1 files changed, 155 insertions, 0 deletions
diff --git a/src/lib/libcrypto/man/X509V3_EXT_print.3 b/src/lib/libcrypto/man/X509V3_EXT_print.3
new file mode 100644
index 0000000000..d9063e4881
--- /dev/null
+++ b/src/lib/libcrypto/man/X509V3_EXT_print.3
@@ -0,0 +1,155 @@
+.\" $OpenBSD: X509V3_EXT_print.3,v 1.1 2021/07/12 11:47:01 schwarze Exp $
+.\"
+.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: July 12 2021 $
+.Dt X509V3_EXT_PRINT 3
+.Os
+.Sh NAME
+.Nm X509V3_EXT_print
+.Nd pretty-print an X.509 extension
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft int
+.Fo X509V3_EXT_print
+.Fa "BIO *bio"
+.Fa "X509_EXTENSION *ext"
+.Fa "unsigned long flags"
+.Fa "int indent"
+.Fc
+.Sh DESCRIPTION
+.Fn X509V3_EXT_print
+decodes
+.Fa ext
+and prints the data contained in it to
+.Fa bio
+in a human-readable format with a left margin of
+.Fa indent
+space characters.
+The details of both the decoding and the printing depend on the type of
+.Fa ext .
+.Pp
+For most extension types, the decoding is done in the same way
+as it would be done by the appropriate public API function, for example:
+.Pp
+.Bl -tag -width NID_authority_key_identifier -compact
+.It Sy extension type
+.Sy decoding function
+.It Dv NID_subject_key_identifier
+.Xr d2i_ASN1_OCTET_STRING 3
+.It Dv NID_key_usage
+.Xr d2i_ASN1_BIT_STRING 3
+.It Dv NID_crl_number
+.Xr d2i_ASN1_INTEGER 3
+.It Dv NID_crl_reason
+.Xr d2i_ASN1_ENUMERATED 3
+.It Dv NID_invalidity_date
+.Xr d2i_ASN1_GENERALIZEDTIME 3
+.It Dv NID_subject_alt_name
+.Xr d2i_GENERAL_NAMES 3
+.It Dv NID_hold_instruction_code
+.Xr d2i_ASN1_OBJECT 3
+.It Dv NID_id_pkix_OCSP_noCheck
+.Xr d2i_ASN1_NULL 3
+.It Dv NID_authority_key_identifier
+.Xr d2i_AUTHORITY_KEYID 3
+.It Dv NID_certificate_policies
+.Xr d2i_CERTIFICATEPOLICIES 3
+.It Dv NID_id_pkix_OCSP_CrlID
+.Xr d2i_OCSP_CRLID 3
+.It Dv NID_id_pkix_OCSP_Nonce
+non-public function built into the library
+.El
+.Pp
+For some types, the printing is performed
+by a dedicated non-public function built into the library.
+For some other types, the printing function is a public API function,
+but none of these printing functions are documented yet.
+.Pp
+If
+.Fa ext
+is of an unknown extension type or if decoding fails
+while using the decoding function for the relevant type,
+the action taken depends on the
+.Fa flags
+argument:
+.Bl -bullet
+.It
+If the bit
+.Dv X509V3_EXT_PARSE_UNKNOWN
+is set,
+.Xr ASN1_parse_dump 3
+is called on the BER-encoded data of the extension, passing \-1 for the
+.Fa dump
+argument.
+Thus, some information about the encoding of the extension gets printed
+and some about its decoded content, falling back to
+.Xr BIO_dump_indent 3
+for the decoded content unless a dedicated printing method is known
+for the respective data type(s).
+Note that even if an extension type is unknown, the data type used
+by the unknown extension, or, if that data type is constructed, of
+the values contained in it, may still be known, which may allow
+printing the content of even an unknown extension in a structured
+or partially structured form.
+.It
+If the bit
+.Dv X509V3_EXT_DUMP_UNKNOWN
+is set,
+.Xr BIO_dump_indent 3
+is called on the BER-encoded data of the extension without decoding
+it first, which is usually less readable than the above but poses
+a smaller risk of omitting or misrepresenting parts of the information.
