1 files changed, 173 insertions, 0 deletions
diff --git a/src/lib/libcrypto/man/PEM_X509_INFO_read_bio.3 b/src/lib/libcrypto/man/PEM_X509_INFO_read_bio.3
new file mode 100644
index 0000000000..7d34951df0
--- /dev/null
+++ b/src/lib/libcrypto/man/PEM_X509_INFO_read_bio.3
@@ -0,0 +1,173 @@
+.\" $OpenBSD: PEM_X509_INFO_read_bio.3,v 1.1 2025/07/17 10:31:50 schwarze Exp $
+.\"
+.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: July 17 2025 $
+.Dt PEM_X509_INFO_READ_BIO 3
+.Os
+.Sh NAME
+.Nm PEM_X509_INFO_read_bio
+.Nd PEM and DER decode X.509 certificates, private keys, and revocation lists
+.Sh SYNOPSIS
+.Lb libcrypto
+.In openssl/pem.h
+.Ft STACK_OF(X509_INFO) *
+.Fo PEM_X509_INFO_read_bio
+.Fa "BIO *in_bp"
+.Fa "STACK_OF(X509_INFO) *sk"
+.Fa "pem_password_cb *cb"
+.Fa "void *u"
+.Fc
+.Sh DESCRIPTION
+This function reads zero or more objects
+related to X.509 certificates from
+.Fa in_bp ,
+performs both PEM and DER decoding,
+and wraps the resulting objects in newly allocated
+.Vt X509_INFO
+containers.
+.Pp
+Setting
+.Fa sk
+to
+.Dv NULL
+is recommended, in which case
+a new stack is allocated, populated, and returned.
+If an existing
+.Fa sk
+is passed in, the created
+.Vt X509_INFO
+objects are pushed onto that stack.
+.Pp
+For PEM decoding,
+.Xr PEM_read_bio 3
+is used internally, implying that any non-PEM data
+before, between, and after the objects is silently discarded.
+.Pp
+For subsequent DER decoding,
+the decoding function and the field of the
+.Vt X509_INFO
+structure to store the new object in
+are selected according to the PEM type name:
+.Bl -column "TRUSTED CERTIFICATE" "d2i_PrivateKey()" "revocation list"
+.It PEM type name       Ta decoder             Ta Vt X509_INFO No field
+.It CERTIFICATE         Ta Xr d2i_X509 3       Ta certificate
+.It X509 CERTIFICATE    Ta Xr d2i_X509 3       Ta certificate
+.It TRUSTED CERTIFICATE Ta Xr d2i_X509_AUX 3   Ta certificate
+.It X509 CRL            Ta Xr d2i_X509_CRL 3   Ta revocation list
+.It RSA PRIVATE KEY     Ta Xr d2i_PrivateKey 3 Ta private key
+.It DSA PRIVATE KEY     Ta Xr d2i_PrivateKey 3 Ta private key
+.It EC PRIVATE KEY      Ta Xr d2i_PrivateKey 3 Ta private key
+.El
+.Pp
+Whenever the selected field is already occupied, another new
+.Vt X509_INFO
+container is allocated and pushed onto the stack.
+Depending on the sequence of objects in the input, this can result
+in several partially populated
+.Vt X509_INFO
+containers being pushed onto the stack.
+.Pp
+PEM objects of types not listed in the above table are silently skipped.
+.Pp
+Encrypted certificates and revocation lists are decrypted by calling
+.Xr PEM_do_header 3
+internally, passing through the optional arguments
+.Fa cb
+and
+.Fa u .
+Encrypted private keys are not decrypted.
+Instead, the encrypted form is stored as read.
+All the same,
+.Xr PEM_get_EVP_CIPHER_INFO 3
+is called internally to check that PEM headers, if there are any,
+are valid and specify an encryption the library is prepared to handle.
+.Pp
+If any error occurs, objects that had already been read
+during the same call are deleted again and
+.Fa sk
+is left unchanged.
+.Sh RETURN VALUES
+This function returns a pointer to the stack
+the objects read were pushed onto or
+.Dv NULL
+if an error occurs.
+It fails if
+.Xr PEM_read_bio 3 ,
+.Xr PEM_get_EVP_CIPHER_INFO 3 ,
+.Xr PEM_do_header 3 ,
+or DER decoding fails or if memory is exhausted.
+.Sh ERRORS
+Diagnostics that can be retrieved with
+.Xr ERR_get_error 3 ,
+.Xr ERR_GET_REASON 3 ,
+and
+.Xr ERR_reason_error_string 3
+include:
+.Bl -tag -width Ds
+.It Dv ERR_R_ASN1_LIB Qq "ASN1 lib"
+DER decoding of a PEM object failed.
