7 files changed, 11 insertions, 226 deletions
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index 3b636f2441..a6a3cf78fc 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.293 2024/09/02 07:57:27 tb Exp $
+# $OpenBSD: Makefile,v 1.294 2024/09/02 08:04:32 tb Exp $
 .include <bsd.own.mk>
@@ -354,7 +354,6 @@ MAN=	\
        X509_check_issued.3 \
        X509_check_private_key.3 \
        X509_check_purpose.3 \
-        X509_check_trust.3 \
        X509_cmp.3 \
        X509_cmp_time.3 \
        X509_digest.3 \
diff --git a/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3 b/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
index 293c4da655..9f45261725 100644
--- a/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
+++ b/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.22 2024/05/07 20:40:07 tb Exp $
+.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.23 2024/09/02 08:04:32 tb Exp $
 .\" full merge up to:
 .\" OpenSSL man3/PEM_read_bio_PrivateKey.pod 18bad535 Apr 9 15:13:55 2019 +0100
 .\" OpenSSL man3/PEM_read_CMS.pod 83cf7abf May 29 13:07:08 2018 +0100
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 7 2024 $
+.Dd $Mdocdate: September 2 2024 $
 .Dt PEM_READ_BIO_PRIVATEKEY 3
 .Os
 .Sh NAME
@@ -896,9 +896,6 @@ The
 functions process a trusted X509 certificate using an
 .Vt X509
 structure.
-The
-.Xr X509_check_trust 3
-manual explains how the auxiliary trust information is used.
 .Pp
 The
 .Sy X509_REQ
diff --git a/src/lib/libcrypto/man/X509_CINF_new.3 b/src/lib/libcrypto/man/X509_CINF_new.3
index f7de4d9524..6c09c58545 100644
--- a/src/lib/libcrypto/man/X509_CINF_new.3
+++ b/src/lib/libcrypto/man/X509_CINF_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_CINF_new.3,v 1.10 2021/07/24 14:33:14 schwarze Exp $
+.\"     $OpenBSD: X509_CINF_new.3,v 1.11 2024/09/02 08:04:32 tb Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 24 2021 $
+.Dd $Mdocdate: September 2 2024 $
 .Dt X509_CINF_NEW 3
 .Os
 .Sh NAME
@@ -96,7 +96,6 @@ if an error occurs.
 .Xr d2i_X509_CINF 3 ,
 .Xr X509_add1_trust_object 3 ,
 .Xr X509_CERT_AUX_print 3 ,
-.Xr X509_check_trust 3 ,
 .Xr X509_keyid_set1 3 ,
 .Xr X509_new 3
 .Sh STANDARDS
diff --git a/src/lib/libcrypto/man/X509_add1_trust_object.3 b/src/lib/libcrypto/man/X509_add1_trust_object.3
index e1e3824208..067bf64464 100644
--- a/src/lib/libcrypto/man/X509_add1_trust_object.3
+++ b/src/lib/libcrypto/man/X509_add1_trust_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_add1_trust_object.3,v 1.3 2021/07/24 14:33:14 schwarze Exp $
+.\" $OpenBSD: X509_add1_trust_object.3,v 1.4 2024/09/02 08:04:32 tb Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 24 2021 $
+.Dd $Mdocdate: September 2 2024 $
 .Dt X509_ADD1_TRUST_OBJECT 3
 .Os
 .Sh NAME
@@ -93,7 +93,6 @@ does not contain a sub-object that can hold non-standard auxiliary data.
