1 files changed, 9 insertions, 130 deletions
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 3005cdd2d8..45ae95fa5b 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.147 2023/06/07 10:53:30 schwarze Exp $
+.\" $OpenBSD: openssl.1,v 1.148 2023/06/08 09:40:17 schwarze Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: June 7 2023 $
+.Dd $Mdocdate: June 8 2023 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -6058,137 +6058,16 @@ error 24 at 1 depth lookup:invalid CA certificate
 .Pp
 The first line contains the name of the certificate being verified, followed by
 the subject name of the certificate.
-The second line contains the error number and the depth.
+The second line contains the error number as defined by the
+.Dv X509_V_ERR_*
+constants in
+.In openssl/x509_vfy.h ,
+the associated error message documented in
+.Xr X509_STORE_CTX_get_error 3 ,
+and the depth.
 The depth is the number of the certificate being verified when a
 problem was detected starting with zero for the certificate being verified
 itself, then 1 for the CA that signed the certificate and so on.
-Finally a text version of the error number is presented.
-.Pp
-An exhaustive list of the error codes and messages is shown below; this also
-includes the name of the error code as defined in the header file
-.In openssl/x509_vfy.h .
-Some of the error codes are defined but never returned: these are described as
-.Qq unused .
-.Bl -tag -width "XXXX"
-.It 0 X509_V_OK
-The operation was successful.
-.It 2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
-The issuer certificate of an untrusted certificate could not be found.
-.It 3 X509_V_ERR_UNABLE_TO_GET_CRL
-The CRL of a certificate could not be found.
-.It 4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
-The certificate signature could not be decrypted.
-This means that the actual signature value could not be determined
-rather than it not matching the expected value.
-This is only meaningful for RSA keys.
-.It 5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
-The CRL signature could not be decrypted.
-This means that the actual signature value could not be determined
-rather than it not matching the expected value.
-Unused.
-.It 6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
-The public key in the certificate
-.Cm SubjectPublicKeyInfo
-could not be read.
-.It 7 X509_V_ERR_CERT_SIGNATURE_FAILURE
-The signature of the certificate is invalid.
-.It 8 X509_V_ERR_CRL_SIGNATURE_FAILURE
-The signature of the certificate is invalid.
-.It 9 X509_V_ERR_CERT_NOT_YET_VALID
-The certificate is not yet valid: the
-.Cm notBefore
-date is after the current time.
-.It 10 X509_V_ERR_CERT_HAS_EXPIRED
-The certificate has expired; that is, the
-.Cm notAfter
-date is before the current time.
-.It 11 X509_V_ERR_CRL_NOT_YET_VALID
-The CRL is not yet valid.
-.It 12 X509_V_ERR_CRL_HAS_EXPIRED
-The CRL has expired.
-.It 13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
-The certificate
-.Cm notBefore
-field contains an invalid time.
-.It 14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
-The certificate
-.Cm notAfter
-field contains an invalid time.
-.It 15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
-The CRL
-.Cm thisUpdate
-field contains an invalid time.
-The error code is misnamed and the error message confusingly talks about
-.Dq lastUpdate
-instead of
-.Dq thisUpdate
-for historical reasons.
-.It 16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
-The CRL
-.Cm nextUpdate
-field contains an invalid time.
-.It 17 X509_V_ERR_OUT_OF_MEM
-An error occurred trying to allocate memory.
-This should never happen.
-.It 18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
-The passed certificate is self-signed and the same certificate cannot be
-found in the list of trusted certificates.
-.It 19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
-The certificate chain could be built up using the untrusted certificates but
-the root could not be found locally.
-.It 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
-The issuer certificate of a locally looked up certificate could not be found.
-This normally means the list of trusted certificates is not complete.
-.It 21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
-No signatures could be verified because the chain contains only one
-certificate and it is not self-signed.
-.It 22 X509_V_ERR_CERT_CHAIN_TOO_LONG
-The certificate chain length is greater than the supplied maximum depth.
-Unused.
-.It 23 X509_V_ERR_CERT_REVOKED
-The certificate has been revoked.
-.It 24 X509_V_ERR_INVALID_CA
-A CA certificate is invalid.
-Either it is not a CA or its extensions are not consistent
-with the supplied purpose.
-.It 25 X509_V_ERR_PATH_LENGTH_EXCEEDED
-The
-.Cm basicConstraints
-pathlength parameter has been exceeded.
