1 files changed, 211 insertions, 0 deletions
diff --git a/src/lib/libssl/man/X509_get_extension_flags.3 b/src/lib/libssl/man/X509_get_extension_flags.3
new file mode 100644
index 0000000000..665f59a809
--- /dev/null
+++ b/src/lib/libssl/man/X509_get_extension_flags.3
@@ -0,0 +1,211 @@
+.\" $OpenBSD: X509_get_extension_flags.3,v 1.1 2021/10/23 15:30:07 tb Exp $
+.\" full merge up to: OpenSSL 361136f4 Sep 1 18:56:58 2015 +0100
+.\" selective merge up to: OpenSSL 2b2e3106f Feb 16 15:04:45 2021 +0000
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: October 23 2021 $
+.Dt X509_GET_EXTENSION_FLAGS 3
+.Os
+.Sh NAME
+.Nm X509_get_extension_flags ,
+.Nm X509_get_key_usage ,
+.Nm X509_get_extended_key_usage
+.Nd retrieve certificate extension data
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft uint32_t
+.Fo X509_get_extension_flags
+.Fa "X509 *x"
+.Fc
+.Ft uint32_t
+.Fo X509_get_key_usage
+.Fa "X509 *x"
+.Fc
+.Ft uint32_t
+.Fo X509_get_extended_key_usage
+.Fa "X509 *x"
+.Fc
+.Sh DESCRIPTION
+These functions retrieve information related to commonly used
+certificate extensions.
+.Pp
+.Fn X509_get_extension_flags
+retrieves general information about a certificate, it will return one or
+more of the following flags ored together.
+.Bl -tag -width Ds
+.It Dv EXFLAG_V1
+The certificate is an obsolete version 1 certificate.
+.It Dv EXFLAG_BCONS
+The certificate contains a basic constraints extension.
+.It Dv EXFLAG_CA
+The certificate contains basic constraints and asserts the CA flag.
+.It Dv EXFLAG_PROXY
+The certificate is a valid proxy certificate.
+.It Dv EXFLAG_SI
+The certificate is self issued (that is subject and issuer names match).
+.It Dv EXFLAG_SS
+The subject and issuer names match and extension values imply it is self
+signed.
+.It Dv EXFLAG_FRESHEST
+The freshest CRL extension is present in the certificate.
+.It Dv EXFLAG_CRITICAL
+The certificate contains an unhandled critical extension.
+.It Dv EXFLAG_INVALID
+Some certificate extension values are invalid or inconsistent.
+The certificate should be rejected.
+This bit may also be raised after an out-of-memory error while
+processing the X509 object, so it may not be related to the processed
+ASN1 object itself.
+.\" EXFLAG_NO_FINGERPRINT is not available in LibreSSL. Do we need
+.\" https://github.com/openssl/openssl/issues/13698 and the fix it fixes?
+.\".It Dv EXFLAG_NO_FINGERPRINT
+.\" Failed to compute the internal SHA1 hash value of the certificate.
+.\" This may be due to malloc failure or because no SHA1 implementation was
+.\" found.
+.It Dv EXFLAG_INVALID_POLICY
+The
+.Dv NID_certificate_policies
+certificate extension is invalid or inconsistent.
+The certificate should be rejected.
+This bit may also be raised after an out-of-memory error while
+processing the X509 object, so it may not be related to the processed
+ASN1 object itself.
+.It Dv EXFLAG_KUSAGE
+The certificate contains a key usage extension.
+The value can be retrieved using
+.Fn X509_get_key_usage .
+.It Dv EXFLAG_XKUSAGE
+The certificate contains an extended key usage extension.
+The value can be retrieved using
+.Fn X509_get_extended_key_usage .
+.El
+.Pp
+.Fn X509_get_key_usage
+returns the value of the key usage extension.
