1 files changed, 183 insertions, 0 deletions
diff --git a/src/lib/libcrypto/man/X509_policy_check.3 b/src/lib/libcrypto/man/X509_policy_check.3
new file mode 100644
index 0000000000..f245099228
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_policy_check.3
@@ -0,0 +1,183 @@
+.\" $OpenBSD: X509_policy_check.3,v 1.1 2021/07/27 13:27:46 schwarze Exp $
+.\"
+.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: July 27 2021 $
+.Dt X509_POLICY_CHECK 3
+.Os
+.Sh NAME
+.Nm X509_policy_check
+.Nd construct X.509 valid policy tree
+.Sh SYNOPSIS
+.In openssl/x509_vfy.h
+.Ft int
+.Fo X509_policy_check
+.Fa "X509_POLICY_TREE **ptree"
+.Fa "int *pexplicit_policy"
+.Fa "STACK_OF(X509) *certs"
+.Fa "STACK_OF(ASN1_OBJECT) *policy_oids"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn X509_policy_check
+performs those parts of Basic Certification Path Validation
+described in RFC 5280 section 6.1 that are related to the
+construction of the valid policy tree.
+.Pp
+The
+.Fa certs
+input argument contains the prospective certification path
+according to RFC 5280 paragraph 6.1.1(a), starting with the
+target certificate and ending with the trust anchor.
+If a policy tree is returned, the reference count of each of the
+.Fa certs
+is incremented by 1.
+.Pp
+The
+.Fa policy_oids
+input argument contains the
+.Va user-initial-policy-set
+according to RFC 5280 section 6.1.1(c).
+.Pp
+The
+.Fa flags
+argument can contain zero or more of the following constants, OR'ed together:
+.Bl -tag -width Ds
+.It Dv X509_V_FLAG_EXPLICIT_POLICY
+Set
+.Va initial-explicit-policy
+as defined by RFC 5280 paragraph 6.1.1(f).
+It requires the path to be valid for at least one of the
+.Fa policy_oids .
+.It Dv X509_V_FLAG_INHIBIT_ANY
+Set
+.Va initial-any-policy-inhibit
+as defined by RFC 5280 paragraph 6.1.1(g).
+It causes the
+.Sy anyPolicy
+OID to be skipped if it is encountered in a certificate.
+.It Dv X509_V_FLAG_INHIBIT_MAP
+Set
+.Va initial-policy-mapping-inhibit
+as defined by RFC 5280 paragraph 6.1.1(e).
+It disables policy mapping in the certification path.
+.El
+.Pp
+Upon success, a pointer to the
+.Vt valid_policy_tree
+output value mentioned in RFC 5280 section 6.1.6 is returned in
+.Pf * Fa ptree .
+It contains one level for each of the
+.Fa certs ,
+in reverse order: level 0 corresponds to the trust anchor,
+the last level corresponds to the target certificate.
+Level 0 is initialized to contain a single node with a
+.Fa valid_policy
+of
+.Sy anyPolicy ,
+an empty
+.Fa qualifier_set ,
+and an
+.Fa expected_policy_set
+containing only
+.Sy anyPolicy .
+.Pp
+The storage location pointed to by
+.Fa pexplicit_policy
+is set as specified in RFC 5280 paragraphs 6.1.2(d), 6.1.4(h), 6.1.4(i),
+6.1.5(a), and 6.1.5(b).
+In case of failure, it may or may not get set, representing a partial result.
+.Sh RETURN VALUES
+.Fn X509_policy_check
+returns these values:
+.Bl -tag -width 2n
+.It \-2
+Validation failed because
+.Dv X509_V_FLAG_EXPLICIT_POLICY
+was requested but the resulting policy tree
+or the resulting user policy set would have been empty.
+In this case,
+.Pf * Fa pexplicit_policy
+is set to 1.
+If the resulting tree is empty,
+.Pf * Fa ptree
+is set to
+.Dv NULL ;
+otherwise, it is set to the resulting tree.
+.It \-1
+At least one of the
+.Fa certs
+contains invalid or inconsistent extensions.
+.Pf * Fa ptree
+is set to
+.Dv NULL
+and
+.Pf * Fa pexplicit_policy
+to 0.
+.It 0
+Internal error.
+For example, setting up the policy caches failed, or memory allocation
+failed while constructing the tree.
+.Pf * Fa ptree
+is set to
+.Dv NULL
+and
+.Pf * Fa pexplicit_policy
+may be set to 0 or to a partial result.
