9 files changed, 11 insertions, 527 deletions

diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index 3616c157d3..fc3204e3a2 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.248 2023/04/27 09:43:55 tb Exp $
+# $OpenBSD: Makefile,v 1.249 2023/04/30 14:49:47 tb Exp $
 
 .include <bsd.own.mk>
 
@@ -377,9 +377,6 @@ MAN=	\
         X509_load_cert_file.3 \
         X509_new.3 \
         X509_ocspid_print.3 \
-        X509_policy_check.3 \
-        X509_policy_tree_get0_policies.3 \
-        X509_policy_tree_level_count.3 \
         X509_print_ex.3 \
         X509_sign.3 \
         X509_signature_dump.3 \
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3 b/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
index 30e4024736..b3d0ee3069 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.26 2023/04/21 06:45:56 tb Exp $
+.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.27 2023/04/30 14:49:47 tb Exp $
 .\" full merge up to:
 .\" OpenSSL man3/X509_STORE_CTX_get_error 24a535ea Sep 22 13:14:20 2020 +0100
 .\" OpenSSL man3/X509_STORE_CTX_new 24a535ea Sep 22 13:14:20 2020 +0100
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 21 2023 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt X509_STORE_CTX_GET_ERROR 3
 .Os
 .Sh NAME
@@ -86,8 +86,6 @@
 .Nm X509_STORE_CTX_get_chain ,
 .Nm X509_STORE_CTX_get1_chain ,
 .Nm X509_STORE_CTX_set0_verified_chain ,
-.Nm X509_STORE_CTX_get0_policy_tree ,
-.Nm X509_STORE_CTX_get_explicit_policy ,
 .Nm X509_verify_cert_error_string
 .Nd get or set certificate verification status information
 .Sh SYNOPSIS
@@ -152,14 +150,6 @@
 .Fa "X509_STORE_CTX *ctx"
 .Fa "STACK_OF(X509) *chain"
 .Fc
-.Ft X509_POLICY_TREE *
-.Fo X509_STORE_CTX_get0_policy_tree
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft int
-.Fo X509_STORE_CTX_get_explicit_policy
-.Fa "X509_STORE_CTX *ctx"
-.Fc
 .In openssl/x509.h
 .Ft const char *
 .Fo X509_verify_cert_error_string
@@ -337,24 +327,6 @@ return a pointer to a stack of certificates or
 .Dv NULL
 if an error occurs.
 .Pp
-.Fn X509_STORE_CTX_get0_policy_tree
-returns an internal pointer to the
-.Fa valid_policy_tree
-created by
-.Xr X509_policy_check 3
-or
-.Dv NULL
-if validation failed or the resulting tree was empty.
-.Pp
-.Fn X509_STORE_CTX_get_explicit_policy
-returns the
-.Pf * Fa pexplicit_policy
-output argument of
-.Xr X509_policy_check 3 .
-If validation succeeded, it is 1 if
-.Dv X509_V_FLAG_EXPLICIT_POLICY
-was requested or 0 otherwise.
-.Pp
 .Fn X509_verify_cert_error_string
 returns a human readable error string for verification error
 .Fa n .
@@ -576,8 +548,6 @@ This will never be returned unless explicitly set by an application.
 .\"  No CA signature digest algorithm too weak
 .El
 .Sh SEE ALSO
-.Xr X509_policy_check 3 ,
-.Xr X509_policy_tree_level_count 3 ,
 .Xr X509_STORE_CTX_new 3 ,
 .Xr X509_STORE_CTX_set_verify 3 ,
 .Xr X509_STORE_CTX_set_verify_cb 3 ,
@@ -599,12 +569,6 @@ first appeared in SSLeay 0.8.0 and have been available since
 first appeared in OpenSSL 0.9.5 and has been available since
 .Ox 2.7 .
 .Pp
-.Fn X509_STORE_CTX_get0_policy_tree
-and
-.Fn X509_STORE_CTX_get_explicit_policy
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
 .Fn X509_STORE_CTX_get0_current_issuer ,
 .Fn X509_STORE_CTX_get0_current_crl ,
 and
diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
index 08961eb4d3..65e20f1ad8 100644
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
+++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.27 2022/12/01 05:33:55 tb Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.28 2023/04/30 14:49:47 tb Exp $
 .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 1 2022 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt X509_VERIFY_PARAM_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -566,8 +566,6 @@ If
 .Dv X509_V_FLAG_NOTIFY_POLICY
 is set and policy checking is successful, a special status code is
 sent to the verification callback.
