3 files changed, 184 insertions, 18 deletions
diff --git a/src/lib/libcrypto/man/ASIdentifiers_new.3 b/src/lib/libcrypto/man/ASIdentifiers_new.3
index f6ab5e5aaf..f95b258cae 100644
--- a/src/lib/libcrypto/man/ASIdentifiers_new.3
+++ b/src/lib/libcrypto/man/ASIdentifiers_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASIdentifiers_new.3,v 1.3 2023/09/25 11:59:10 tb Exp $
+.\" $OpenBSD: ASIdentifiers_new.3,v 1.4 2023/09/26 08:56:18 tb Exp $
 .\"
 .\" Copyright (c) 2021 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 25 2023 $
+.Dd $Mdocdate: September 26 2023 $
 .Dt ASIDENTIFIERS_NEW 3
 .Os
 .Sh NAME
@@ -59,6 +59,9 @@ allocates and initializes a new, empty
 .Vt ASIdentifiers
 object that can be populated with
 .Xr X509v3_asid_add_id_or_range 3 .
+See
+.Xr ASRange_new 3
+for implementation details.
 .Pp
 .Fn ASIdentifiers_free
 frees
diff --git a/src/lib/libcrypto/man/ASRange_new.3 b/src/lib/libcrypto/man/ASRange_new.3
index 6aa33f2c79..48c3a403c5 100644
--- a/src/lib/libcrypto/man/ASRange_new.3
+++ b/src/lib/libcrypto/man/ASRange_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASRange_new.3,v 1.1 2023/09/25 11:59:10 tb Exp $
+.\" $OpenBSD: ASRange_new.3,v 1.2 2023/09/26 08:56:18 tb Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 25 2023 $
+.Dd $Mdocdate: September 26 2023 $
 .Dt ASRANGE_NEW 3
 .Os
 .Sh NAME
@@ -25,7 +25,11 @@
 .Nm ASIdOrRange_new ,
 .Nm ASIdOrRange_free ,
 .Nm d2i_ASIdOrRange ,
-.Nm i2d_ASIdOrRange
+.Nm i2d_ASIdOrRange ,
+.Nm ASIdentifierChoice_new ,
+.Nm ASIdentifierChoice_free ,
+.Nm d2i_ASIdentifierChoice ,
+.Nm i2d_ASIdentifierChoice
 .Nd Autonomous system identifiers and ranges
 .Sh SYNOPSIS
 .In openssl/x509v3.h
@@ -59,10 +63,26 @@
 .Fa "ASIdOrRange *aor"
 .Fa "unsigned char **der_out"
 .Fc
+.Ft "ASIdentifierChoice *"
+.Fn ASIdentifierChoice_new void
+.Ft void
+.Fn ASIdentifierChoice_free "ASIdentifierChoice *aic"
+.Ft ASIdentifierChoice *
+.Fo d2i_ASIdentifierChoice
+.Fa "ASIdentifierChoice **aic"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_ASIdentifierChoice
+.Fa "ASIdentifierChoice *aic"
+.Fa "unsigned char **der_out"
+.Fc
 .Sh DESCRIPTION
-.Vt ASRange
+.Vt ASRange ,
+.Vt ASIdOrRange ,
 and
-.Vt ASIdOrRange
+.Vt ASIdentifierChoice
 are building blocks of the RFC 3779
 .Vt ASIdentifiers
 type representing the autonomous system identifier delegation extension.
@@ -167,15 +187,108 @@ is
 .Dv NULL ,
 no action occurs.
 .Pp
+In order to express a list of AS identifiers and ranges,
+RFC 3779 section 3.2.3.4
+uses an ASN.1 SEQUENCE,
+which is implemented via a
+.Xr STACK_OF 3
+construction over
+.Vt ASIdOrRange :
+.Bd -literal -offset indent
+typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
+.Ed
+.Pp
+Since an
+.Vt ASIdOrRanges
+object should be sorted in a specific way (see
+.Xr X509v3_asid_canonize 3 Ns ),
+a comparison function is needed for a correct instantiation
+with
+.Xr sk_new 3 .