+.It
+If the bit
+.Dv X509V3_EXT_ERROR_UNKNOWN
+is set, only the fixed string
+.Qq "<Not Supported>"
+is printed for an unknown type or only the fixed string
+.Qq "<Parse Error>"
+if the parsing functions fails,
+but printing is considered as successful anyway.
+.It
+If more than one of these three bits is set, or if a bit in
+.Dv X509V3_EXT_UNKNOWN_MASK
+is set that is not listed above, nothing is printed, but printing
+is considered as successful anyway.
+.It
+If none of the bits in
+.Dv X509V3_EXT_UNKNOWN_MASK
+are set, nothing is printed and printing is considered as failed.
+.El
+.Sh RETURN VALUES
+.Fn X509V3_EXT_print
+returns 0 if failure was both detected and considered relevant.
+Otherwise, 1 is returned, and in general the user cannot tell whether
+failure simply went undetected, whether the function detected failure
+but regarded it as irrelevant, or whether printing did indeed
+succeed.
+.Sh SEE ALSO
+.Xr BIO_new 3 ,
+.Xr X509_EXTENSION_new 3 ,
+.Xr X509_get0_extensions 3 ,
+.Xr X509_get_ext 3
+.Sh HISTORY
+.Fn X509V3_EXT_print
+first appeared in OpenSSL 0.9.2 and has been available since
+.Ox 2.6 .
+.Sh BUGS
+.Fn X509V3_EXT_print
+lacks error handling throughout.
+When a write operation fails, it will usually ignore the fact that
+information was omitted from the output and report success to the
+caller anyway.

diff --git a/src/lib/libcrypto/man/X509V3_EXT_print.3 b/src/lib/libcrypto/man/X509V3_EXT_print.3 new file mode 100644 index 0000000000..d9063e4881 --- /dev/null +++ b/src/lib/libcrypto/man/X509V3_EXT_print.3
@@ -0,0 +1,155 @@
	1	.\" $OpenBSD: X509V3_EXT_print.3,v 1.1 2021/07/12 11:47:01 schwarze Exp $
	2	.\"
	3	.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
	4	.\"
	5	.\" Permission to use, copy, modify, and distribute this software for any
	6	.\" purpose with or without fee is hereby granted, provided that the above
	7	.\" copyright notice and this permission notice appear in all copies.
	8	.\"
	9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	.\"
	17	.Dd $Mdocdate: July 12 2021 $
	18	.Dt X509V3_EXT_PRINT 3
	19	.Os
	20	.Sh NAME
	21	.Nm X509V3_EXT_print
	22	.Nd pretty-print an X.509 extension
	23	.Sh SYNOPSIS
	24	.In openssl/x509v3.h
	25	.Ft int
	26	.Fo X509V3_EXT_print
	27	.Fa "BIO *bio"
	28	.Fa "X509_EXTENSION *ext"
	29	.Fa "unsigned long flags"
	30	.Fa "int indent"
	31	.Fc
	32	.Sh DESCRIPTION
	33	.Fn X509V3_EXT_print
	34	decodes
	35	.Fa ext
	36	and prints the data contained in it to
	37	.Fa bio
	38	in a human-readable format with a left margin of
	39	.Fa indent
	40	space characters.
	41	The details of both the decoding and the printing depend on the type of
	42	.Fa ext .