 .Xr EXTENDED_KEY_USAGE_new 3 ,
 .Xr OBJ_nid2obj 3 ,
 .Xr X509_CERT_AUX_new 3 ,
-.Xr X509_check_trust 3 ,
 .Xr X509_new 3
 .Sh HISTORY
 These functions first appeared in OpenSSL 0.9.4 and have been available since
diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3
index ebd627bd57..8fea6679fc 100644
--- a/src/lib/libcrypto/man/X509_check_purpose.3
+++ b/src/lib/libcrypto/man/X509_check_purpose.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_purpose.3,v 1.11 2023/06/25 13:54:58 tb Exp $
+.\" $OpenBSD: X509_check_purpose.3,v 1.12 2024/09/02 08:04:32 tb Exp $
 .\"
 .\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 25 2023 $
+.Dd $Mdocdate: September 2 2024 $
 .Dt X509_CHECK_PURPOSE 3
 .Os
 .Sh NAME
@@ -410,7 +410,6 @@ can be used as a CA for the
 .Sh SEE ALSO
 .Xr BASIC_CONSTRAINTS_new 3 ,
 .Xr EXTENDED_KEY_USAGE_new 3 ,
-.Xr X509_check_trust 3 ,
 .Xr X509_new 3 ,
 .Xr X509_PURPOSE_set 3 ,
 .Xr X509V3_get_d2i 3 ,
diff --git a/src/lib/libcrypto/man/X509_check_trust.3 b/src/lib/libcrypto/man/X509_check_trust.3
deleted file mode 100644
index f085bfcf20..0000000000
--- a/src/lib/libcrypto/man/X509_check_trust.3
+++ /dev/null
@@ -1,207 +0,0 @@
-.\" $OpenBSD: X509_check_trust.3,v 1.10 2024/08/17 09:19:04 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: August 17 2024 $
-.Dt X509_CHECK_TRUST 3
-.Os
-.Sh NAME
-.Nm X509_check_trust
-.Nd check whether a certificate is trusted
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_check_trust
-.Fa "X509 *certificate"
-.Fa "int trust"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_check_trust
-checks whether the
-.Fa certificate
-is marked as trusted for the purpose corresponding to the requested
-.Fa trust
-identifier.
-.Pp
-The standard algorithm used by all built-in trust checking functions
-performs the following tests in the following order.
-The first matching test terminates the algorithm
-and decides the return value.
-.Bl -enum
-.It
-If
-.Xr X509_add1_reject_object 3
-was previously called on the
-.Fa certificate
-with the ASN.1 object identifier corresponding to the requested
-.Fa trust
-identifier,
-.Dv X509_TRUST_REJECTED
-is returned.
-.It
-If
-.Xr X509_add1_trust_object 3
-was previously called on the
-.Fa certificate
-with the ASN.1 object identifier corresponding to the requested
-.Fa trust
-identifier,
-.Dv X509_TRUST_TRUSTED
-is returned.
-.It
-If
-.Xr X509_add1_reject_object 3
-or
-.Xr X509_add1_trust_object 3
-were previously called on the
-.Fa certificate ,
-but neither of them
-with the ASN.1 object identifier corresponding to the requested
-.Fa trust
-identifier,
-.Dv X509_TRUST_UNTRUSTED
-is returned.
-.It
-This so-called
-.Dq compatibility
-step is skipped by some of the trust checking functions.
-If neither
-.Xr X509_add1_reject_object 3
-nor
-.Xr X509_add1_trust_object 3
-was previously called on the
-.Fa certificate
-and if the
-.Fa certificate
-is a self-signed,
-.Dv X509_TRUST_TRUSTED
-is returned.
-.It
-Otherwise,
-.Dv X509_TRUST_UNTRUSTED
-is returned.
-.El
-.Pp
-By default, the following
-.Fa trust
-identifiers are supported.
-The
-.Dq ASN.1 NID
-column indicates the corresponding ASN.1 object identifier;
-for the relationship between ASN.1 NIDs and OIDs, see the
-.Xr OBJ_nid2obj 3
-manual page.
-The
-.Qq compat
-column indicates whether the compatibility step in the standard algorithm
-detailed above is used or skipped.