+The
+.Fn ASIdOrRange_cmp
+function is not directly exposed and not easily accessible
+from outside the library,
+and it is non-trivial to implement.
+It is therefore discouraged to use
+.Vt ASIdOrRanges
+objects that are not part of an
+.Vt ASIdentifiers
+object.
+.Pp
+The
+.Dq inherit
+marker from RFC 3779 section 3.2.3.3 is implemented as
+.Vt ASN1_NULL .
+It has no dedicated type or API and can be instantiated with
+.Xr ASN1_NULL_new 3 .
+.Pp
+The
+.Vt ASIdentifierChoice
+type defined in RFC 3779 section 3.2.3.2 is implemented as
+.Bd -literal -offset indent
+typedef struct ASIdentifierChoice_st {
+        int type;
+        union {
+                ASN1_NULL *inherit;
+                ASIdOrRanges *asIdsOrRanges;
+        } u;
+} ASIdentifierChoice;
+.Ed
+.Pp
+where the
+.Fa type
+member should be set to
+.Dv ASIdentifierChoice_inherit
+or
+.Dv ASIdentifierChoice_asIdsOrRanges
+to indicate whether a given
+.Vt ASIdentifierChoice
+object represents an inherited list or an explicit list.
+.Pp
+.Fn ASIdentifierChoice_new
+returns a new
+.Vt ASIdentifierChoice
+object with invalid type and
+.Dv NULL
+members of the union
+.Fa u .
+.Pp
+.Fn ASIdentifierChoice_free
+frees
+.Fa aic
+including any data contained in it,
+provided
+.Fa type
+is set correctly.
+.Pp
+The
+.Vt ASIdentifiers
+type defined in RFC 3779 section 3.2.3.1 is implemented as
+.Bd -literal -offset indent
+typedef struct ASIdentifiers_st {
+        ASIdentifierChoice *asnum;
+        ASIdentifierChoice *rdi;
+} ASIdentifiers;
+.Ed
+.Pp
+It should be instantiated with
+.Xr ASIdentifiers_new 3
+and populated with
+.Xr X509v3_asid_add_id_or_range 3 .
+.Pp
 .Fn d2i_ASRange ,
 .Fn i2d_ASRange ,
 .Fn d2i_ASIdOrRange ,
+.Fn i2d_ASIdOrRange ,
+.Fn d2i_ASIdentifierChoice ,
 and
-.Fn i2d_ASIdOrRange
+.Fn i2d_ASIdentifierChoice
 decode and encode ASN.1
-.Vt ASRange
+.Vt ASRange ,
+.Vt ASIdOrRange ,
 and
-.Vt ASIdOrRange
+.Vt ASIdentifierChoice
 objects.
 For details about the semantics, examples, caveats, and bugs, see
 .Xr ASN1_item_d2i 3 .
@@ -207,23 +320,34 @@ object or
 .Dv NULL
 if an error occurs.
 .Pp
+.Fn ASIdentifierChoice_new
+returns a new, empty
+.Vt ASIdentifierChoice
+object or
+.Dv NULL
+if an error occurs.
+.Pp
 The encoding functions
-.Fn d2i_ASRange
+.Fn d2i_ASRange ,
+.Fn d2i_ASIdOrRange ,
 and
-.Fn d2i_ASIdOrRange
+.Fn d2i_ASIdentifierChoice
 return an
-.Vt ASRange
+.Vt ASRange ,
+an
+.Vt ASIdOrRange ,
 or an
-.Vt ASIdOrRange
+.Vt ASIdentifierChoice ,
 object, respectively,
 or
 .Dv NULL
 if an error occurs.
 .Pp
 The encoding functions
-.Fn i2d_ASRange
+.Fn i2d_ASRange ,
+.Fn i2d_ASIdOrRange ,
 and
-.Fn i2d_ASIdOrRange
+.Fn i2d_ASIdentifierChoice
 return the number of bytes successfully encoded
 or a value <= 0 if an error occurs.