+If key usage is present will return zero or more of the flags:
+.Dv KU_DIGITAL_SIGNATURE ,
+.Dv KU_NON_REPUDIATION ,
+.Dv KU_KEY_ENCIPHERMENT ,
+.Dv KU_DATA_ENCIPHERMENT ,
+.Dv KU_KEY_AGREEMENT ,
+.Dv KU_KEY_CERT_SIGN ,
+.Dv KU_CRL_SIGN ,
+.Dv KU_ENCIPHER_ONLY
+or
+.Dv KU_DECIPHER_ONLY
+corresponding to individual key usage bits.
+If key usage is absent then
+.Dv UINT32_MAX
+is returned.
+.Pp
+.Fn X509_get_extended_key_usage
+returns the value of the extended key usage extension.
+If extended key usage is present it will return zero or more of the
+flags:
+.Dv XKU_SSL_SERVER ,
+.Dv XKU_SSL_CLIENT ,
+.Dv XKU_SMIME ,
+.Dv XKU_CODE_SIGN
+.Dv XKU_OCSP_SIGN ,
+.Dv XKU_TIMESTAMP ,
+.Dv XKU_DVCS ,
+or
+.Dv XKU_ANYEKU .
+These correspond to the OIDs
+.Qq id-kp-serverAuth ,
+.Qq id-kp-clientAuth ,
+.Qq id-kp-emailProtection ,
+.Qq id-kp-codeSigning ,
+.Qq id-kp-OCSPSigning ,
+.Qq id-kp-timeStamping ,
+.Qq id-kp-dvcs ,
+and
+.Qq anyExtendedKeyUsage ,
+respectively.
+Additionally,
+.Dv XKU_SGC
+is set if either Netscape or Microsoft SGC OIDs are present.
+.Pp
+The value of the flags correspond to extension values which are cached
+in the
+.Vt X509
+structure.
+If the flags returned do not provide sufficient information,
+an application should examine extension values directly,
+for example using
+.Xr X509_get_ext_d2i 3 .
+.Pp
+If the key usage or extended key usage extension is absent then
+typically usage is unrestricted.
+For this reason
+.Fn X509_get_key_usage
+and
+.Fn X509_get_extended_key_usage
+return
+.Dv UINT32_MAX
+when the corresponding extension is absent.
+Applications can additionally check the return value of
+.Fn X509_get_extension_flags
+and take appropriate action if an extension is absent.
+.Sh RETURN VALUES
+.Fn X509_get_extension_flags ,
+.Fn X509_get_key_usage
+and
+.Fn X509_get_extended_key_usage
+return sets of flags corresponding to the certificate extension values.
+.Sh SEE ALSO
+.Xr X509_check_purpose 3 ,
+.Xr X509_get_ext_d2i 3
+.Sh HISTORY
+.Nm X509_get_extension_flags ,
+.Nm X509_get_key_usage ,
+and
+.Nm X509_get_extended_key_usage
+first appeared in OpenSSL 1.1.0 and have been available since
+.Ox 7.1 .

diff --git a/src/lib/libssl/man/X509_get_extension_flags.3 b/src/lib/libssl/man/X509_get_extension_flags.3 new file mode 100644 index 0000000000..665f59a809 --- /dev/null +++ b/src/lib/libssl/man/X509_get_extension_flags.3
@@ -0,0 +1,211 @@
	1	.\" $OpenBSD: X509_get_extension_flags.3,v 1.1 2021/10/23 15:30:07 tb Exp $
	2	.\" full merge up to: OpenSSL 361136f4 Sep 1 18:56:58 2015 +0100
	3	.\" selective merge up to: OpenSSL 2b2e3106f Feb 16 15:04:45 2021 +0000
	4	.\"
	5	.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
	6	.\" Copyright (c) 2015 The OpenSSL Project. All rights reserved.
	7	.\"
	8	.\" Redistribution and use in source and binary forms, with or without
	9	.\" modification, are permitted provided that the following conditions
	10	.\" are met:
	11	.\"
	12	.\" 1. Redistributions of source code must retain the above copyright
	13	.\" notice, this list of conditions and the following disclaimer.
	14	.\"
	15	.\" 2. Redistributions in binary form must reproduce the above copyright
	16	.\" notice, this list of conditions and the following disclaimer in
	17	.\" the documentation and/or other materials provided with the
	18	.\" distribution.