-.Pp
-.Bl -column X509_TRUST_OCSP_REQUEST NID_anyExtendedKeyUsage compat -compact
-.It Fa trust No identifier     Ta Em ASN.1 NID               Ta Em compat
-.It Dv X509_TRUST_SSL_CLIENT   Ta Dv NID_client_auth         Ta use
-.It Dv X509_TRUST_SSL_SERVER   Ta Dv NID_server_auth         Ta use
-.It Dv X509_TRUST_EMAIL        Ta Dv NID_email_protect       Ta use
-.It Dv X509_TRUST_OBJECT_SIGN  Ta Dv NID_code_sign           Ta use
-.It Dv X509_TRUST_OCSP_SIGN    Ta Dv NID_OCSP_sign           Ta skip
-.It Dv X509_TRUST_OCSP_REQUEST Ta Dv NID_ad_OCSP             Ta skip
-.It Dv X509_TRUST_TSA          Ta Dv NID_time_stamp          Ta use
-.It Dv X509_TRUST_COMPAT       Ta none                       Ta only
-.It 0                          Ta Dv NID_anyExtendedKeyUsage Ta special
-.It \-1                        Ta none                       Ta trusted
-.It invalid                    Ta Fa trust No argument       Ta skip
-.El
-.Pp
-For the following
-.Fa trust
-identifiers, the standard algorithm is modified:
-.Bl -tag -width Ds
-.It Dv X509_TRUST_COMPAT
-.Xr X509_add1_reject_object 3
-and
-.Xr X509_add1_trust_object 3
-settings are completely ignored
-and all steps before the compatibility step are skipped.
-The
-.Fa certificate
-is trusted if and only if it is self-signed.
-.It 0
-The third step in the standard algorithm is skipped, and the
-compatibility step is used even if
-.Xr X509_add1_reject_object 3
-or
-.Xr X509_add1_trust_object 3
-were called with ASN.1 object identifiers not corresponding to
-.Dv NID_anyExtendedKeyUsage .
-.It \-1
-The
-.Fa certificate
-is not inspected and
-.Dv X509_TRUST_TRUSTED
-is always returned.
-.It invalid
-If the
-.Fa trust
-argument is neither 0 nor \-1 nor valid as a trust identifier,
-it is re-interpreted as an ASN.1 NID
-and used itself for the standard algorithm.
-The compatibility step is skipped in this case.
-.El
-.Pp
-The
-.Fa flags
-argument is ignored by all built-in trust checking functions,
-but user-specified trust checking functions might use it.
-.Pp
-If the function
-.Xr X509_TRUST_add 3
-was called before
-.Fn X509_check_trust ,
-it may have installed different, user-supplied checking functions
-for some of the standard
-.Fa trust
-identifiers listed above, or it may have installed additional,
-user-supplied checking functions for user-defined
-.Fa trust
-identifiers not listed above.
-.Sh RETURN VALUES
-.Fn X509_check_trust
-returns the following values:
-.Bl -tag -width Ds
-.It Dv X509_TRUST_TRUSTED
-The
-.Fa certificate
-is explicitly or implicitly trusted for the requested purpose.
-.It Dv X509_TRUST_REJECTED
-The
-.Fa certificate
-is explicitly rejected for the requested purpose.
-.It Dv X509_TRUST_UNTRUSTED
-The
-.Fa certificate
-is neither trusted nor explicitly rejected,
-which implies that it is not trusted.
-.El
-.Sh SEE ALSO
-.Xr PEM_read_X509_AUX 3 ,
-.Xr X509_add1_trust_object 3 ,
-.Xr X509_CERT_AUX_new 3 ,
-.Xr X509_check_purpose 3 ,
-.Xr X509_new 3 ,
-.Xr X509_VERIFY_PARAM_set_trust 3
-.Sh HISTORY
-.Fn X509_check_trust
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3
index 9bc3ee95c8..7b62363d4d 100644
--- a/src/lib/libcrypto/man/X509_new.3
+++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_new.3,v 1.44 2024/08/17 09:16:37 tb Exp $
+.\" $OpenBSD: X509_new.3,v 1.45 2024/09/02 08:04:32 tb Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 17 2024 $
+.Dd $Mdocdate: September 2 2024 $
 .Dt X509_NEW 3
 .Os
 .Sh NAME
@@ -208,7 +208,6 @@ if an error occurs.