 .Sh SEE ALSO
@@ -241,6 +365,14 @@ RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
 .It
 section 3.2.3: Syntax
 .It
+section 3.2.3.1: Type ASIdentifiers
+.It
+section 3.2.3.2: Elements asnum, rdi, and Type ASIdentifierChoice
+.It
+section 3.2.3.3: Element inherit
+.It
+section 3.2.3.4: Element asIdsOrRanges
+.It
 section 3.2.3.5: Type ASIdOrRange
 .It
 section 3.2.3.6: Element id
@@ -255,3 +387,29 @@ section 3.2.3.9: Elements min and max
 These functions first appeared in OpenSSL 0.9.8e
 and have been available since
 .Ox 7.1 .
+.Sh BUGS
+An
+.Fn ASIdOrRanges_new
+function that installs the correct comparison function
+on the stack of
+.Vt ASIdOrRange
+should have been part of the API to make it usable.
+.Pp
+.Fn ASIdentifierChoice_new
+is of very limited use because
+.Fn ASIdOrRanges_new
+is missing.
+.Pp
+There is no way of ensuring that an
+.Vt ASIdOrRanges
+object is in canonical form unless it is part of an
+.Vt ASIdentifiers
+object.
+It is therefore difficult to guarantee that the output of
+.Fn i2d_ASIdentifierChoice
+is conformant.
+.Pp
+RFC 3779 3.2.3.4 has
+.Dq Fa asIdsOrRanges
+while its type in this implementation is
+.Vt ASIdOrRanges .
diff --git a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
index cd25945865..272acc31e2 100644
--- a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
+++ b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.2 2023/09/25 10:34:44 tb Exp $
+.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.3 2023/09/26 08:56:18 tb Exp $
 .\"
 .\" Copyright (c) 2021-2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 25 2023 $
+.Dd $Mdocdate: September 26 2023 $
 .Dt X509V3_ASID_ADD_ID_OR_RANGE 3
 .Os
 .Sh NAME
@@ -51,6 +51,11 @@ An
 .Vt ASIdentifiers
 object represents the content of the X509v3 certificate extension
 defined in RFC 3779, section 3.2.3.1.
+It can be instantiated with
+.Xr ASIdentifiers_new 3
+and its internals are documented in
+.Xr ASRange_new 3 .
+.Pp
 An autonomous system is identified by an unsigned 32-bit integer,
 called an AS number.
 An

diff --git a/src/lib/libcrypto/man/ASIdentifiers_new.3 b/src/lib/libcrypto/man/ASIdentifiers_new.3 index f6ab5e5aaf..f95b258cae 100644 --- a/src/lib/libcrypto/man/ASIdentifiers_new.3 +++ b/src/lib/libcrypto/man/ASIdentifiers_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ASIdentifiers_new.3,v 1.3 2023/09/25 11:59:10 tb Exp $	1	.\" $OpenBSD: ASIdentifiers_new.3,v 1.4 2023/09/26 08:56:18 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2021 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2021 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: September 25 2023 $	17	.Dd $Mdocdate: September 26 2023 $
18	.Dt ASIDENTIFIERS_NEW 3	18	.Dt ASIDENTIFIERS_NEW 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -59,6 +59,9 @@ allocates and initializes a new, empty
59	.Vt ASIdentifiers	59	.Vt ASIdentifiers
60	object that can be populated with	60	object that can be populated with
61	.Xr X509v3_asid_add_id_or_range 3 .	61	.Xr X509v3_asid_add_id_or_range 3 .
		62	See
		63	.Xr ASRange_new 3
		64	for implementation details.
