1 files changed, 208 insertions, 0 deletions
diff --git a/src/lib/libcrypto/man/X509_check_trust.3 b/src/lib/libcrypto/man/X509_check_trust.3
new file mode 100644
index 0000000000..4b625fdfd4
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_check_trust.3
@@ -0,0 +1,208 @@
+.\" $OpenBSD: X509_check_trust.3,v 1.1 2021/07/24 14:33:14 schwarze Exp $
+.\"
+.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: July 24 2021 $
+.Dt X509_CHECK_TRUST 3
+.Os
+.Sh NAME
+.Nm X509_check_trust
+.Nd check whether a certificate is trusted
+.Sh SYNOPSIS
+.In openssl/x509.h
+.Ft int
+.Fo X509_check_trust
+.Fa "X509 *certificate"
+.Fa "int trust"
+.Fa "int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn X509_check_trust
+checks whether the
+.Fa certificate
+is marked as trusted for the purpose corresponding to the requested
+.Fa trust
+identifier.
+.Pp
+The standard algorithm used by all built-in trust checking functions
+performs the following tests in the following order.
+The first matching test terminates the algorithm
+and decides the return value.
+.Bl -enum
+.It
+If
+.Xr X509_add1_reject_object 3
+was previously called on the
+.Fa certificate
+with the ASN.1 object identifier corresponding to the requested
+.Fa trust
+identifier,
+.Dv X509_TRUST_REJECTED
+is returned.
+.It
+If
+.Xr X509_add1_trust_object 3
+was previously called on the
+.Fa certificate
+with the ASN.1 object identifier corresponding to the requested
+.Fa trust
+identifier,
+.Dv X509_TRUST_TRUSTED
+is returned.
+.It
+If
+.Xr X509_add1_reject_object 3
+or
+.Xr X509_add1_trust_object 3
+were previously called on the
+.Fa certificate ,
+but neither of them
+with the ASN.1 object identifier corresponding to the requested
+.Fa trust
+identifier,
+.Dv X509_TRUST_UNTRUSTED
+is returned.
+.It
+This so-called
+.Dq compatibility
+step is skipped by some of the trust checking functions.
+If neither
+.Xr X509_add1_reject_object 3
+nor
+.Xr X509_add1_trust_object 3
+was previously called on the
+.Fa certificate
+and if the
+.Fa certificate
+is a self-signed,
+.Dv X509_TRUST_TRUSTED
+is returned.
+.It
+Otherwise,
+.Dv X509_TRUST_UNTRUSTED
+is returned.
+.El
+.Pp
+By default, the following
+.Fa trust
+identifiers are supported.
+The
+.Dq ASN.1 NID
+column indicates the correspondig ASN.1 object identifier;
+for the relationship between ASN.1 NIDs and OIDs, see the
+.Xr OBJ_nid2obj 3
+manual page.
+The
+.Qq compat
+column indicates whether the compatibility step in the standard algorithm
+detailed above is used or skipped.
+.Pp
+.Bl -column X509_TRUST_OCSP_REQUEST NID_anyExtendedKeyUsage compat -compact
+.It Fa trust No identifier     Ta Em ASN.1 NID               Ta Em compat
+.It Dv X509_TRUST_SSL_CLIENT   Ta Dv NID_client_auth         Ta use
+.It Dv X509_TRUST_SSL_SERVER   Ta Dv NID_server_auth         Ta use
+.It Dv X509_TRUST_EMAIL        Ta Dv NID_email_protect       Ta use
+.It Dv X509_TRUST_OBJECT_SIGN  Ta Dv NID_code_sign           Ta use
+.It Dv X509_TRUST_OCSP_SIGN    Ta Dv NID_OCSP_sign           Ta skip
+.It Dv X509_TRUST_OCSP_REQUEST Ta Dv NID_ad_OCSP             Ta skip
+.It Dv X509_TRUST_TSA          Ta Dv NID_time_stamp          Ta use
+.It Dv X509_TRUST_COMPAT       Ta none                       Ta only
+.It 0                          Ta Dv NID_anyExtendedKeyUsage Ta special
+.It \-1                        Ta none                       Ta trusted
+.It invalid                    Ta Fa trust No argument       Ta skip
+.El
+.Pp
+For the following
+.Fa trust
+identifiers, the standard algorithm is modified:
+.Bl -tag -width Ds
+.It Dv X509_TRUST_COMPAT
+.Xr X509_add1_reject_object 3
+and
+.Xr X509_add1_trust_object 3
+settings are completely ignored
+and all steps before the compatibility step are skippped.
+The
+.Fa certificate
+is trusted if and only if it is self-signed.
+.It 0
+The third step in the standard algorithm is skipped, and the
+compatibility step is used even if
+.Xr X509_add1_reject_object 3
+or
+.Xr X509_add1_trust_object 3
+were called with ASN.1 object identifiers not corresponding to
+.Dv NID_anyExtendedKeyUsage .
+.It \-1
+The
+.Fa certificate
+is not inspected and
+.Dv X509_TRUST_TRUSTED
+is always returned.