 .Xr X509_check_issued 3 ,
 .Xr X509_check_private_key 3 ,
 .Xr X509_check_purpose 3 ,
-.Xr X509_check_trust 3 ,
 .Xr X509_CINF_new 3 ,
 .Xr X509_cmp 3 ,
 .Xr X509_CRL_new 3 ,

diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile index 3b636f2441..a6a3cf78fc 100644 --- a/src/lib/libcrypto/man/Makefile +++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.293 2024/09/02 07:57:27 tb Exp $	1	# $OpenBSD: Makefile,v 1.294 2024/09/02 08:04:32 tb Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4		4
@@ -354,7 +354,6 @@ MAN= \
354	X509_check_issued.3 \	354	X509_check_issued.3 \
355	X509_check_private_key.3 \	355	X509_check_private_key.3 \
356	X509_check_purpose.3 \	356	X509_check_purpose.3 \
357	X509_check_trust.3 \
358	X509_cmp.3 \	357	X509_cmp.3 \
359	X509_cmp_time.3 \	358	X509_cmp_time.3 \
360	X509_digest.3 \	359	X509_digest.3 \


diff --git a/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3 b/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3 index 293c4da655..9f45261725 100644 --- a/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3 +++ b/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.22 2024/05/07 20:40:07 tb Exp $	1	.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.23 2024/09/02 08:04:32 tb Exp $
2	.\" full merge up to:	2	.\" full merge up to:
3	.\" OpenSSL man3/PEM_read_bio_PrivateKey.pod 18bad535 Apr 9 15:13:55 2019 +0100	3	.\" OpenSSL man3/PEM_read_bio_PrivateKey.pod 18bad535 Apr 9 15:13:55 2019 +0100
4	.\" OpenSSL man3/PEM_read_CMS.pod 83cf7abf May 29 13:07:08 2018 +0100	4	.\" OpenSSL man3/PEM_read_CMS.pod 83cf7abf May 29 13:07:08 2018 +0100
@@ -51,7 +51,7 @@
51	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	51	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
52	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	52	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
53	.\"	53	.\"
54	.Dd $Mdocdate: May 7 2024 $	54	.Dd $Mdocdate: September 2 2024 $
55	.Dt PEM_READ_BIO_PRIVATEKEY 3	55	.Dt PEM_READ_BIO_PRIVATEKEY 3
56	.Os	56	.Os
57	.Sh NAME	57	.Sh NAME
@@ -896,9 +896,6 @@ The
896	functions process a trusted X509 certificate using an	896	functions process a trusted X509 certificate using an
897	.Vt X509	897	.Vt X509
898	structure.	898	structure.
899	The
900	.Xr X509_check_trust 3
901	manual explains how the auxiliary trust information is used.
902	.Pp	899	.Pp
903	The	900	The
904	.Sy X509_REQ	901	.Sy X509_REQ


diff --git a/src/lib/libcrypto/man/X509_CINF_new.3 b/src/lib/libcrypto/man/X509_CINF_new.3 index f7de4d9524..6c09c58545 100644 --- a/src/lib/libcrypto/man/X509_CINF_new.3 +++ b/src/lib/libcrypto/man/X509_CINF_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_CINF_new.3,v 1.10 2021/07/24 14:33:14 schwarze Exp $	1	.\" $OpenBSD: X509_CINF_new.3,v 1.11 2024/09/02 08:04:32 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: July 24 2021 $	17	.Dd $Mdocdate: September 2 2024 $
18	.Dt X509_CINF_NEW 3	18	.Dt X509_CINF_NEW 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -96,7 +96,6 @@ if an error occurs.
