2 files changed, 91 insertions, 1 deletions

diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index 065a87b0ee..5f6719c73a 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.97 2016/12/23 22:21:40 schwarze Exp $
+# $OpenBSD: Makefile,v 1.98 2016/12/23 23:19:57 schwarze Exp $
 
 .include <bsd.own.mk>
 
@@ -161,6 +161,7 @@ MAN=	\
         PKCS7_verify.3 \
         PKCS8_PRIV_KEY_INFO_new.3 \
         POLICYINFO_new.3 \
+        PROXY_POLICY_new.3 \
         RAND_add.3 \
         RAND_bytes.3 \
         RAND_load_file.3 \
diff --git a/src/lib/libcrypto/man/PROXY_POLICY_new.3 b/src/lib/libcrypto/man/PROXY_POLICY_new.3
new file mode 100644
index 0000000000..eb4e963033
--- /dev/null
+++ b/src/lib/libcrypto/man/PROXY_POLICY_new.3
@@ -0,0 +1,89 @@
+.\"     $OpenBSD: PROXY_POLICY_new.3,v 1.1 2016/12/23 23:19:57 schwarze Exp $
+.\"
+.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: December 23 2016 $
+.Dt PROXY_POLICY_NEW 3
+.Os
+.Sh NAME
+.Nm PROXY_POLICY_new ,
+.Nm PROXY_POLICY_free ,
+.Nm PROXY_CERT_INFO_EXTENSION_new ,
+.Nm PROXY_CERT_INFO_EXTENSION_free
+.Nd X.509 proxy certificate extension
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft PROXY_POLICY *
+.Fn PROXY_POLICY_new void
+.Ft void
+.Fn PROXY_POLICY_free "PROXY_POLICY *pp"
+.Ft PROXY_CERT_INFO_EXTENSION *
+.Fn PROXY_CERT_INFO_EXTENSION_new void
+.Ft void
+.Fn PROXY_CERT_INFO_EXTENSION_free "PROXY_CERT_INFO_EXTENSION *pcie"
+.Sh DESCRIPTION
+If a given non-CA certificate grants any privileges, using that
+certificate to issue a proxy certificate and handing that proxy
+certificate over to another person, organization, or service allows
+the bearer of the proxy certificate to exercise some or all of the
+privileges on behalf of the subject of the original certificate.
+.Pp
+.Fn PROXY_POLICY_new
+allocates and initializes an empty
+.Vt PROXY_POLICY
+object, representing an ASN.1 ProxyPolicy structure
+defined in RFC 3820 section 3.8.
+It defines which privileges are to be delegated.
+.Fn PROXY_POLICY_free
+frees
+.Fa pp .
+.Pp
+.Fn PROXY_CERT_INFO_EXTENSION_new
+allocates and initializes an empty
+.Vt PROXY_CERT_INFO_EXTENSION
+object, representing an ASN.1 ProxyCertInfo structure
+defined in RFC 3820 section 3.8.
+It can contain a
+.Vt PROXY_POLICY
+object, and it can additionally restrict the maximum depth of the
+path of proxy certificates that can be signed by this proxy
+certificate.
+.Fn PROXY_CERT_INFO_EXTENSION_free
+frees
+.Fa pcie .
+.Pp
+If a non-CA certificate contains a
+.Vt PROXY_CERT_INFO_EXTENSION ,
+it is a proxy certificate; otherwise, it is an end entity certificate.
+.Sh RETURN VALUES
+.Fn PROXY_POLICY_new
+and
+.Fn PROXY_CERT_INFO_EXTENSION_new
+return the new
+.Vt PROXY_POLICY
+or
+.Vt PROXY_CERT_INFO_EXTENSION
+object, respectively, or
+.Dv NULL
+if an error occurs.
+.Sh SEE ALSO
+.Xr BASIC_CONSTRAINTS_new 3 ,
+.Xr EXTENDED_KEY_USAGE_new 3 ,
+.Xr POLICYINFO_new 3 ,
+.Xr X509_EXTENSION_new 3 ,
+.Xr X509_new 3
+.Sh STANDARDS
+RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy
+Certificate Profile