+.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
+.Fn PEM_X509_INFO_read_bio
+failed to allocate a new
+.Vt X509_INFO ,
+.Vt STACK_OF(X509_INFO) ,
+or
+.Vt X509_PKEY
+object.
+.El
+.Pp
+Additional types of errors can result from
+.Xr PEM_read_bio 3 ,
+.Xr PEM_get_EVP_CIPHER_INFO 3 ,
+and
+.Xr PEM_do_header 3 .
+.Pp
+After this function failed due to memory exhaustion,
+.Xr ERR_get_error 3
+may sometimes return 0 anyway.
+.Sh SEE ALSO
+.Xr BIO_new 3 ,
+.Xr d2i_PrivateKey 3 ,
+.Xr d2i_X509 3 ,
+.Xr d2i_X509_CRL 3 ,
+.Xr EVP_PKEY_new 3 ,
+.Xr PEM_read 3 ,
+.Xr PEM_read_bio_PrivateKey 3 ,
+.Xr STACK_OF 3 ,
+.Xr X509_CRL_new 3 ,
+.Xr X509_INFO_new 3 ,
+.Xr X509_LOOKUP_new 3 ,
+.Xr X509_new 3
+.Sh HISTORY
+.Fn PEM_X509_INFO_read_bio
+first appeared in SSLeay 0.6.0 and has been available since
+.Ox 2.4 .
+.Sh CAVEATS
+It is not an error
+if the input does not contain any objects of the desired types.
+In that case, nothing is added to
+.Fa sk ,
+or if
+.Fa sk
+is
+.Dv NULL ,
+a newly allocated, empty stack is returned.
+The only way to detect this situation is by comparing
+the number of objects on the stack before and after the call.
+.Sh BUGS
+When reaching the end of the input, this function calls
+.Xr ERR_clear_error 3 ,
+which may hide errors that occurred before calling it.

diff --git a/src/lib/libcrypto/man/PEM_X509_INFO_read_bio.3 b/src/lib/libcrypto/man/PEM_X509_INFO_read_bio.3 new file mode 100644 index 0000000000..7d34951df0 --- /dev/null +++ b/src/lib/libcrypto/man/PEM_X509_INFO_read_bio.3
@@ -0,0 +1,173 @@
	1	.\" $OpenBSD: PEM_X509_INFO_read_bio.3,v 1.1 2025/07/17 10:31:50 schwarze Exp $
	2	.\"
	3	.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
	4	.\"
	5	.\" Permission to use, copy, modify, and distribute this software for any
	6	.\" purpose with or without fee is hereby granted, provided that the above
	7	.\" copyright notice and this permission notice appear in all copies.
	8	.\"
	9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	.\"
	17	.Dd $Mdocdate: July 17 2025 $
	18	.Dt PEM_X509_INFO_READ_BIO 3
	19	.Os
	20	.Sh NAME
	21	.Nm PEM_X509_INFO_read_bio
	22	.Nd PEM and DER decode X.509 certificates, private keys, and revocation lists
	23	.Sh SYNOPSIS
	24	.Lb libcrypto
	25	.In openssl/pem.h
	26	.Ft STACK_OF(X509_INFO) *
	27	.Fo PEM_X509_INFO_read_bio
	28	.Fa "BIO *in_bp"
	29	.Fa "STACK_OF(X509_INFO) *sk"
	30	.Fa "pem_password_cb *cb"
	31	.Fa "void *u"
	32	.Fc
	33	.Sh DESCRIPTION
	34	This function reads zero or more objects
	35	related to X.509 certificates from
	36	.Fa in_bp ,
	37	performs both PEM and DER decoding,
	38	and wraps the resulting objects in newly allocated
	39	.Vt X509_INFO
	40	containers.
	41	.Pp
	42	Setting
	43	.Fa sk
	44	to
	45	.Dv NULL
	46	is recommended, in which case
	47	a new stack is allocated, populated, and returned.
	48	If an existing
	49	.Fa sk
	50	is passed in, the created
	51	.Vt X509_INFO
	52	objects are pushed onto that stack.
	53	.Pp
	54	For PEM decoding,
	55	.Xr PEM_read_bio 3
	56	is used internally, implying that any non-PEM data
	57	before, between, and after the objects is silently discarded.