62	.Pp	65	.Pp
63	.Fn ASIdentifiers_free	66	.Fn ASIdentifiers_free
64	frees	67	frees


diff --git a/src/lib/libcrypto/man/ASRange_new.3 b/src/lib/libcrypto/man/ASRange_new.3 index 6aa33f2c79..48c3a403c5 100644 --- a/src/lib/libcrypto/man/ASRange_new.3 +++ b/src/lib/libcrypto/man/ASRange_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ASRange_new.3,v 1.1 2023/09/25 11:59:10 tb Exp $	1	.\" $OpenBSD: ASRange_new.3,v 1.2 2023/09/26 08:56:18 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: September 25 2023 $	17	.Dd $Mdocdate: September 26 2023 $
18	.Dt ASRANGE_NEW 3	18	.Dt ASRANGE_NEW 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -25,7 +25,11 @@
25	.Nm ASIdOrRange_new ,	25	.Nm ASIdOrRange_new ,
26	.Nm ASIdOrRange_free ,	26	.Nm ASIdOrRange_free ,
27	.Nm d2i_ASIdOrRange ,	27	.Nm d2i_ASIdOrRange ,
28	.Nm i2d_ASIdOrRange	28	.Nm i2d_ASIdOrRange ,
		29	.Nm ASIdentifierChoice_new ,
		30	.Nm ASIdentifierChoice_free ,
		31	.Nm d2i_ASIdentifierChoice ,
		32	.Nm i2d_ASIdentifierChoice
29	.Nd Autonomous system identifiers and ranges	33	.Nd Autonomous system identifiers and ranges
30	.Sh SYNOPSIS	34	.Sh SYNOPSIS
31	.In openssl/x509v3.h	35	.In openssl/x509v3.h
@@ -59,10 +63,26 @@
59	.Fa "ASIdOrRange *aor"	63	.Fa "ASIdOrRange *aor"
60	.Fa "unsigned char **der_out"	64	.Fa "unsigned char **der_out"
61	.Fc	65	.Fc
		66	.Ft "ASIdentifierChoice *"
		67	.Fn ASIdentifierChoice_new void
		68	.Ft void
		69	.Fn ASIdentifierChoice_free "ASIdentifierChoice *aic"
		70	.Ft ASIdentifierChoice *
		71	.Fo d2i_ASIdentifierChoice
		72	.Fa "ASIdentifierChoice **aic"
		73	.Fa "const unsigned char **der_in"
		74	.Fa "long length"
		75	.Fc
		76	.Ft int
		77	.Fo i2d_ASIdentifierChoice
		78	.Fa "ASIdentifierChoice *aic"
		79	.Fa "unsigned char **der_out"
		80	.Fc
62	.Sh DESCRIPTION	81	.Sh DESCRIPTION
63	.Vt ASRange	82	.Vt ASRange ,
		83	.Vt ASIdOrRange ,
64	and	84	and
65	.Vt ASIdOrRange	85	.Vt ASIdentifierChoice
66	are building blocks of the RFC 3779	86	are building blocks of the RFC 3779
67	.Vt ASIdentifiers	87	.Vt ASIdentifiers
68	type representing the autonomous system identifier delegation extension.	88	type representing the autonomous system identifier delegation extension.
@@ -167,15 +187,108 @@ is
167	.Dv NULL ,	187	.Dv NULL ,
168	no action occurs.	188	no action occurs.
169	.Pp	189	.Pp
		190	In order to express a list of AS identifiers and ranges,
		191	RFC 3779 section 3.2.3.4
		192	uses an ASN.1 SEQUENCE,
		193	which is implemented via a
		194	.Xr STACK_OF 3
		195	construction over
		196	.Vt ASIdOrRange :
		197	.Bd -literal -offset indent
		198	typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
		199	.Ed
		200	.Pp
		201	Since an
		202	.Vt ASIdOrRanges
		203	object should be sorted in a specific way (see
		204	.Xr X509v3_asid_canonize 3 Ns ),
		205	a comparison function is needed for a correct instantiation
		206	with
		207	.Xr sk_new 3 .
		208	The
		209	.Fn ASIdOrRange_cmp
		210	function is not directly exposed and not easily accessible
		211	from outside the library,
		212	and it is non-trivial to implement.
		213	It is therefore discouraged to use
		214	.Vt ASIdOrRanges
		215	objects that are not part of an
		216	.Vt ASIdentifiers
		217	object.