-.It 26 X509_V_ERR_INVALID_PURPOSE
-The supplied certificate cannot be used for the specified purpose.
-.It 27 X509_V_ERR_CERT_UNTRUSTED
-The root CA is not marked as trusted for the specified purpose.
-.It 28 X509_V_ERR_CERT_REJECTED
-The root CA is marked to reject the specified purpose.
-.It 29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH
-The current candidate issuer certificate was rejected because its subject name
-did not match the issuer name of the current certificate.
-Only displayed when the
-.Fl issuer_checks
-option is set.
-.It 30 X509_V_ERR_AKID_SKID_MISMATCH
-The current candidate issuer certificate was rejected because its subject key
-identifier was present and did not match the authority key identifier current
-certificate.
-Only displayed when the
-.Fl issuer_checks
-option is set.
-.It 31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
-The current candidate issuer certificate was rejected because its issuer name
-and serial number were present and did not match the authority key identifier
-of the current certificate.
-Only displayed when the
-.Fl issuer_checks
-option is set.
-.It 32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN
-The current candidate issuer certificate was rejected because its
-.Cm keyUsage
-extension does not permit certificate signing.
-.It 50 X509_V_ERR_APPLICATION_VERIFICATION
-An application specific error.
-Unused.
-.El
 .Tg version
 .Sh VERSION
 .Nm openssl version

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1 index 3005cdd2d8..45ae95fa5b 100644 --- a/src/usr.bin/openssl/openssl.1 +++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.147 2023/06/07 10:53:30 schwarze Exp $	1	.\" $OpenBSD: openssl.1,v 1.148 2023/06/08 09:40:17 schwarze Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -110,7 +110,7 @@
110	.\" copied and put under another distribution licence	110	.\" copied and put under another distribution licence
111	.\" [including the GNU Public Licence.]	111	.\" [including the GNU Public Licence.]
112	.\"	112	.\"
113	.Dd $Mdocdate: June 7 2023 $	113	.Dd $Mdocdate: June 8 2023 $
114	.Dt OPENSSL 1	114	.Dt OPENSSL 1
115	.Os	115	.Os
116	.Sh NAME	116	.Sh NAME
@@ -6058,137 +6058,16 @@ error 24 at 1 depth lookup:invalid CA certificate
6058	.Pp	6058	.Pp
6059	The first line contains the name of the certificate being verified, followed by	6059	The first line contains the name of the certificate being verified, followed by
6060	the subject name of the certificate.	6060	the subject name of the certificate.
6061	The second line contains the error number and the depth.	6061	The second line contains the error number as defined by the
		6062	.Dv X509_V_ERR_*
		6063	constants in
		6064	.In openssl/x509_vfy.h ,
		6065	the associated error message documented in
		6066	.Xr X509_STORE_CTX_get_error 3 ,
		6067	and the depth.
6062	The depth is the number of the certificate being verified when a	6068	The depth is the number of the certificate being verified when a
6063	problem was detected starting with zero for the certificate being verified	6069	problem was detected starting with zero for the certificate being verified
6064	itself, then 1 for the CA that signed the certificate and so on.	6070	itself, then 1 for the CA that signed the certificate and so on.
6065	Finally a text version of the error number is presented.
6066	.Pp
6067	An exhaustive list of the error codes and messages is shown below; this also
6068	includes the name of the error code as defined in the header file
6069	.In openssl/x509_vfy.h .
6070	Some of the error codes are defined but never returned: these are described as
6071	.Qq unused .
6072	.Bl -tag -width "XXXX"
6073	.It 0 X509_V_OK
6074	The operation was successful.
6075	.It 2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
6076	The issuer certificate of an untrusted certificate could not be found.
6077	.It 3 X509_V_ERR_UNABLE_TO_GET_CRL
6078	The CRL of a certificate could not be found.
6079	.It 4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
6080	The certificate signature could not be decrypted.
6081	This means that the actual signature value could not be determined
6082	rather than it not matching the expected value.
6083	This is only meaningful for RSA keys.
6084	.It 5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
6085	The CRL signature could not be decrypted.
6086	This means that the actual signature value could not be determined
6087	rather than it not matching the expected value.
6088	Unused.
6089	.It 6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
6090	The public key in the certificate
6091	.Cm SubjectPublicKeyInfo
6092	could not be read.