	58	.Pp
	59	For subsequent DER decoding,
	60	the decoding function and the field of the
	61	.Vt X509_INFO
	62	structure to store the new object in
	63	are selected according to the PEM type name:
	64	.Bl -column "TRUSTED CERTIFICATE" "d2i_PrivateKey()" "revocation list"
	65	.It PEM type name Ta decoder Ta Vt X509_INFO No field
	66	.It CERTIFICATE Ta Xr d2i_X509 3 Ta certificate
	67	.It X509 CERTIFICATE Ta Xr d2i_X509 3 Ta certificate
	68	.It TRUSTED CERTIFICATE Ta Xr d2i_X509_AUX 3 Ta certificate
	69	.It X509 CRL Ta Xr d2i_X509_CRL 3 Ta revocation list
	70	.It RSA PRIVATE KEY Ta Xr d2i_PrivateKey 3 Ta private key
	71	.It DSA PRIVATE KEY Ta Xr d2i_PrivateKey 3 Ta private key
	72	.It EC PRIVATE KEY Ta Xr d2i_PrivateKey 3 Ta private key
	73	.El
	74	.Pp
	75	Whenever the selected field is already occupied, another new
	76	.Vt X509_INFO
	77	container is allocated and pushed onto the stack.
	78	Depending on the sequence of objects in the input, this can result
	79	in several partially populated
	80	.Vt X509_INFO
	81	containers being pushed onto the stack.
	82	.Pp
	83	PEM objects of types not listed in the above table are silently skipped.
	84	.Pp
	85	Encrypted certificates and revocation lists are decrypted by calling
	86	.Xr PEM_do_header 3
	87	internally, passing through the optional arguments
	88	.Fa cb
	89	and
	90	.Fa u .
	91	Encrypted private keys are not decrypted.
	92	Instead, the encrypted form is stored as read.
	93	All the same,
	94	.Xr PEM_get_EVP_CIPHER_INFO 3
	95	is called internally to check that PEM headers, if there are any,
	96	are valid and specify an encryption the library is prepared to handle.
	97	.Pp
	98	If any error occurs, objects that had already been read
	99	during the same call are deleted again and
	100	.Fa sk
	101	is left unchanged.
	102	.Sh RETURN VALUES
	103	This function returns a pointer to the stack
	104	the objects read were pushed onto or
	105	.Dv NULL
	106	if an error occurs.
	107	It fails if
	108	.Xr PEM_read_bio 3 ,
	109	.Xr PEM_get_EVP_CIPHER_INFO 3 ,
	110	.Xr PEM_do_header 3 ,
	111	or DER decoding fails or if memory is exhausted.
	112	.Sh ERRORS
	113	Diagnostics that can be retrieved with
	114	.Xr ERR_get_error 3 ,
	115	.Xr ERR_GET_REASON 3 ,
	116	and
	117	.Xr ERR_reason_error_string 3
	118	include:
	119	.Bl -tag -width Ds
	120	.It Dv ERR_R_ASN1_LIB Qq "ASN1 lib"
	121	DER decoding of a PEM object failed.
	122	.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
	123	.Fn PEM_X509_INFO_read_bio
	124	failed to allocate a new
	125	.Vt X509_INFO ,
	126	.Vt STACK_OF(X509_INFO) ,
	127	or
	128	.Vt X509_PKEY
	129	object.
	130	.El
	131	.Pp
	132	Additional types of errors can result from
	133	.Xr PEM_read_bio 3 ,
	134	.Xr PEM_get_EVP_CIPHER_INFO 3 ,
	135	and
	136	.Xr PEM_do_header 3 .
	137	.Pp
	138	After this function failed due to memory exhaustion,
	139	.Xr ERR_get_error 3
	140	may sometimes return 0 anyway.
	141	.Sh SEE ALSO
	142	.Xr BIO_new 3 ,
	143	.Xr d2i_PrivateKey 3 ,
	144	.Xr d2i_X509 3 ,
	145	.Xr d2i_X509_CRL 3 ,
	146	.Xr EVP_PKEY_new 3 ,
	147	.Xr PEM_read 3 ,
	148	.Xr PEM_read_bio_PrivateKey 3 ,
	149	.Xr STACK_OF 3 ,
	150	.Xr X509_CRL_new 3 ,
	151	.Xr X509_INFO_new 3 ,
	152	.Xr X509_LOOKUP_new 3 ,
	153	.Xr X509_new 3
	154	.Sh HISTORY
	155	.Fn PEM_X509_INFO_read_bio
	156	first appeared in SSLeay 0.6.0 and has been available since
	157	.Ox 2.4 .
	158	.Sh CAVEATS
	159	It is not an error
	160	if the input does not contain any objects of the desired types.
	161	In that case, nothing is added to
	162	.Fa sk ,
	163	or if
	164	.Fa sk
	165	is
	166	.Dv NULL ,
	167	a newly allocated, empty stack is returned.
	168	The only way to detect this situation is by comparing
	169	the number of objects on the stack before and after the call.
	170	.Sh BUGS
	171	When reaching the end of the input, this function calls
	172	.Xr ERR_clear_error 3 ,
	173	which may hide errors that occurred before calling it.