	19	.\"
	20	.\" 3. All advertising materials mentioning features or use of this
	21	.\" software must display the following acknowledgment:
	22	.\" "This product includes software developed by the OpenSSL Project
	23	.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
	24	.\"
	25	.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	26	.\" endorse or promote products derived from this software without
	27	.\" prior written permission. For written permission, please contact
	28	.\" openssl-core@openssl.org.
	29	.\"
	30	.\" 5. Products derived from this software may not be called "OpenSSL"
	31	.\" nor may "OpenSSL" appear in their names without prior written
	32	.\" permission of the OpenSSL Project.
	33	.\"
	34	.\" 6. Redistributions of any form whatsoever must retain the following
	35	.\" acknowledgment:
	36	.\" "This product includes software developed by the OpenSSL Project
	37	.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
	38	.\"
	39	.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	40	.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	41	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	42	.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	43	.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	44	.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	45	.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	46	.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	47	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	48	.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
	51	.\"
	52	.Dd $Mdocdate: October 23 2021 $
	53	.Dt X509_GET_EXTENSION_FLAGS 3
	54	.Os
	55	.Sh NAME
	56	.Nm X509_get_extension_flags ,
	57	.Nm X509_get_key_usage ,
	58	.Nm X509_get_extended_key_usage
	59	.Nd retrieve certificate extension data
	60	.Sh SYNOPSIS
	61	.In openssl/x509v3.h
	62	.Ft uint32_t
	63	.Fo X509_get_extension_flags
	64	.Fa "X509 *x"
	65	.Fc
	66	.Ft uint32_t
	67	.Fo X509_get_key_usage
	68	.Fa "X509 *x"
	69	.Fc
	70	.Ft uint32_t
	71	.Fo X509_get_extended_key_usage
	72	.Fa "X509 *x"
	73	.Fc
	74	.Sh DESCRIPTION
	75	These functions retrieve information related to commonly used
	76	certificate extensions.
	77	.Pp
	78	.Fn X509_get_extension_flags
	79	retrieves general information about a certificate, it will return one or
	80	more of the following flags ored together.
	81	.Bl -tag -width Ds
	82	.It Dv EXFLAG_V1
	83	The certificate is an obsolete version 1 certificate.
	84	.It Dv EXFLAG_BCONS
	85	The certificate contains a basic constraints extension.
	86	.It Dv EXFLAG_CA
	87	The certificate contains basic constraints and asserts the CA flag.
	88	.It Dv EXFLAG_PROXY
	89	The certificate is a valid proxy certificate.
	90	.It Dv EXFLAG_SI
	91	The certificate is self issued (that is subject and issuer names match).
	92	.It Dv EXFLAG_SS
	93	The subject and issuer names match and extension values imply it is self
	94	signed.
	95	.It Dv EXFLAG_FRESHEST
	96	The freshest CRL extension is present in the certificate.
	97	.It Dv EXFLAG_CRITICAL
	98	The certificate contains an unhandled critical extension.
	99	.It Dv EXFLAG_INVALID
	100	Some certificate extension values are invalid or inconsistent.
	101	The certificate should be rejected.
	102	This bit may also be raised after an out-of-memory error while
	103	processing the X509 object, so it may not be related to the processed
	104	ASN1 object itself.
	105	.\" EXFLAG_NO_FINGERPRINT is not available in LibreSSL. Do we need
	106	.\" https://github.com/openssl/openssl/issues/13698 and the fix it fixes?
	107	.\".It Dv EXFLAG_NO_FINGERPRINT
	108	.\" Failed to compute the internal SHA1 hash value of the certificate.
	109	.\" This may be due to malloc failure or because no SHA1 implementation was
	110	.\" found.
	111	.It Dv EXFLAG_INVALID_POLICY
	112	The
	113	.Dv NID_certificate_policies
	114	certificate extension is invalid or inconsistent.