+.It 1
+Validation succeeded and
+.Pf * Fa ptree
+and
+.Pf * Fa pexplicit_policy
+have been set.
+In the special cases that the
+.Fa certs
+argument contains exactly one certificate or that
+.Dv X509_V_FLAG_EXPLICIT_POLICY
+was not requested and the resulting policy tree would have been empty,
+.Pf * Fa ptree
+is set to
+.Dv NULL
+and
+.Pf * Fa pexplicit_policy
+to 0.
+.It 2
+.Dv X509_V_FLAG_EXPLICIT_POLICY
+was not requested and at least one of the certificates contains no
+certificate policies.
+.Pf * Fa ptree
+is set to
+.Dv NULL
+and
+.Pf * Fa pexplicit_policy
+to 0.
+.El
+.Sh SEE ALSO
+.Xr ASN1_OBJECT_new 3 ,
+.Xr OBJ_nid2obj 3 ,
+.Xr STACK_OF 3 ,
+.Xr X509_check_purpose 3 ,
+.Xr X509_check_trust 3 ,
+.Xr X509_new 3 ,
+.Xr X509_policy_tree_level_count 3 ,
+.Xr X509_verify_cert 3
+.Sh STANDARDS
+RFC 5280: Internet X.509 Public Key Infrastructure Certificate
+and Certificate Revocation List (CRL) Profile,
+section 6.1: Basic Path Validation
+.Sh HISTORY
+.Fn X509_policy_check
+first appeared in OpenSSL 0.9.8 and has been available since
+.Ox 4.5 .

diff --git a/src/lib/libcrypto/man/X509_policy_check.3 b/src/lib/libcrypto/man/X509_policy_check.3 new file mode 100644 index 0000000000..f245099228 --- /dev/null +++ b/src/lib/libcrypto/man/X509_policy_check.3
@@ -0,0 +1,183 @@
	1	.\" $OpenBSD: X509_policy_check.3,v 1.1 2021/07/27 13:27:46 schwarze Exp $
	2	.\"
	3	.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
	4	.\"
	5	.\" Permission to use, copy, modify, and distribute this software for any
	6	.\" purpose with or without fee is hereby granted, provided that the above
	7	.\" copyright notice and this permission notice appear in all copies.
	8	.\"
	9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	.\"
	17	.Dd $Mdocdate: July 27 2021 $
	18	.Dt X509_POLICY_CHECK 3
	19	.Os
	20	.Sh NAME
	21	.Nm X509_policy_check
	22	.Nd construct X.509 valid policy tree
	23	.Sh SYNOPSIS
	24	.In openssl/x509_vfy.h
	25	.Ft int
	26	.Fo X509_policy_check
	27	.Fa "X509_POLICY_TREE **ptree"
	28	.Fa "int *pexplicit_policy"
	29	.Fa "STACK_OF(X509) *certs"
	30	.Fa "STACK_OF(ASN1_OBJECT) *policy_oids"
	31	.Fa "unsigned int flags"
	32	.Fc
	33	.Sh DESCRIPTION
	34	.Fn X509_policy_check
	35	performs those parts of Basic Certification Path Validation
	36	described in RFC 5280 section 6.1 that are related to the
	37	construction of the valid policy tree.
	38	.Pp
	39	The
	40	.Fa certs
	41	input argument contains the prospective certification path
	42	according to RFC 5280 paragraph 6.1.1(a), starting with the
	43	target certificate and ending with the trust anchor.
	44	If a policy tree is returned, the reference count of each of the
	45	.Fa certs
	46	is incremented by 1.
	47	.Pp
	48	The
	49	.Fa policy_oids
	50	input argument contains the
	51	.Va user-initial-policy-set
	52	according to RFC 5280 section 6.1.1(c).
	53	.Pp
	54	The
	55	.Fa flags
	56	argument can contain zero or more of the following constants, OR'ed together:
	57	.Bl -tag -width Ds
	58	.It Dv X509_V_FLAG_EXPLICIT_POLICY
	59	Set
	60	.Va initial-explicit-policy
	61	as defined by RFC 5280 paragraph 6.1.1(f).
	62	It requires the path to be valid for at least one of the
	63	.Fa policy_oids .
	64	.It Dv X509_V_FLAG_INHIBIT_ANY
	65	Set
	66	.Va initial-any-policy-inhibit
	67	as defined by RFC 5280 paragraph 6.1.1(g).