		218	.Pp
		219	The
		220	.Dq inherit
		221	marker from RFC 3779 section 3.2.3.3 is implemented as
		222	.Vt ASN1_NULL .
		223	It has no dedicated type or API and can be instantiated with
		224	.Xr ASN1_NULL_new 3 .
		225	.Pp
		226	The
		227	.Vt ASIdentifierChoice
		228	type defined in RFC 3779 section 3.2.3.2 is implemented as
		229	.Bd -literal -offset indent
		230	typedef struct ASIdentifierChoice_st {
		231	int type;
		232	union {
		233	ASN1_NULL *inherit;
		234	ASIdOrRanges *asIdsOrRanges;
		235	} u;
		236	} ASIdentifierChoice;
		237	.Ed
		238	.Pp
		239	where the
		240	.Fa type
		241	member should be set to
		242	.Dv ASIdentifierChoice_inherit
		243	or
		244	.Dv ASIdentifierChoice_asIdsOrRanges
		245	to indicate whether a given
		246	.Vt ASIdentifierChoice
		247	object represents an inherited list or an explicit list.
		248	.Pp
		249	.Fn ASIdentifierChoice_new
		250	returns a new
		251	.Vt ASIdentifierChoice
		252	object with invalid type and
		253	.Dv NULL
		254	members of the union
		255	.Fa u .
		256	.Pp
		257	.Fn ASIdentifierChoice_free
		258	frees
		259	.Fa aic
		260	including any data contained in it,
		261	provided
		262	.Fa type
		263	is set correctly.
		264	.Pp
		265	The
		266	.Vt ASIdentifiers
		267	type defined in RFC 3779 section 3.2.3.1 is implemented as
		268	.Bd -literal -offset indent
		269	typedef struct ASIdentifiers_st {
		270	ASIdentifierChoice *asnum;
		271	ASIdentifierChoice *rdi;
		272	} ASIdentifiers;
		273	.Ed
		274	.Pp
		275	It should be instantiated with
		276	.Xr ASIdentifiers_new 3
		277	and populated with
		278	.Xr X509v3_asid_add_id_or_range 3 .
		279	.Pp
170	.Fn d2i_ASRange ,	280	.Fn d2i_ASRange ,
171	.Fn i2d_ASRange ,	281	.Fn i2d_ASRange ,
172	.Fn d2i_ASIdOrRange ,	282	.Fn d2i_ASIdOrRange ,
		283	.Fn i2d_ASIdOrRange ,
		284	.Fn d2i_ASIdentifierChoice ,
173	and	285	and
174	.Fn i2d_ASIdOrRange	286	.Fn i2d_ASIdentifierChoice
175	decode and encode ASN.1	287	decode and encode ASN.1
176	.Vt ASRange	288	.Vt ASRange ,
		289	.Vt ASIdOrRange ,
177	and	290	and
178	.Vt ASIdOrRange	291	.Vt ASIdentifierChoice
179	objects.	292	objects.
180	For details about the semantics, examples, caveats, and bugs, see	293	For details about the semantics, examples, caveats, and bugs, see
181	.Xr ASN1_item_d2i 3 .	294	.Xr ASN1_item_d2i 3 .
@@ -207,23 +320,34 @@ object or
207	.Dv NULL	320	.Dv NULL
208	if an error occurs.	321	if an error occurs.
209	.Pp	322	.Pp
		323	.Fn ASIdentifierChoice_new
		324	returns a new, empty
		325	.Vt ASIdentifierChoice
		326	object or
		327	.Dv NULL
		328	if an error occurs.
		329	.Pp
210	The encoding functions	330	The encoding functions
211	.Fn d2i_ASRange	331	.Fn d2i_ASRange ,
		332	.Fn d2i_ASIdOrRange ,
212	and	333	and
213	.Fn d2i_ASIdOrRange	334	.Fn d2i_ASIdentifierChoice
214	return an	335	return an
215	.Vt ASRange	336	.Vt ASRange ,
		337	an
		338	.Vt ASIdOrRange ,
216	or an	339	or an
217	.Vt ASIdOrRange	340	.Vt ASIdentifierChoice ,
218	object, respectively,	341	object, respectively,
219	or	342	or
220	.Dv NULL	343	.Dv NULL
221	if an error occurs.	344	if an error occurs.