96	.Xr d2i_X509_CINF 3 ,	96	.Xr d2i_X509_CINF 3 ,
97	.Xr X509_add1_trust_object 3 ,	97	.Xr X509_add1_trust_object 3 ,
98	.Xr X509_CERT_AUX_print 3 ,	98	.Xr X509_CERT_AUX_print 3 ,
99	.Xr X509_check_trust 3 ,
100	.Xr X509_keyid_set1 3 ,	99	.Xr X509_keyid_set1 3 ,
101	.Xr X509_new 3	100	.Xr X509_new 3
102	.Sh STANDARDS	101	.Sh STANDARDS


diff --git a/src/lib/libcrypto/man/X509_add1_trust_object.3 b/src/lib/libcrypto/man/X509_add1_trust_object.3 index e1e3824208..067bf64464 100644 --- a/src/lib/libcrypto/man/X509_add1_trust_object.3 +++ b/src/lib/libcrypto/man/X509_add1_trust_object.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_add1_trust_object.3,v 1.3 2021/07/24 14:33:14 schwarze Exp $	1	.\" $OpenBSD: X509_add1_trust_object.3,v 1.4 2024/09/02 08:04:32 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: July 24 2021 $	17	.Dd $Mdocdate: September 2 2024 $
18	.Dt X509_ADD1_TRUST_OBJECT 3	18	.Dt X509_ADD1_TRUST_OBJECT 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -93,7 +93,6 @@ does not contain a sub-object that can hold non-standard auxiliary data.
93	.Xr EXTENDED_KEY_USAGE_new 3 ,	93	.Xr EXTENDED_KEY_USAGE_new 3 ,
94	.Xr OBJ_nid2obj 3 ,	94	.Xr OBJ_nid2obj 3 ,
95	.Xr X509_CERT_AUX_new 3 ,	95	.Xr X509_CERT_AUX_new 3 ,
96	.Xr X509_check_trust 3 ,
97	.Xr X509_new 3	96	.Xr X509_new 3
98	.Sh HISTORY	97	.Sh HISTORY
99	These functions first appeared in OpenSSL 0.9.4 and have been available since	98	These functions first appeared in OpenSSL 0.9.4 and have been available since


diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3 index ebd627bd57..8fea6679fc 100644 --- a/src/lib/libcrypto/man/X509_check_purpose.3 +++ b/src/lib/libcrypto/man/X509_check_purpose.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_check_purpose.3,v 1.11 2023/06/25 13:54:58 tb Exp $	1	.\" $OpenBSD: X509_check_purpose.3,v 1.12 2024/09/02 08:04:32 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: June 25 2023 $	17	.Dd $Mdocdate: September 2 2024 $
18	.Dt X509_CHECK_PURPOSE 3	18	.Dt X509_CHECK_PURPOSE 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -410,7 +410,6 @@ can be used as a CA for the
410	.Sh SEE ALSO	410	.Sh SEE ALSO
411	.Xr BASIC_CONSTRAINTS_new 3 ,	411	.Xr BASIC_CONSTRAINTS_new 3 ,
412	.Xr EXTENDED_KEY_USAGE_new 3 ,	412	.Xr EXTENDED_KEY_USAGE_new 3 ,
413	.Xr X509_check_trust 3 ,
414	.Xr X509_new 3 ,	413	.Xr X509_new 3 ,
415	.Xr X509_PURPOSE_set 3 ,	414	.Xr X509_PURPOSE_set 3 ,
416	.Xr X509V3_get_d2i 3 ,	415	.Xr X509V3_get_d2i 3 ,


diff --git a/src/lib/libcrypto/man/X509_check_trust.3 b/src/lib/libcrypto/man/X509_check_trust.3 deleted file mode 100644 index f085bfcf20..0000000000 --- a/src/lib/libcrypto/man/X509_check_trust.3 +++ /dev/null
@@ -1,207 +0,0 @@
1	.\" $OpenBSD: X509_check_trust.3,v 1.10 2024/08/17 09:19:04 tb Exp $
2	.\"
3	.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
4	.\"
5	.\" Permission to use, copy, modify, and distribute this software for any
6	.\" purpose with or without fee is hereby granted, provided that the above
7	.\" copyright notice and this permission notice appear in all copies.
8	.\"
9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"
17	.Dd $Mdocdate: August 17 2024 $
18	.Dt X509_CHECK_TRUST 3
19	.Os
20	.Sh NAME
21	.Nm X509_check_trust
22	.Nd check whether a certificate is trusted
23	.Sh SYNOPSIS
24	.In openssl/x509.h
25	.Ft int
26	.Fo X509_check_trust
27	.Fa "X509 *certificate"
28	.Fa "int trust"
29	.Fa "int flags"
30	.Fc
31	.Sh DESCRIPTION
32	.Fn X509_check_trust
33	checks whether the
34	.Fa certificate
35	is marked as trusted for the purpose corresponding to the requested
36	.Fa trust
37	identifier.