	115	The certificate should be rejected.
	116	This bit may also be raised after an out-of-memory error while
	117	processing the X509 object, so it may not be related to the processed
	118	ASN1 object itself.
	119	.It Dv EXFLAG_KUSAGE
	120	The certificate contains a key usage extension.
	121	The value can be retrieved using
	122	.Fn X509_get_key_usage .
	123	.It Dv EXFLAG_XKUSAGE
	124	The certificate contains an extended key usage extension.
	125	The value can be retrieved using
	126	.Fn X509_get_extended_key_usage .
	127	.El
	128	.Pp
	129	.Fn X509_get_key_usage
	130	returns the value of the key usage extension.
	131	If key usage is present will return zero or more of the flags:
	132	.Dv KU_DIGITAL_SIGNATURE ,
	133	.Dv KU_NON_REPUDIATION ,
	134	.Dv KU_KEY_ENCIPHERMENT ,
	135	.Dv KU_DATA_ENCIPHERMENT ,
	136	.Dv KU_KEY_AGREEMENT ,
	137	.Dv KU_KEY_CERT_SIGN ,
	138	.Dv KU_CRL_SIGN ,
	139	.Dv KU_ENCIPHER_ONLY
	140	or
	141	.Dv KU_DECIPHER_ONLY
	142	corresponding to individual key usage bits.
	143	If key usage is absent then
	144	.Dv UINT32_MAX
	145	is returned.
	146	.Pp
	147	.Fn X509_get_extended_key_usage
	148	returns the value of the extended key usage extension.
	149	If extended key usage is present it will return zero or more of the
	150	flags:
	151	.Dv XKU_SSL_SERVER ,
	152	.Dv XKU_SSL_CLIENT ,
	153	.Dv XKU_SMIME ,
	154	.Dv XKU_CODE_SIGN
	155	.Dv XKU_OCSP_SIGN ,
	156	.Dv XKU_TIMESTAMP ,
	157	.Dv XKU_DVCS ,
	158	or
	159	.Dv XKU_ANYEKU .
	160	These correspond to the OIDs
	161	.Qq id-kp-serverAuth ,
	162	.Qq id-kp-clientAuth ,
	163	.Qq id-kp-emailProtection ,
	164	.Qq id-kp-codeSigning ,
	165	.Qq id-kp-OCSPSigning ,
	166	.Qq id-kp-timeStamping ,
	167	.Qq id-kp-dvcs ,
	168	and
	169	.Qq anyExtendedKeyUsage ,
	170	respectively.
	171	Additionally,
	172	.Dv XKU_SGC
	173	is set if either Netscape or Microsoft SGC OIDs are present.
	174	.Pp
	175	The value of the flags correspond to extension values which are cached
	176	in the
	177	.Vt X509
	178	structure.
	179	If the flags returned do not provide sufficient information,
	180	an application should examine extension values directly,
	181	for example using
	182	.Xr X509_get_ext_d2i 3 .
	183	.Pp
	184	If the key usage or extended key usage extension is absent then
	185	typically usage is unrestricted.
	186	For this reason
	187	.Fn X509_get_key_usage
	188	and
	189	.Fn X509_get_extended_key_usage
	190	return
	191	.Dv UINT32_MAX
	192	when the corresponding extension is absent.
	193	Applications can additionally check the return value of
	194	.Fn X509_get_extension_flags
	195	and take appropriate action if an extension is absent.
	196	.Sh RETURN VALUES
	197	.Fn X509_get_extension_flags ,
	198	.Fn X509_get_key_usage
	199	and
	200	.Fn X509_get_extended_key_usage
	201	return sets of flags corresponding to the certificate extension values.
	202	.Sh SEE ALSO
	203	.Xr X509_check_purpose 3 ,
	204	.Xr X509_get_ext_d2i 3
	205	.Sh HISTORY
	206	.Nm X509_get_extension_flags ,
	207	.Nm X509_get_key_usage ,
	208	and
	209	.Nm X509_get_extended_key_usage
	210	first appeared in OpenSSL 1.1.0 and have been available since
	211	.Ox 7.1 .