222	.Pp	345	.Pp
223	The encoding functions	346	The encoding functions
224	.Fn i2d_ASRange	347	.Fn i2d_ASRange ,
		348	.Fn i2d_ASIdOrRange ,
225	and	349	and
226	.Fn i2d_ASIdOrRange	350	.Fn i2d_ASIdentifierChoice
227	return the number of bytes successfully encoded	351	return the number of bytes successfully encoded
228	or a value <= 0 if an error occurs.	352	or a value <= 0 if an error occurs.
229	.Sh SEE ALSO	353	.Sh SEE ALSO
@@ -241,6 +365,14 @@ RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
241	.It	365	.It
242	section 3.2.3: Syntax	366	section 3.2.3: Syntax
243	.It	367	.It
		368	section 3.2.3.1: Type ASIdentifiers
		369	.It
		370	section 3.2.3.2: Elements asnum, rdi, and Type ASIdentifierChoice
		371	.It
		372	section 3.2.3.3: Element inherit
		373	.It
		374	section 3.2.3.4: Element asIdsOrRanges
		375	.It
244	section 3.2.3.5: Type ASIdOrRange	376	section 3.2.3.5: Type ASIdOrRange
245	.It	377	.It
246	section 3.2.3.6: Element id	378	section 3.2.3.6: Element id
@@ -255,3 +387,29 @@ section 3.2.3.9: Elements min and max
255	These functions first appeared in OpenSSL 0.9.8e	387	These functions first appeared in OpenSSL 0.9.8e
256	and have been available since	388	and have been available since
257	.Ox 7.1 .	389	.Ox 7.1 .
		390	.Sh BUGS
		391	An
		392	.Fn ASIdOrRanges_new
		393	function that installs the correct comparison function
		394	on the stack of
		395	.Vt ASIdOrRange
		396	should have been part of the API to make it usable.
		397	.Pp
		398	.Fn ASIdentifierChoice_new
		399	is of very limited use because
		400	.Fn ASIdOrRanges_new
		401	is missing.
		402	.Pp
		403	There is no way of ensuring that an
		404	.Vt ASIdOrRanges
		405	object is in canonical form unless it is part of an
		406	.Vt ASIdentifiers
		407	object.
		408	It is therefore difficult to guarantee that the output of
		409	.Fn i2d_ASIdentifierChoice
		410	is conformant.
		411	.Pp
		412	RFC 3779 3.2.3.4 has
		413	.Dq Fa asIdsOrRanges
		414	while its type in this implementation is
		415	.Vt ASIdOrRanges .


diff --git a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 index cd25945865..272acc31e2 100644 --- a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 +++ b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.2 2023/09/25 10:34:44 tb Exp $	1	.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.3 2023/09/26 08:56:18 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2021-2023 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2021-2023 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: September 25 2023 $	17	.Dd $Mdocdate: September 26 2023 $
18	.Dt X509V3_ASID_ADD_ID_OR_RANGE 3	18	.Dt X509V3_ASID_ADD_ID_OR_RANGE 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -51,6 +51,11 @@ An
51	.Vt ASIdentifiers	51	.Vt ASIdentifiers
52	object represents the content of the X509v3 certificate extension	52	object represents the content of the X509v3 certificate extension
53	defined in RFC 3779, section 3.2.3.1.	53	defined in RFC 3779, section 3.2.3.1.
		54	It can be instantiated with
		55	.Xr ASIdentifiers_new 3
		56	and its internals are documented in
		57	.Xr ASRange_new 3 .
		58	.Pp
54	An autonomous system is identified by an unsigned 32-bit integer,	59	An autonomous system is identified by an unsigned 32-bit integer,
55	called an AS number.	60	called an AS number.
56	An	61	An