-This permits it to examine the valid policy tree and perform additional
-checks or simply log it for debugging purposes.
 .Pp
 By default some additional features such as indirect CRLs and CRLs
 signed by different keys are disabled.
diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3
index 611697fa30..6356081137 100644
--- a/src/lib/libcrypto/man/X509_check_purpose.3
+++ b/src/lib/libcrypto/man/X509_check_purpose.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_purpose.3,v 1.9 2022/12/17 12:48:53 tb Exp $
+.\" $OpenBSD: X509_check_purpose.3,v 1.10 2023/04/30 14:49:47 tb Exp $
 .\"
 .\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 17 2022 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt X509_CHECK_PURPOSE 3
 .Os
 .Sh NAME
@@ -412,7 +412,6 @@ can be used as a CA for the
 .Xr EXTENDED_KEY_USAGE_new 3 ,
 .Xr X509_check_trust 3 ,
 .Xr X509_new 3 ,
-.Xr X509_policy_check 3 ,
 .Xr X509_PURPOSE_set 3 ,
 .Xr X509V3_get_d2i 3 ,
 .Xr x509v3.cnf 5
diff --git a/src/lib/libcrypto/man/X509_check_trust.3 b/src/lib/libcrypto/man/X509_check_trust.3
index be4489e946..0f02a1b1ef 100644
--- a/src/lib/libcrypto/man/X509_check_trust.3
+++ b/src/lib/libcrypto/man/X509_check_trust.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_trust.3,v 1.7 2022/12/26 07:18:52 jmc Exp $
+.\" $OpenBSD: X509_check_trust.3,v 1.8 2023/04/30 14:49:47 tb Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 26 2022 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt X509_CHECK_TRUST 3
 .Os
 .Sh NAME
@@ -238,7 +238,6 @@ was never called before.
 .Xr X509_CERT_AUX_new 3 ,
 .Xr X509_check_purpose 3 ,
 .Xr X509_new 3 ,
-.Xr X509_policy_check 3 ,
 .Xr X509_TRUST_set 3 ,
 .Xr X509_VERIFY_PARAM_set_trust 3
 .Sh HISTORY
diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3
index 4b85f67eb0..c38dfc00b1 100644
--- a/src/lib/libcrypto/man/X509_new.3
+++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_new.3,v 1.36 2021/11/18 10:09:24 schwarze Exp $
+.\" $OpenBSD: X509_new.3,v 1.37 2023/04/30 14:49:47 tb Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 18 2021 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt X509_NEW 3
 .Os
 .Sh NAME
@@ -229,8 +229,6 @@ if an error occurs.
 .Xr X509_NAME_new 3 ,
 .Xr X509_OBJECT_new 3 ,
 .Xr X509_PKEY_new 3 ,
-.Xr X509_policy_check 3 ,
-.Xr X509_policy_tree_level_count 3 ,
 .Xr X509_print_ex 3 ,
 .Xr X509_PUBKEY_new 3 ,
 .Xr X509_PURPOSE_set 3 ,
diff --git a/src/lib/libcrypto/man/X509_policy_check.3 b/src/lib/libcrypto/man/X509_policy_check.3
deleted file mode 100644
index 5ea774a3ef..0000000000
--- a/src/lib/libcrypto/man/X509_policy_check.3
+++ /dev/null
@@ -1,192 +0,0 @@
-.\" $OpenBSD: X509_policy_check.3,v 1.6 2021/11/11 12:06:25 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 11 2021 $
-.Dt X509_POLICY_CHECK 3
-.Os
-.Sh NAME
-.Nm X509_policy_check ,
-.Nm X509_policy_tree_free
-.Nd construct X.509 valid policy tree
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft int
-.Fo X509_policy_check
-.Fa "X509_POLICY_TREE **ptree"
-.Fa "int *pexplicit_policy"
-.Fa "STACK_OF(X509) *certs"
-.Fa "STACK_OF(ASN1_OBJECT) *policy_oids"
-.Fa "unsigned int flags"
-.Fc
-.Ft void
-.Fn X509_policy_tree_free "X509_POLICY_TREE *tree"
-.Sh DESCRIPTION
-.Fn X509_policy_check
-performs those parts of Basic Certification Path Validation
-described in RFC 5280 section 6.1 that are related to the
-construction of the valid policy tree.
