	183	returns the number of chains successfully built and validated,
	184	or 0 if
	185	.Fa ctx
	186	is
	187	.Dv NULL
	188	or if an error occurs.
	189	.Pp
	190	.Fn x509_verify_ctx_new
	191	returns a newly allocated context or
	192	.Dv NULL
	193	on failure.
	194	.Pp
	195	.Fn x509_verify_ctx_set_max_depth ,
	196	.Fn x509_verify_ctx_set_max_signatures ,
	197	.Fn x509_verify_ctx_set_max_chains ,
	198	.Fn x509_verify_ctx_set_purpose ,
	199	and
	200	.Fn x509_verify_ctx_set_intermediates
	201	return 1 on success or 0 on failure.
	202	.Pp
	203	.Fn x509_verify_ctx_error_string
	204	returns a pointer to a human readable error string.
	205	If no error occurred,
	206	.Qq ok
	207	is returned.
	208	.Pp
	209	.Fn x509_verify_ctx_chain
	210	returns an internal pointer to a validated chain or
	211	.Dv NULL
	212	if
	213	.Fa index
	214	is greater than or equal to the number of chains
	215	that were successfully built and validated.
	216	The returned pointer becomes invalid when
	217	.Fa ctx
	218	is destroyed.
	219	.Sh SEE ALSO
	220	.Xr X509_verify_cert 3
	221	.Sh HISTORY
	222	These functions first appeared in
	223	.Ox 6.8 .
	224	.Sh AUTHORS
	225	.An Bob Beck Aq Mt beck@openbsd.org