38	.Pp
39	The standard algorithm used by all built-in trust checking functions
40	performs the following tests in the following order.
41	The first matching test terminates the algorithm
42	and decides the return value.
43	.Bl -enum
44	.It
45	If
46	.Xr X509_add1_reject_object 3
47	was previously called on the
48	.Fa certificate
49	with the ASN.1 object identifier corresponding to the requested
50	.Fa trust
51	identifier,
52	.Dv X509_TRUST_REJECTED
53	is returned.
54	.It
55	If
56	.Xr X509_add1_trust_object 3
57	was previously called on the
58	.Fa certificate
59	with the ASN.1 object identifier corresponding to the requested
60	.Fa trust
61	identifier,
62	.Dv X509_TRUST_TRUSTED
63	is returned.
64	.It
65	If
66	.Xr X509_add1_reject_object 3
67	or
68	.Xr X509_add1_trust_object 3
69	were previously called on the
70	.Fa certificate ,
71	but neither of them
72	with the ASN.1 object identifier corresponding to the requested
73	.Fa trust
74	identifier,
75	.Dv X509_TRUST_UNTRUSTED
76	is returned.
77	.It
78	This so-called
79	.Dq compatibility
80	step is skipped by some of the trust checking functions.
81	If neither
82	.Xr X509_add1_reject_object 3
83	nor
84	.Xr X509_add1_trust_object 3
85	was previously called on the
86	.Fa certificate
87	and if the
88	.Fa certificate
89	is a self-signed,
90	.Dv X509_TRUST_TRUSTED
91	is returned.
92	.It
93	Otherwise,
94	.Dv X509_TRUST_UNTRUSTED
95	is returned.
96	.El
97	.Pp
98	By default, the following
99	.Fa trust
100	identifiers are supported.
101	The
102	.Dq ASN.1 NID
103	column indicates the corresponding ASN.1 object identifier;
104	for the relationship between ASN.1 NIDs and OIDs, see the
105	.Xr OBJ_nid2obj 3
106	manual page.
107	The
108	.Qq compat
109	column indicates whether the compatibility step in the standard algorithm
110	detailed above is used or skipped.
111	.Pp
112	.Bl -column X509_TRUST_OCSP_REQUEST NID_anyExtendedKeyUsage compat -compact
113	.It Fa trust No identifier Ta Em ASN.1 NID Ta Em compat
114	.It Dv X509_TRUST_SSL_CLIENT Ta Dv NID_client_auth Ta use
115	.It Dv X509_TRUST_SSL_SERVER Ta Dv NID_server_auth Ta use
116	.It Dv X509_TRUST_EMAIL Ta Dv NID_email_protect Ta use
117	.It Dv X509_TRUST_OBJECT_SIGN Ta Dv NID_code_sign Ta use
118	.It Dv X509_TRUST_OCSP_SIGN Ta Dv NID_OCSP_sign Ta skip
119	.It Dv X509_TRUST_OCSP_REQUEST Ta Dv NID_ad_OCSP Ta skip
120	.It Dv X509_TRUST_TSA Ta Dv NID_time_stamp Ta use
121	.It Dv X509_TRUST_COMPAT Ta none Ta only
122	.It 0 Ta Dv NID_anyExtendedKeyUsage Ta special
123	.It \-1 Ta none Ta trusted
124	.It invalid Ta Fa trust No argument Ta skip
125	.El
126	.Pp
127	For the following
128	.Fa trust
129	identifiers, the standard algorithm is modified:
130	.Bl -tag -width Ds
131	.It Dv X509_TRUST_COMPAT
132	.Xr X509_add1_reject_object 3
133	and
134	.Xr X509_add1_trust_object 3
135	settings are completely ignored
136	and all steps before the compatibility step are skipped.