-.Pp
-The
-.Fa certs
-input argument contains the prospective certification path
-according to RFC 5280 paragraph 6.1.1(a), starting with the
-target certificate and ending with the trust anchor.
-.Pp
-The
-.Fa policy_oids
-input argument contains the
-.Va user-initial-policy-set
-according to RFC 5280 section 6.1.1(c).
-It specifies a set of certificate policies acceptable to the certificate user.
-.Pp
-The
-.Fa flags
-argument can contain zero or more of the following constants, OR'ed together:
-.Bl -tag -width Ds
-.It Dv X509_V_FLAG_EXPLICIT_POLICY
-Set
-.Va initial-explicit-policy
-as defined by RFC 5280 paragraph 6.1.1(f).
-It requires the path to be valid for at least one of the
-.Fa policy_oids .
-.It Dv X509_V_FLAG_INHIBIT_ANY
-Set
-.Va initial-any-policy-inhibit
-as defined by RFC 5280 paragraph 6.1.1(g).
-It causes the
-.Sy anyPolicy
-OID to be skipped if it is encountered in a certificate.
-.It Dv X509_V_FLAG_INHIBIT_MAP
-Set
-.Va initial-policy-mapping-inhibit
-as defined by RFC 5280 paragraph 6.1.1(e).
-It disables policy mapping in the certification path.
-.El
-.Pp
-Upon success and in some cases of failure, the storage location pointed to by
-.Fa pexplicit_policy
-is set to 1 if
-.Dv X509_V_FLAG_EXPLICIT_POLICY
-was requested.
-Otherwise, it is set to 0.
-.Pp
-In many cases of success and in a few cases of failure, a pointer to the
-.Vt valid_policy_tree
-output value mentioned in RFC 5280 section 6.1.6 is returned in
-.Pf * Fa ptree .
-It contains one level for each of the
-.Fa certs ,
-in reverse order: level 0 corresponds to the trust anchor,
-the last level corresponds to the target certificate.
-Level 0 is initialized to contain a single node with a
-.Fa valid_policy
-of
-.Sy anyPolicy
-and an empty
-.Fa qualifier_set .
-.Pp
-If a policy tree is returned, the reference count of each of the
-.Fa certs
-is incremented by 1.
-In that case, the caller is responsible for calling
-.Fn X509_policy_tree_free
-to release all memory used by the
-.Fa tree
-and to decrement the reference counts
-of the certificates referenced from it by 1.
-If
-.Fa tree
-is a
-.Dv NULL
-pointer,
-.Fn X509_policy_tree_free
-has no effect.
-.Sh RETURN VALUES
-.Fn X509_policy_check
-returns these values:
-.Bl -tag -width 2n
-.It \-2
-Validation failed because
-.Dv X509_V_FLAG_EXPLICIT_POLICY
-was requested but the resulting policy tree
-or the resulting user policy set would have been empty.
-In this case,
-.Pf * Fa pexplicit_policy
-is set to 1.
-If the resulting tree is empty,
-.Pf * Fa ptree
-is set to
-.Dv NULL ;
-otherwise, it is set to the resulting tree.
-.It \-1
-At least one of the
-.Fa certs
-contains invalid or inconsistent extensions.
-.Pf * Fa ptree
-is set to
-.Dv NULL
-and
-.Pf * Fa pexplicit_policy
-to 0.
-.It 0
-Internal error.
-For example, setting up the policy caches failed, or memory allocation
-failed while constructing the tree.
-.Pf * Fa ptree
-is set to
-.Dv NULL
-and
-.Pf * Fa pexplicit_policy
-may or may not be set.
-.It 1
-Validation succeeded and
-.Pf * Fa ptree
-and
-.Pf * Fa pexplicit_policy
-have been set.
-In the special cases that the
-.Fa certs
-argument contains exactly one certificate or that
-.Dv X509_V_FLAG_EXPLICIT_POLICY
-was not requested and at least one of the certificates contains no
-certificate policies or the resulting policy tree would have been empty,
-.Pf * Fa ptree
-is set to
-.Dv NULL
-and
-.Pf * Fa pexplicit_policy
-to 0.