+.It invalid
+If the
+.Fa trust
+argument is neither 0 nor \-1 nor valid as a trust identifier,
+it is re-interpreted as an ASN.1 NID
+and used itself for the standard algorithm.
+The compatibility step is skipped in this case.
+.El
+.Pp
+The
+.Fa flags
+argument is ignored by all built-in trust checking functions,
+but user-specified trust checking functions might use it.
+.Pp
+If the function
+.Xr X509_TRUST_add 3
+was called before
+.Fn X509_check_trust ,
+it may have installed different, user-supplied checking functions
+for some of the standard
+.Fa trust
+identifiers listed above, or it may have installed additional,
+user-supplied checking functions for user-defined
+.Fa trust
+identifiers not listed above.
+.Sh RETURN VALUES
+.Fn X509_check_trust
+returns the following values:
+.Bl -tag -width Ds
+.It Dv X509_TRUST_TRUSTED
+The
+.Fa certificate
+is explicitly or implicitly trusted for the requested purpose.
+.It Dv X509_TRUST_REJECTED
+The
+.Fa certificate
+is explicitely rejected for the requested purpose.
+.It Dv X509_TRUST_UNTRUSTED
+The
+.Fa certificate
+is neither trusted nor explicitely rejected,
+which implies that it is not trusted.
+.El
+.Sh SEE ALSO
+.Xr PEM_read_X509_AUX 3 ,
+.Xr X509_add1_trust_object 3 ,
+.Xr X509_CERT_AUX_new 3 ,
+.Xr X509_check_purpose 3 ,
+.Xr X509_new 3 ,
+.Xr X509_TRUST_set 3 ,
+.Xr X509_VERIFY_PARAM_set_trust 3
+.Sh HISTORY
+.Fn X509_check_trust
+first appeared in OpenSSL 0.9.5 and has been available since
+.Ox 2.7 .

diff --git a/src/lib/libcrypto/man/X509_check_trust.3 b/src/lib/libcrypto/man/X509_check_trust.3 new file mode 100644 index 0000000000..4b625fdfd4 --- /dev/null +++ b/src/lib/libcrypto/man/X509_check_trust.3
@@ -0,0 +1,208 @@
	1	.\" $OpenBSD: X509_check_trust.3,v 1.1 2021/07/24 14:33:14 schwarze Exp $
	2	.\"
	3	.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
	4	.\"
	5	.\" Permission to use, copy, modify, and distribute this software for any
	6	.\" purpose with or without fee is hereby granted, provided that the above
	7	.\" copyright notice and this permission notice appear in all copies.
	8	.\"
	9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	.\"
	17	.Dd $Mdocdate: July 24 2021 $
	18	.Dt X509_CHECK_TRUST 3
	19	.Os
	20	.Sh NAME
	21	.Nm X509_check_trust
	22	.Nd check whether a certificate is trusted
	23	.Sh SYNOPSIS
	24	.In openssl/x509.h
	25	.Ft int
	26	.Fo X509_check_trust
	27	.Fa "X509 *certificate"
	28	.Fa "int trust"
	29	.Fa "int flags"
	30	.Fc
	31	.Sh DESCRIPTION
	32	.Fn X509_check_trust
	33	checks whether the
	34	.Fa certificate
	35	is marked as trusted for the purpose corresponding to the requested
	36	.Fa trust
	37	identifier.
	38	.Pp
	39	The standard algorithm used by all built-in trust checking functions
	40	performs the following tests in the following order.
	41	The first matching test terminates the algorithm
	42	and decides the return value.
	43	.Bl -enum
	44	.It
	45	If
	46	.Xr X509_add1_reject_object 3
	47	was previously called on the
	48	.Fa certificate
	49	with the ASN.1 object identifier corresponding to the requested
	50	.Fa trust
	51	identifier,
	52	.Dv X509_TRUST_REJECTED
	53	is returned.
	54	.It
	55	If
	56	.Xr X509_add1_trust_object 3
	57	was previously called on the
	58	.Fa certificate
	59	with the ASN.1 object identifier corresponding to the requested
	60	.Fa trust
	61	identifier,
	62	.Dv X509_TRUST_TRUSTED
	63	is returned.
	64	.It
	65	If
	66	.Xr X509_add1_reject_object 3
	67	or
	68	.Xr X509_add1_trust_object 3
	69	were previously called on the
	70	.Fa certificate ,
	71	but neither of them
	72	with the ASN.1 object identifier corresponding to the requested
	73	.Fa trust
	74	identifier,
	75	.Dv X509_TRUST_UNTRUSTED
	76	is returned.
	77	.It
	78	This so-called
	79	.Dq compatibility
	80	step is skipped by some of the trust checking functions.
	81	If neither
	82	.Xr X509_add1_reject_object 3
	83	nor
	84	.Xr X509_add1_trust_object 3
	85	was previously called on the
	86	.Fa certificate
	87	and if the
	88	.Fa certificate
	89	is a self-signed,
	90	.Dv X509_TRUST_TRUSTED
	91	is returned.