137	The
138	.Fa certificate
139	is trusted if and only if it is self-signed.
140	.It 0
141	The third step in the standard algorithm is skipped, and the
142	compatibility step is used even if
143	.Xr X509_add1_reject_object 3
144	or
145	.Xr X509_add1_trust_object 3
146	were called with ASN.1 object identifiers not corresponding to
147	.Dv NID_anyExtendedKeyUsage .
148	.It \-1
149	The
150	.Fa certificate
151	is not inspected and
152	.Dv X509_TRUST_TRUSTED
153	is always returned.
154	.It invalid
155	If the
156	.Fa trust
157	argument is neither 0 nor \-1 nor valid as a trust identifier,
158	it is re-interpreted as an ASN.1 NID
159	and used itself for the standard algorithm.
160	The compatibility step is skipped in this case.
161	.El
162	.Pp
163	The
164	.Fa flags
165	argument is ignored by all built-in trust checking functions,
166	but user-specified trust checking functions might use it.
167	.Pp
168	If the function
169	.Xr X509_TRUST_add 3
170	was called before
171	.Fn X509_check_trust ,
172	it may have installed different, user-supplied checking functions
173	for some of the standard
174	.Fa trust
175	identifiers listed above, or it may have installed additional,
176	user-supplied checking functions for user-defined
177	.Fa trust
178	identifiers not listed above.
179	.Sh RETURN VALUES
180	.Fn X509_check_trust
181	returns the following values:
182	.Bl -tag -width Ds
183	.It Dv X509_TRUST_TRUSTED
184	The
185	.Fa certificate
186	is explicitly or implicitly trusted for the requested purpose.
187	.It Dv X509_TRUST_REJECTED
188	The
189	.Fa certificate
190	is explicitly rejected for the requested purpose.
191	.It Dv X509_TRUST_UNTRUSTED
192	The
193	.Fa certificate
194	is neither trusted nor explicitly rejected,
195	which implies that it is not trusted.
196	.El
197	.Sh SEE ALSO
198	.Xr PEM_read_X509_AUX 3 ,
199	.Xr X509_add1_trust_object 3 ,
200	.Xr X509_CERT_AUX_new 3 ,
201	.Xr X509_check_purpose 3 ,
202	.Xr X509_new 3 ,
203	.Xr X509_VERIFY_PARAM_set_trust 3
204	.Sh HISTORY
205	.Fn X509_check_trust
206	first appeared in OpenSSL 0.9.5 and has been available since
207	.Ox 2.7 .


diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3 index 9bc3ee95c8..7b62363d4d 100644 --- a/src/lib/libcrypto/man/X509_new.3 +++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_new.3,v 1.44 2024/08/17 09:16:37 tb Exp $	1	.\" $OpenBSD: X509_new.3,v 1.45 2024/09/02 08:04:32 tb Exp $
2	.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400	2	.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
3	.\"	3	.\"
4	.\" This file is a derived work.	4	.\" This file is a derived work.
@@ -66,7 +66,7 @@
66	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	66	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
67	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	67	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
68	.\"	68	.\"
69	.Dd $Mdocdate: August 17 2024 $	69	.Dd $Mdocdate: September 2 2024 $
70	.Dt X509_NEW 3	70	.Dt X509_NEW 3
71	.Os	71	.Os
72	.Sh NAME	72	.Sh NAME
@@ -208,7 +208,6 @@ if an error occurs.
208	.Xr X509_check_issued 3 ,	208	.Xr X509_check_issued 3 ,
209	.Xr X509_check_private_key 3 ,	209	.Xr X509_check_private_key 3 ,
210	.Xr X509_check_purpose 3 ,	210	.Xr X509_check_purpose 3 ,
211	.Xr X509_check_trust 3 ,
212	.Xr X509_CINF_new 3 ,	211	.Xr X509_CINF_new 3 ,
213	.Xr X509_cmp 3 ,	212	.Xr X509_cmp 3 ,
214	.Xr X509_CRL_new 3 ,	213	.Xr X509_CRL_new 3 ,