-.El
-.Sh SEE ALSO
-.Xr ASN1_OBJECT_new 3 ,
-.Xr OBJ_nid2obj 3 ,
-.Xr STACK_OF 3 ,
-.Xr X509_check_purpose 3 ,
-.Xr X509_check_trust 3 ,
-.Xr X509_new 3 ,
-.Xr X509_policy_tree_get0_policies 3 ,
-.Xr X509_policy_tree_level_count 3 ,
-.Xr X509_verify_cert 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate
-and Certificate Revocation List (CRL) Profile,
-section 6.1: Basic Path Validation
-.Sh HISTORY
-.Fn X509_policy_check
-and
-.Fn X509_policy_tree_free
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/X509_policy_tree_get0_policies.3 b/src/lib/libcrypto/man/X509_policy_tree_get0_policies.3
deleted file mode 100644
index cb0715d6cb..0000000000
--- a/src/lib/libcrypto/man/X509_policy_tree_get0_policies.3
+++ /dev/null
@@ -1,101 +0,0 @@
-.\" $OpenBSD: X509_policy_tree_get0_policies.3,v 1.1 2021/11/11 12:06:25 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 11 2021 $
-.Dt X509_POLICY_TREE_GET0_POLICIES 3
-.Os
-.Sh NAME
-.Nm X509_policy_tree_get0_policies ,
-.Nm X509_policy_tree_get0_user_policies
-.Nd retrieve arrays of policy tree nodes
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft STACK_OF(X509_POLICY_NODE) *
-.Fn X509_policy_tree_get0_policies "const X509_POLICY_TREE *tree"
-.Ft STACK_OF(X509_POLICY_NODE) *
-.Fn X509_policy_tree_get0_user_policies "const X509_POLICY_TREE *tree"
-.Sh DESCRIPTION
-The
-.Em authority set
-and the
-.Em user set
-are arrays of nodes from a policy
-.Fa tree .
-.Pp
-If the last level of a
-.Fa tree ,
-or equivalently, all levels of it, contain an
-.Sy anyPolicy
-node, the authority set contains
-only this anyPolicy node from the last level.
-Unless the array of
-.Fa policy_oids
-passed to
-.Xr X509_policy_check 3
-contained an anyPolicy object,
-the user set contains one node for each of the
-.Fa policy_oids ;
-specifically, the first matching node that is a child of an anyPolicy node.
-.Pp
-If the last level of the
-.Fa tree
-does not contain an
-.Sy anyPolicy
-node, the authority set contains
-all non-anyPolicy nodes that are children of anyPolicy nodes.
-For each element of the
-.Fa policy_oids ,
-the user set contains the first node from the authority set
-matching it, if any.
-.Pp
-These functions are intended to be called after
-.Xr X509_policy_check 3
-was called either directly or indirectly through
-.Xr X509_verify_cert 3 .
-.Sh RETURN VALUES
-.Fn X509_policy_tree_get0_policies
-returns an internal pointer to the authority set
-or
-.Dv NULL
-if the
-.Fa tree
-argument is
-.Dv NULL .
-.Pp
-.Fn X509_policy_tree_get0_user_policies
-returns an internal pointer to the user set or
-.Dv NULL
-if the
-.Fa tree
-argument is
-.Dv NULL
-or if the array of
-.Fa policy_oids
-passed to
-.Xr X509_policy_check 3
-was empty or contained an anyPolicy object.
-.Sh SEE ALSO
-.Xr STACK_OF 3 ,
-.Xr X509_policy_check 3 ,
-.Xr X509_policy_level_get0_node 3 ,
-.Xr X509_STORE_CTX_get0_policy_tree 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate
-and Certificate Revocation List (CRL) Profile,
-section 6.1: Basic Path Validation
-.Sh HISTORY
-These function first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/X509_policy_tree_level_count.3 b/src/lib/libcrypto/man/X509_policy_tree_level_count.3
deleted file mode 100644
index ff2036c40f..0000000000
--- a/src/lib/libcrypto/man/X509_policy_tree_level_count.3
+++ /dev/null
@@ -1,178 +0,0 @@
-.\" $OpenBSD: X509_policy_tree_level_count.3,v 1.5 2022/09/10 08:50:53 jsg Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 10 2022 $
-.Dt X509_POLICY_TREE_LEVEL_COUNT 3
-.Os
-.Sh NAME
-.Nm X509_policy_tree_level_count ,
-.Nm X509_policy_tree_get0_level ,
-.Nm X509_policy_level_node_count ,
-.Nm X509_policy_level_get0_node ,
-.Nm X509_policy_node_get0_policy ,
-.Nm X509_policy_node_get0_qualifiers ,
-.Nm X509_policy_node_get0_parent
-.Nd inspect X.509 policy tree objects
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft int
-.Fn X509_policy_tree_level_count "const X509_POLICY_TREE *tree"
-.Ft X509_POLICY_LEVEL *
-.Fn X509_policy_tree_get0_level "const X509_POLICY_TREE *tree" "int index"
-.Ft int
-.Fn X509_policy_level_node_count "X509_POLICY_LEVEL *level"
-.Ft X509_POLICY_NODE *
-.Fn X509_policy_level_get0_node "X509_POLICY_LEVEL *level" "int index"
-.Ft const ASN1_OBJECT *
-.Fn X509_policy_node_get0_policy "const X509_POLICY_NODE *node"
-.Ft STACK_OF(POLICYQUALINFO) *
-.Fn X509_policy_node_get0_qualifiers "const X509_POLICY_NODE *node"
-.Ft const X509_POLICY_NODE *
-.Fn X509_policy_node_get0_parent "const X509_POLICY_NODE *node"
-.Sh DESCRIPTION
-The
-.Vt X509_POLICY_TREE
-object represents a
-.Vt valid_policy_tree
-as described in RFC 5280 section 6.1.