6093	.It 7 X509_V_ERR_CERT_SIGNATURE_FAILURE
6094	The signature of the certificate is invalid.
6095	.It 8 X509_V_ERR_CRL_SIGNATURE_FAILURE
6096	The signature of the certificate is invalid.
6097	.It 9 X509_V_ERR_CERT_NOT_YET_VALID
6098	The certificate is not yet valid: the
6099	.Cm notBefore
6100	date is after the current time.
6101	.It 10 X509_V_ERR_CERT_HAS_EXPIRED
6102	The certificate has expired; that is, the
6103	.Cm notAfter
6104	date is before the current time.
6105	.It 11 X509_V_ERR_CRL_NOT_YET_VALID
6106	The CRL is not yet valid.
6107	.It 12 X509_V_ERR_CRL_HAS_EXPIRED
6108	The CRL has expired.
6109	.It 13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
6110	The certificate
6111	.Cm notBefore
6112	field contains an invalid time.
6113	.It 14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
6114	The certificate
6115	.Cm notAfter
6116	field contains an invalid time.
6117	.It 15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
6118	The CRL
6119	.Cm thisUpdate
6120	field contains an invalid time.
6121	The error code is misnamed and the error message confusingly talks about
6122	.Dq lastUpdate
6123	instead of
6124	.Dq thisUpdate
6125	for historical reasons.
6126	.It 16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
6127	The CRL
6128	.Cm nextUpdate
6129	field contains an invalid time.
6130	.It 17 X509_V_ERR_OUT_OF_MEM
6131	An error occurred trying to allocate memory.
6132	This should never happen.
6133	.It 18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
6134	The passed certificate is self-signed and the same certificate cannot be
6135	found in the list of trusted certificates.
6136	.It 19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
6137	The certificate chain could be built up using the untrusted certificates but
6138	the root could not be found locally.
6139	.It 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
6140	The issuer certificate of a locally looked up certificate could not be found.
6141	This normally means the list of trusted certificates is not complete.
6142	.It 21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
6143	No signatures could be verified because the chain contains only one
6144	certificate and it is not self-signed.
6145	.It 22 X509_V_ERR_CERT_CHAIN_TOO_LONG
6146	The certificate chain length is greater than the supplied maximum depth.
6147	Unused.
6148	.It 23 X509_V_ERR_CERT_REVOKED
6149	The certificate has been revoked.
6150	.It 24 X509_V_ERR_INVALID_CA
6151	A CA certificate is invalid.
6152	Either it is not a CA or its extensions are not consistent
6153	with the supplied purpose.
6154	.It 25 X509_V_ERR_PATH_LENGTH_EXCEEDED
6155	The
6156	.Cm basicConstraints
6157	pathlength parameter has been exceeded.
6158	.It 26 X509_V_ERR_INVALID_PURPOSE
6159	The supplied certificate cannot be used for the specified purpose.
6160	.It 27 X509_V_ERR_CERT_UNTRUSTED
6161	The root CA is not marked as trusted for the specified purpose.
6162	.It 28 X509_V_ERR_CERT_REJECTED
6163	The root CA is marked to reject the specified purpose.
6164	.It 29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH
6165	The current candidate issuer certificate was rejected because its subject name
6166	did not match the issuer name of the current certificate.
6167	Only displayed when the
6168	.Fl issuer_checks
6169	option is set.
6170	.It 30 X509_V_ERR_AKID_SKID_MISMATCH
6171	The current candidate issuer certificate was rejected because its subject key
6172	identifier was present and did not match the authority key identifier current
6173	certificate.
6174	Only displayed when the
6175	.Fl issuer_checks
6176	option is set.
6177	.It 31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
6178	The current candidate issuer certificate was rejected because its issuer name
6179	and serial number were present and did not match the authority key identifier
6180	of the current certificate.
6181	Only displayed when the
6182	.Fl issuer_checks
6183	option is set.
6184	.It 32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN
6185	The current candidate issuer certificate was rejected because its
6186	.Cm keyUsage
6187	extension does not permit certificate signing.
6188	.It 50 X509_V_ERR_APPLICATION_VERIFICATION
6189	An application specific error.
6190	Unused.
6191	.El
6192	.Tg version	6071	.Tg version
6193	.Sh VERSION	6072	.Sh VERSION
6194	.Nm openssl version	6073	.Nm openssl version