	43	.Pp
	44	For most extension types, the decoding is done in the same way
	45	as it would be done by the appropriate public API function, for example:
	46	.Pp
	47	.Bl -tag -width NID_authority_key_identifier -compact
	48	.It Sy extension type
	49	.Sy decoding function
	50	.It Dv NID_subject_key_identifier
	51	.Xr d2i_ASN1_OCTET_STRING 3
	52	.It Dv NID_key_usage
	53	.Xr d2i_ASN1_BIT_STRING 3
	54	.It Dv NID_crl_number
	55	.Xr d2i_ASN1_INTEGER 3
	56	.It Dv NID_crl_reason
	57	.Xr d2i_ASN1_ENUMERATED 3
	58	.It Dv NID_invalidity_date
	59	.Xr d2i_ASN1_GENERALIZEDTIME 3
	60	.It Dv NID_subject_alt_name
	61	.Xr d2i_GENERAL_NAMES 3
	62	.It Dv NID_hold_instruction_code
	63	.Xr d2i_ASN1_OBJECT 3
	64	.It Dv NID_id_pkix_OCSP_noCheck
	65	.Xr d2i_ASN1_NULL 3
	66	.It Dv NID_authority_key_identifier
	67	.Xr d2i_AUTHORITY_KEYID 3
	68	.It Dv NID_certificate_policies
	69	.Xr d2i_CERTIFICATEPOLICIES 3
	70	.It Dv NID_id_pkix_OCSP_CrlID
	71	.Xr d2i_OCSP_CRLID 3
	72	.It Dv NID_id_pkix_OCSP_Nonce
	73	non-public function built into the library
	74	.El
	75	.Pp
	76	For some types, the printing is performed
	77	by a dedicated non-public function built into the library.
	78	For some other types, the printing function is a public API function,
	79	but none of these printing functions are documented yet.
	80	.Pp
	81	If
	82	.Fa ext
	83	is of an unknown extension type or if decoding fails
	84	while using the decoding function for the relevant type,
	85	the action taken depends on the
	86	.Fa flags
	87	argument:
	88	.Bl -bullet
	89	.It
	90	If the bit
	91	.Dv X509V3_EXT_PARSE_UNKNOWN
	92	is set,
	93	.Xr ASN1_parse_dump 3
	94	is called on the BER-encoded data of the extension, passing \-1 for the
	95	.Fa dump
	96	argument.
	97	Thus, some information about the encoding of the extension gets printed
	98	and some about its decoded content, falling back to
	99	.Xr BIO_dump_indent 3
	100	for the decoded content unless a dedicated printing method is known
	101	for the respective data type(s).
	102	Note that even if an extension type is unknown, the data type used
	103	by the unknown extension, or, if that data type is constructed, of
	104	the values contained in it, may still be known, which may allow
	105	printing the content of even an unknown extension in a structured
	106	or partially structured form.
	107	.It
	108	If the bit
	109	.Dv X509V3_EXT_DUMP_UNKNOWN
	110	is set,
	111	.Xr BIO_dump_indent 3
	112	is called on the BER-encoded data of the extension without decoding
	113	it first, which is usually less readable than the above but poses
	114	a smaller risk of omitting or misrepresenting parts of the information.
	115	.It
	116	If the bit
	117	.Dv X509V3_EXT_ERROR_UNKNOWN
	118	is set, only the fixed string
	119	.Qq "<Not Supported>"
	120	is printed for an unknown type or only the fixed string
	121	.Qq "<Parse Error>"
	122	if the parsing functions fails,
	123	but printing is considered as successful anyway.
	124	.It
	125	If more than one of these three bits is set, or if a bit in
	126	.Dv X509V3_EXT_UNKNOWN_MASK
	127	is set that is not listed above, nothing is printed, but printing
	128	is considered as successful anyway.
	129	.It
	130	If none of the bits in
	131	.Dv X509V3_EXT_UNKNOWN_MASK
	132	are set, nothing is printed and printing is considered as failed.
	133	.El
	134	.Sh RETURN VALUES
	135	.Fn X509V3_EXT_print
	136	returns 0 if failure was both detected and considered relevant.
	137	Otherwise, 1 is returned, and in general the user cannot tell whether
	138	failure simply went undetected, whether the function detected failure
	139	but regarded it as irrelevant, or whether printing did indeed
	140	succeed.
	141	.Sh SEE ALSO
	142	.Xr BIO_new 3 ,
	143	.Xr X509_EXTENSION_new 3 ,
	144	.Xr X509_get0_extensions 3 ,
	145	.Xr X509_get_ext 3
	146	.Sh HISTORY
	147	.Fn X509V3_EXT_print
	148	first appeared in OpenSSL 0.9.2 and has been available since
	149	.Ox 2.6 .
	150	.Sh BUGS
	151	.Fn X509V3_EXT_print
	152	lacks error handling throughout.
	153	When a write operation fails, it will usually ignore the fact that
	154	information was omitted from the output and report success to the
	155	caller anyway.