	92	.It
	93	Otherwise,
	94	.Dv X509_TRUST_UNTRUSTED
	95	is returned.
	96	.El
	97	.Pp
	98	By default, the following
	99	.Fa trust
	100	identifiers are supported.
	101	The
	102	.Dq ASN.1 NID
	103	column indicates the correspondig ASN.1 object identifier;
	104	for the relationship between ASN.1 NIDs and OIDs, see the
	105	.Xr OBJ_nid2obj 3
	106	manual page.
	107	The
	108	.Qq compat
	109	column indicates whether the compatibility step in the standard algorithm
	110	detailed above is used or skipped.
	111	.Pp
	112	.Bl -column X509_TRUST_OCSP_REQUEST NID_anyExtendedKeyUsage compat -compact
	113	.It Fa trust No identifier Ta Em ASN.1 NID Ta Em compat
	114	.It Dv X509_TRUST_SSL_CLIENT Ta Dv NID_client_auth Ta use
	115	.It Dv X509_TRUST_SSL_SERVER Ta Dv NID_server_auth Ta use
	116	.It Dv X509_TRUST_EMAIL Ta Dv NID_email_protect Ta use
	117	.It Dv X509_TRUST_OBJECT_SIGN Ta Dv NID_code_sign Ta use
	118	.It Dv X509_TRUST_OCSP_SIGN Ta Dv NID_OCSP_sign Ta skip
	119	.It Dv X509_TRUST_OCSP_REQUEST Ta Dv NID_ad_OCSP Ta skip
	120	.It Dv X509_TRUST_TSA Ta Dv NID_time_stamp Ta use
	121	.It Dv X509_TRUST_COMPAT Ta none Ta only
	122	.It 0 Ta Dv NID_anyExtendedKeyUsage Ta special
	123	.It \-1 Ta none Ta trusted
	124	.It invalid Ta Fa trust No argument Ta skip
	125	.El
	126	.Pp
	127	For the following
	128	.Fa trust
	129	identifiers, the standard algorithm is modified:
	130	.Bl -tag -width Ds
	131	.It Dv X509_TRUST_COMPAT
	132	.Xr X509_add1_reject_object 3
	133	and
	134	.Xr X509_add1_trust_object 3
	135	settings are completely ignored
	136	and all steps before the compatibility step are skippped.
	137	The
	138	.Fa certificate
	139	is trusted if and only if it is self-signed.
	140	.It 0
	141	The third step in the standard algorithm is skipped, and the
	142	compatibility step is used even if
	143	.Xr X509_add1_reject_object 3
	144	or
	145	.Xr X509_add1_trust_object 3
	146	were called with ASN.1 object identifiers not corresponding to
	147	.Dv NID_anyExtendedKeyUsage .
	148	.It \-1
	149	The
	150	.Fa certificate
	151	is not inspected and
	152	.Dv X509_TRUST_TRUSTED
	153	is always returned.
	154	.It invalid
	155	If the
	156	.Fa trust
	157	argument is neither 0 nor \-1 nor valid as a trust identifier,
	158	it is re-interpreted as an ASN.1 NID
	159	and used itself for the standard algorithm.
	160	The compatibility step is skipped in this case.
	161	.El
	162	.Pp
	163	The
	164	.Fa flags
	165	argument is ignored by all built-in trust checking functions,
	166	but user-specified trust checking functions might use it.
	167	.Pp
	168	If the function
	169	.Xr X509_TRUST_add 3
	170	was called before
	171	.Fn X509_check_trust ,
	172	it may have installed different, user-supplied checking functions
	173	for some of the standard
	174	.Fa trust
	175	identifiers listed above, or it may have installed additional,
	176	user-supplied checking functions for user-defined
	177	.Fa trust
	178	identifiers not listed above.
	179	.Sh RETURN VALUES
	180	.Fn X509_check_trust
	181	returns the following values:
	182	.Bl -tag -width Ds
	183	.It Dv X509_TRUST_TRUSTED
	184	The
	185	.Fa certificate
	186	is explicitly or implicitly trusted for the requested purpose.
	187	.It Dv X509_TRUST_REJECTED
	188	The
	189	.Fa certificate
	190	is explicitely rejected for the requested purpose.
	191	.It Dv X509_TRUST_UNTRUSTED
	192	The
	193	.Fa certificate
	194	is neither trusted nor explicitely rejected,
	195	which implies that it is not trusted.
	196	.El
	197	.Sh SEE ALSO
	198	.Xr PEM_read_X509_AUX 3 ,
	199	.Xr X509_add1_trust_object 3 ,
	200	.Xr X509_CERT_AUX_new 3 ,
	201	.Xr X509_check_purpose 3 ,
	202	.Xr X509_new 3 ,
	203	.Xr X509_TRUST_set 3 ,
	204	.Xr X509_VERIFY_PARAM_set_trust 3
	205	.Sh HISTORY
	206	.Fn X509_check_trust
	207	first appeared in OpenSSL 0.9.5 and has been available since
	208	.Ox 2.7 .