	68	It causes the
	69	.Sy anyPolicy
	70	OID to be skipped if it is encountered in a certificate.
	71	.It Dv X509_V_FLAG_INHIBIT_MAP
	72	Set
	73	.Va initial-policy-mapping-inhibit
	74	as defined by RFC 5280 paragraph 6.1.1(e).
	75	It disables policy mapping in the certification path.
	76	.El
	77	.Pp
	78	Upon success, a pointer to the
	79	.Vt valid_policy_tree
	80	output value mentioned in RFC 5280 section 6.1.6 is returned in
	81	.Pf * Fa ptree .
	82	It contains one level for each of the
	83	.Fa certs ,
	84	in reverse order: level 0 corresponds to the trust anchor,
	85	the last level corresponds to the target certificate.
	86	Level 0 is initialized to contain a single node with a
	87	.Fa valid_policy
	88	of
	89	.Sy anyPolicy ,
	90	an empty
	91	.Fa qualifier_set ,
	92	and an
	93	.Fa expected_policy_set
	94	containing only
	95	.Sy anyPolicy .
	96	.Pp
	97	The storage location pointed to by
	98	.Fa pexplicit_policy
	99	is set as specified in RFC 5280 paragraphs 6.1.2(d), 6.1.4(h), 6.1.4(i),
	100	6.1.5(a), and 6.1.5(b).
	101	In case of failure, it may or may not get set, representing a partial result.
	102	.Sh RETURN VALUES
	103	.Fn X509_policy_check
	104	returns these values:
	105	.Bl -tag -width 2n
	106	.It \-2
	107	Validation failed because
	108	.Dv X509_V_FLAG_EXPLICIT_POLICY
	109	was requested but the resulting policy tree
	110	or the resulting user policy set would have been empty.
	111	In this case,
	112	.Pf * Fa pexplicit_policy
	113	is set to 1.
	114	If the resulting tree is empty,
	115	.Pf * Fa ptree
	116	is set to
	117	.Dv NULL ;
	118	otherwise, it is set to the resulting tree.
	119	.It \-1
	120	At least one of the
	121	.Fa certs
	122	contains invalid or inconsistent extensions.
	123	.Pf * Fa ptree
	124	is set to
	125	.Dv NULL
	126	and
	127	.Pf * Fa pexplicit_policy
	128	to 0.
	129	.It 0
	130	Internal error.
	131	For example, setting up the policy caches failed, or memory allocation
	132	failed while constructing the tree.
	133	.Pf * Fa ptree
	134	is set to
	135	.Dv NULL
	136	and
	137	.Pf * Fa pexplicit_policy
	138	may be set to 0 or to a partial result.
	139	.It 1
	140	Validation succeeded and
	141	.Pf * Fa ptree
	142	and
	143	.Pf * Fa pexplicit_policy
	144	have been set.
	145	In the special cases that the
	146	.Fa certs
	147	argument contains exactly one certificate or that
	148	.Dv X509_V_FLAG_EXPLICIT_POLICY
	149	was not requested and the resulting policy tree would have been empty,
	150	.Pf * Fa ptree
	151	is set to
	152	.Dv NULL
	153	and
	154	.Pf * Fa pexplicit_policy
	155	to 0.
	156	.It 2
	157	.Dv X509_V_FLAG_EXPLICIT_POLICY
	158	was not requested and at least one of the certificates contains no
	159	certificate policies.
	160	.Pf * Fa ptree
	161	is set to
	162	.Dv NULL
	163	and
	164	.Pf * Fa pexplicit_policy
	165	to 0.
	166	.El
	167	.Sh SEE ALSO
	168	.Xr ASN1_OBJECT_new 3 ,
	169	.Xr OBJ_nid2obj 3 ,
	170	.Xr STACK_OF 3 ,
	171	.Xr X509_check_purpose 3 ,
	172	.Xr X509_check_trust 3 ,
	173	.Xr X509_new 3 ,
	174	.Xr X509_policy_tree_level_count 3 ,
	175	.Xr X509_verify_cert 3
	176	.Sh STANDARDS
	177	RFC 5280: Internet X.509 Public Key Infrastructure Certificate
	178	and Certificate Revocation List (CRL) Profile,
	179	section 6.1: Basic Path Validation
	180	.Sh HISTORY
	181	.Fn X509_policy_check
	182	first appeared in OpenSSL 0.9.8 and has been available since
	183	.Ox 4.5 .