-.Pp
-The
-.Vt X509_POLICY_LEVEL
-object represents one level of such a tree,
-corresponding to one certificate.
-.Pp
-The
-.Vt X509_POLICY_NODE
-object represents one node in the tree.
-.Sh RETURN VALUES
-.Fn X509_policy_tree_level_count
-returns the number of levels in the
-.Fa tree
-or 0 if the
-.Fa tree
-argument is
-.Dv NULL .
-If it is not 0, it equals the number of certificates in the
-certification path the tree was created from, including both
-the target certificate and the trust anchor.
-.Pp
-.Fn X509_policy_tree_get0_level
-returns an internal pointer to the level of the
-.Fa tree
-with the given
-.Fa index
-or
-.Dv NULL
-if the
-.Fa tree
-argument is
-.Dv NULL
-or the
-.Fa index
-is less than 0 or greater than or equal to the number of levels in the
-.Fa tree .
-An
-.Fa index
-of 0 corresponds to the trust anchor
-and the last level corresponds to the target certificate.
-.Pp
-.Fn X509_policy_level_node_count
-returns the number of nodes on the
-.Fa level ,
-including an
-.Sy anyPolicy
-node if it is present, or 0 if the
-.Fa level
-argument is
-.Dv NULL .
-.Pp
-.Fn X509_policy_level_get0_node
-returns an internal pointer to the node on the
-.Fa level
-with the given
-.Fa index
-or
-.Dv NULL
-if the
-.Fa level
-argument is
-.Dv NULL
-or the
-.Fa index
-is less than 0 or greater than or equal to the number of nodes on the level.
-If an
-.Sy anyPolicy
-node is present on the level, it can be retrieved by passing an
-.Fa index
-of 0.
-.Pp
-.Fn X509_policy_node_get0_policy
-returns an internal pointer to the
-.Fa valid_policy
-child object of the node or
-.Dv NULL
-if the
-.Fa node
-argument is
-.Dv NULL .
-It represents a single policy that is valid for the path
-from the trust anchor to the certificate corresponding
-to the level containing the
-.Fa node .
-.Pp
-.Fn X509_policy_node_get0_qualifiers
-returns an internal pointer to the
-.Fa qualifier_set
-child object of the node or
-.Dv NULL
-if the
-.Fa node
-argument is
-.Dv NULL .
-It contains the policy qualifiers associated with the
-.Fa valid_policy
-of the
-.Fa node
-in the certificate corresponding to the level containing the
-.Fa node .
-.Pp
-.Fn X509_policy_node_get0_parent
-returns
-.Dv NULL
-if the
-.Fa node
-argument is
-.Dv NULL
-or located on level 0.
-Otherwise, it returns an internal pointer to the parent node of the
-.Fa node
-argument.
-The parent node is always located on the previous level.
-.Sh SEE ALSO
-.Xr ASN1_OBJECT_new 3 ,
-.Xr OBJ_obj2txt 3 ,
-.Xr POLICYQUALINFO_new 3 ,
-.Xr STACK_OF 3 ,
-.Xr X509_new 3 ,
-.Xr X509_policy_check 3 ,
-.Xr X509_policy_tree_get0_policies 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate
-and Certificate Revocation List (CRL) Profile,
-section 6.1: Basic Path Validation
-.Sh HISTORY
-These function first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .