6 files changed, 403 insertions, 9 deletions
diff --git a/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3 b/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
index 7a04249adb..cfe6737c41 100644
--- a/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
+++ b/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BASIC_CONSTRAINTS_new.3,v 1.4 2019/06/06 01:06:58 schwarze Exp $
+.\" $OpenBSD: BASIC_CONSTRAINTS_new.3,v 1.5 2019/08/22 15:15:35 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: August 22 2019 $
 .Dt BASIC_CONSTRAINTS_NEW 3
 .Os
 .Sh NAME
@@ -68,6 +68,7 @@ object or
 if an error occurs.
 .Sh SEE ALSO
 .Xr d2i_BASIC_CONSTRAINTS 3 ,
+.Xr X509_check_purpose 3 ,
 .Xr X509_EXTENSION_new 3 ,
 .Xr X509_new 3
 .Sh STANDARDS
diff --git a/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3 b/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3
index 4e644b227d..869f538c6f 100644
--- a/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3
+++ b/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EXTENDED_KEY_USAGE_new.3,v 1.4 2019/06/06 01:06:58 schwarze Exp $
+.\" $OpenBSD: EXTENDED_KEY_USAGE_new.3,v 1.5 2019/08/22 15:15:35 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: August 22 2019 $
 .Dt EXTENDED_KEY_USAGE_NEW 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@ if an error occurs.
 .Xr BASIC_CONSTRAINTS_new 3 ,
 .Xr d2i_EXTENDED_KEY_USAGE 3 ,
 .Xr POLICYINFO_new 3 ,
+.Xr X509_check_purpose 3 ,
 .Xr X509_EXTENSION_new 3 ,
 .Xr X509_new 3
 .Sh STANDARDS
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index 99536f65aa..c9c74ca337 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.152 2019/08/20 13:27:19 schwarze Exp $
+# $OpenBSD: Makefile,v 1.153 2019/08/22 15:15:35 schwarze Exp $
 .include <bsd.own.mk>
@@ -265,6 +265,7 @@ MAN=	\
        X509_check_host.3 \
        X509_check_issued.3 \
        X509_check_private_key.3 \
+        X509_check_purpose.3 \
        X509_cmp.3 \
        X509_cmp_time.3 \
        X509_digest.3 \
diff --git a/src/lib/libcrypto/man/X509V3_get_d2i.3 b/src/lib/libcrypto/man/X509V3_get_d2i.3
index 70a36530ba..13f1eda35d 100644
--- a/src/lib/libcrypto/man/X509V3_get_d2i.3
+++ b/src/lib/libcrypto/man/X509V3_get_d2i.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_get_d2i.3,v 1.16 2019/06/14 13:59:32 schwarze Exp $
+.\" $OpenBSD: X509V3_get_d2i.3,v 1.17 2019/08/22 15:15:35 schwarze Exp $
 .\" full merge up to: OpenSSL ff7fbfd5 Nov 2 11:52:01 2015 +0000
 .\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 14 2019 $
+.Dd $Mdocdate: August 22 2019 $
 .Dt X509V3_GET_D2I 3
 .Os
 .Sh NAME
@@ -408,6 +408,7 @@ if no extensions are present.
 .Sh SEE ALSO
 .Xr d2i_X509 3 ,
 .Xr d2i_X509_EXTENSION 3 ,
+.Xr X509_check_purpose 3 ,
 .Xr X509_CRL_get0_by_serial 3 ,
 .Xr X509_CRL_new 3 ,
 .Xr X509_EXTENSION_new 3 ,
diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3
new file mode 100644
index 0000000000..b74ea50bef
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_check_purpose.3
@@ -0,0 +1,389 @@
+.\" $OpenBSD: X509_check_purpose.3,v 1.1 2019/08/22 15:15:35 schwarze Exp $
+.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: August 22 2019 $
+.Dt X509_CHECK_PURPOSE 3
+.Os
+.Sh NAME
+.Nm X509_check_purpose
+.Nd check intended usage of a public key
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft int
+.Fo X509_check_purpose
+.Fa "X509 *certificate"
+.Fa "int purpose"
+.Fa "int ca"
+.Fc
+.Sh DESCRIPTION
+If the
+.Fa ca
+flag is 0,
+.Fn X509_check_purpose
+checks whether the public key contained in the
+.Fa certificate
+is intended to be used for the given
+.Fa purpose ,
+which can be one of the following integer constants.
+The check succeeds if none of the conditions given in the list below
+are violated.
+.Bl -tag -width 1n
+.It Dv X509_PURPOSE_SSL_CLIENT
+.Bl -dash -width 1n -compact
+.It
+If the
+.Fa certificate
+contains an Extended Key Usage extension, it contains the RFC 5280
+.Dq TLS WWW client authentication
+purpose
+.Pq Dv NID_client_auth .
+.It
+If the
+.Fa certificate
+contains a Key Usage extension, the
+.Dv digitalSignature
+bit is set.
+.It
+If the
+.Fa certificate
+contains a Netscape Cert Type extension, the
+.Dq SSL client certificate
+bit is set
+.Pq Dv NS_SSL_CLIENT .
+.El
+.It Dv X509_PURPOSE_SSL_SERVER
+.Bl -dash -width 1n -compact
+.It
+If the
+.Fa certificate
+contains an Extended Key Usage extension, it contains the RFC 5280
+.Dq TLS WWW server authentication
+purpose
+.Pq Dv NID_server_auth
+or the private
+.Dq Netscape Server Gated Crypto
+.Pq Dv NID_ns_sgc
+or
+.Dq Microsoft Server Gated Crypto
+.Pq Dv NID_ms_sgc
+purpose.
+.It
+If the
+.Fa certificate
+contains a Key Usage extension, at least one of the
+.Dv digitalSignature
+and
+.Dv keyEncipherment
+bits is set.
+.It
+If the
+.Fa certificate
+contains a Netscape Cert Type extension, the
+.Dq SSL server certificate
+bit is set
+.Pq Dv NS_SSL_SERVER
+.El
+.It Dv X509_PURPOSE_NS_SSL_SERVER
+.\" check_purpose_ns_ssl_server, "Netscape SSL server"
+This does the same checks as
+.Dv X509_PURPOSE_SSL_SERVER
+and additionally requires that a Key Usage extension, if present,
+has the
+.Dv keyEncipherment
+bit set.
+.It Dv X509_PURPOSE_SMIME_SIGN
+.\" check_purpose_smime_sign, "S/MIME signing"
+.Bl -dash -width 1n -compact
+.It
+If the
+.Fa certificate
+contains an Extended Key Usage extension, it contains the RFC 5280
+.Dq Email protection
+purpose
+.Pq Dv NID_email_protect .
+.It
+If the
+.Fa certificate
+contains a Key Usage extension, at least one of the
+.Dv digitalSignature
+and
+.Dv nonRepudiation
+bits is set.
+.It
+If the
+.Fa certificate
+contains a Netscape Cert Type extension, it has the
+.Dq S/MIME certificate
+bit set.
+If the
+.Dq SSL client certificate
+bit is set but the
+.Dq S/MIME certificate
+bit is not, no decision is made.
+.El
+.It Dv X509_PURPOSE_SMIME_ENCRYPT
+.\" check_purpose_smime_encrypt, "S/MIME encryption"
+.Bl -dash -width 1n -compact
+.It
+If the
+.Fa certificate
+contains an Extended Key Usage extension, it contains the RFC 5280
+.Dq Email protection
+purpose
+.Pq Dv NID_email_protect .
+.It
+If the
+.Fa certificate
+contains a Key Usage extension, the
+.Dv keyEncipherment
+bit is set.
+.It
+If the
+.Fa certificate
+contains a Netscape Cert Type extension, it has the
+.Dq S/MIME certificate
+bit set.
+If the
+.Dq SSL client certificate
+bit is set but the
+.Dq S/MIME certificate
+bit is not, no decision is made.
+.El
+.It Dv X509_PURPOSE_CRL_SIGN
+.\" check_purpose_crl_sign, "CRL signing"
+.Bl -dash -width 1n -compact
+.It
+If the
+.Fa certificate
+contains a Key Usage extension, the
+.Dv cRLSign
+bit is set.
+.El
+.It Dv X509_PURPOSE_ANY
+The check always succeeds.
+.It Dv X509_PURPOSE_OCSP_HELPER
+.\" ocsp_helper, "OCSP helper"
+The check always succeeds.
+The application program is expected
+to do the actual checking by other means.
+.It Dv X509_PURPOSE_TIMESTAMP_SIGN
+.\" check_purpose_timestamp_sign, "Time Stamp signing"
+.Bl -dash -width 1n -compact
+.It
+The
+.Fa certificate
+contains an Extended Key Usage extension containing the RFC 5280
+.Dq Time Stamping
+purpose and no other purpose.
+This extension is marked as critical.
+.It
+If the
+.Fa certificate
+contains a Key Usage extension, at least one of the
+.Dv digitalSignature
+and
+.Dv nonRepudiation
+bits is set, and no other bits are set.
+.El
+.El
+.Pp
+If the
+.Fa ca
+flag is non-zero,
+.Fn X509_check_purpose
+instead checks whether the
+.Fa certificate
+can be used as a certificate authority certificate
+in the context of the given
+.Fa purpose .
+To succeed, the check always requires that none of the following
+conditions are violated:
+.Pp
+.Bl -dash -width 1n -compact
+.It
+If the
+.Fa certificate
+contains a Key Usage extension, the
+.Dv keyCertSign
+bit is set.
+.It
+If the
+.Fa certificate
+contains a Basic Constraints extension, the
+.Fa cA
+field is set.
+.It
+If the
+.Fa certificate
+is a version 1 certificate, the subject name matches the issuer name
+and the certificate is self signed.
+.El
+.Pp
+The check succeeds if none of the additional conditions given in
+the list below are violated.
+.Bl -tag -width 1n
+.It Dv X509_PURPOSE_SSL_CLIENT
+.Bl -dash -width 1n -compact
+.It
+If the
+.Fa certificate
+contains an Extended Key Usage extension, it contains the RFC 5280
+.Dq TLS WWW client authentication
+purpose
+.Pq Dv NID_client_auth .
+.It
+If the
+.Fa certificate
+is not a version 1 certificate and does not contain a Basic Constraints
+extension, it contains a Key Usage extension with the
+.Dv keyCertSign
+bit set or a Netscape Cert Type extension with the
+.Dq SSL CA certificate
+bit set.
+.El
+.It Dv X509_PURPOSE_SSL_SERVER No or Dv X509_PURPOSE_NS_SSL_SERVER
+.Bl -dash -width 1n -compact
+.It
+If the
+.Fa certificate
+contains an Extended Key Usage extension, it contains the RFC 5280
+.Dq TLS WWW server authentication
+purpose
+.Pq Dv NID_server_auth
+or the private
+.Dq Netscape Server Gated Crypto
+.Pq Dv NID_ns_sgc
+or
+.Dq Microsoft Server Gated Crypto
+.Pq Dv NID_ms_sgc
+purpose.
+.It
+If the
+.Fa certificate
+is not a version 1 certificate and does not contain a Basic Constraints
+extension, it contains a Key Usage extension with the
+.Dv keyCertSign
+bit set or a Netscape Cert Type extension with the
+.Dq SSL CA certificate
+bit set.
+.El
+.It Dv X509_PURPOSE_SMIME_SIGN No or Dv X509_PURPOSE_SMIME_ENCRYPT
+.Bl -dash -width 1n -compact
+.It
+If the
+.Fa certificate
+contains an Extended Key Usage extension, it contains the RFC 5280
+.Dq Email protection
+purpose
+.Pq Dv NID_email_protect .
+.It
+If the
+.Fa certificate
+is not a version 1 certificate and does not contain a Basic Constraints
+extension, it contains a Key Usage extension with the
+.Dv keyCertSign
+bit set or a Netscape Cert Type extension with the
+.Dq S/MIME CA certificate
+bit set.
+.El
+.It Xo
+.Dv X509_PURPOSE_CRL_SIGN ,
+.Dv X509_PURPOSE_OCSP_HELPER ,
+or
+.Dv X509_PURPOSE_TIMESTAMP_SIGN
+.Xc
+.Bl -dash -width 1n -compact
+.It
+If the
+.Fa certificate
+is not a version 1 certificate and does not contain a Basic Constraints
+extension, it contains a Key Usage extension with the
+.Dv keyCertSign
+bit set or a Netscape Cert Type extension with at least one of the
+.Dq SSL CA certificate ,
+.Dq S/MIME CA certificate ,
+or
+.Dq Object-signing CA certificate
+bits set.
+.El
+.It Dv X509_PURPOSE_ANY
+The check always succeeds, even if the three common conditions
+cited above this list are violated.
+.El
+.Pp
+If the
+.Fa purpose
+is -1,
+.Fn X509_check_purpose
+always succeeds, no matter whether or not the
+.Fa ca
+flag is set.
+.Sh RETURN VALUES
+.Fn X509_check_purpose
+returns the following values:
+.Bl -column -1 Failure -compact
+.It -1 Ta Error Ta The
+.Fa purpose
+is invalid.
+.It 0 Ta Failure Ta The
+.Fa certificate
+cannot be used for the
+.Fa purpose .
+.El
+.Pp
+If
+.Fa ca
+is 0, the following values can also be returned:
+.Bl -column -1 Failure -compact
+.It 1 Ta Success Ta The
+.Fa certificate
+can be used for the
+.Fa purpose .
+.It 2 Ta Unknown Ta \&No decision can be made.
+.El
+.Pp
+If
+.Fa ca
+is non-zero, the following values can also be returned:
+.Bl -column -1 Failure -compact
+.It 1 Ta Success Ta The
+.Fa certificate
+can be used as a CA for the
+.Fa purpose .
+.It 3 Ta Success Ta The Fa certificate No is a version 1 CA.
+.It 4 Ta Success Ta The Key Usage allows Dv keyCertSign .
+.It 5 Ta Success Ta A Netscape Cert Type allows usage as a CA.
+.El
+.Sh SEE ALSO
+.Xr BASIC_CONSTRAINTS_new 3 ,
+.Xr EXTENDED_KEY_USAGE_new 3 ,
+.Xr X509_new 3 ,
+.Xr X509V3_get_d2i 3 ,
+.Xr x509v3.cnf 5
+.Sh STANDARDS
+RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
+Certificate Revocation List (CRL) Profile
+.Bl -dash -offset indent -compact
+.It
+section 4.2.1.3: Key Usage
+.It
+section 4.2.1.9: Basic Constraints
+.It
+section 4.2.1.12: Extended Key Usage
+.El
+.Sh HISTORY
+.Fn X509_check_purpose
+first appeared in OpenSSL 0.9.5 and has been available since
+.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3
index 25b45b39bd..c7a62c2215 100644
--- a/src/lib/libcrypto/man/X509_new.3
+++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_new.3,v 1.19 2019/08/20 13:27:19 schwarze Exp $
+.\" $OpenBSD: X509_new.3,v 1.20 2019/08/22 15:15:35 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 20 2019 $
+.Dd $Mdocdate: August 22 2019 $
 .Dt X509_NEW 3
 .Os
 .Sh NAME
@@ -146,6 +146,7 @@ if an error occurs.
 .Xr X509_check_host 3 ,
 .Xr X509_check_issued 3 ,
 .Xr X509_check_private_key 3 ,
+.Xr X509_check_purpose 3 ,
 .Xr X509_CINF_new 3 ,
 .Xr X509_cmp 3 ,
 .Xr X509_CRL_new 3 ,

diff --git a/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3 b/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3 index 7a04249adb..cfe6737c41 100644 --- a/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3 +++ b/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: BASIC_CONSTRAINTS_new.3,v 1.4 2019/06/06 01:06:58 schwarze Exp $	1	.\" $OpenBSD: BASIC_CONSTRAINTS_new.3,v 1.5 2019/08/22 15:15:35 schwarze Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: June 6 2019 $	17	.Dd $Mdocdate: August 22 2019 $
18	.Dt BASIC_CONSTRAINTS_NEW 3	18	.Dt BASIC_CONSTRAINTS_NEW 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -68,6 +68,7 @@ object or
68	if an error occurs.	68	if an error occurs.
69	.Sh SEE ALSO	69	.Sh SEE ALSO
70	.Xr d2i_BASIC_CONSTRAINTS 3 ,	70	.Xr d2i_BASIC_CONSTRAINTS 3 ,
		71	.Xr X509_check_purpose 3 ,
71	.Xr X509_EXTENSION_new 3 ,	72	.Xr X509_EXTENSION_new 3 ,
72	.Xr X509_new 3	73	.Xr X509_new 3
73	.Sh STANDARDS	74	.Sh STANDARDS


diff --git a/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3 b/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3 index 4e644b227d..869f538c6f 100644 --- a/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3 +++ b/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: EXTENDED_KEY_USAGE_new.3,v 1.4 2019/06/06 01:06:58 schwarze Exp $	1	.\" $OpenBSD: EXTENDED_KEY_USAGE_new.3,v 1.5 2019/08/22 15:15:35 schwarze Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: June 6 2019 $	17	.Dd $Mdocdate: August 22 2019 $
18	.Dt EXTENDED_KEY_USAGE_NEW 3	18	.Dt EXTENDED_KEY_USAGE_NEW 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -63,6 +63,7 @@ if an error occurs.
63	.Xr BASIC_CONSTRAINTS_new 3 ,	63	.Xr BASIC_CONSTRAINTS_new 3 ,
64	.Xr d2i_EXTENDED_KEY_USAGE 3 ,	64	.Xr d2i_EXTENDED_KEY_USAGE 3 ,
65	.Xr POLICYINFO_new 3 ,	65	.Xr POLICYINFO_new 3 ,
		66	.Xr X509_check_purpose 3 ,
66	.Xr X509_EXTENSION_new 3 ,	67	.Xr X509_EXTENSION_new 3 ,
67	.Xr X509_new 3	68	.Xr X509_new 3
68	.Sh STANDARDS	69	.Sh STANDARDS


diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile index 99536f65aa..c9c74ca337 100644 --- a/src/lib/libcrypto/man/Makefile +++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.152 2019/08/20 13:27:19 schwarze Exp $	1	# $OpenBSD: Makefile,v 1.153 2019/08/22 15:15:35 schwarze Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4		4
@@ -265,6 +265,7 @@ MAN= \
265	X509_check_host.3 \	265	X509_check_host.3 \
266	X509_check_issued.3 \	266	X509_check_issued.3 \
267	X509_check_private_key.3 \	267	X509_check_private_key.3 \
		268	X509_check_purpose.3 \
268	X509_cmp.3 \	269	X509_cmp.3 \
269	X509_cmp_time.3 \	270	X509_cmp_time.3 \
270	X509_digest.3 \	271	X509_digest.3 \


diff --git a/src/lib/libcrypto/man/X509V3_get_d2i.3 b/src/lib/libcrypto/man/X509V3_get_d2i.3 index 70a36530ba..13f1eda35d 100644 --- a/src/lib/libcrypto/man/X509V3_get_d2i.3 +++ b/src/lib/libcrypto/man/X509V3_get_d2i.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509V3_get_d2i.3,v 1.16 2019/06/14 13:59:32 schwarze Exp $	1	.\" $OpenBSD: X509V3_get_d2i.3,v 1.17 2019/08/22 15:15:35 schwarze Exp $
2	.\" full merge up to: OpenSSL ff7fbfd5 Nov 2 11:52:01 2015 +0000	2	.\" full merge up to: OpenSSL ff7fbfd5 Nov 2 11:52:01 2015 +0000
3	.\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400	3	.\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
4	.\"	4	.\"
@@ -49,7 +49,7 @@
49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
51	.\"	51	.\"
52	.Dd $Mdocdate: June 14 2019 $	52	.Dd $Mdocdate: August 22 2019 $
53	.Dt X509V3_GET_D2I 3	53	.Dt X509V3_GET_D2I 3
54	.Os	54	.Os
55	.Sh NAME	55	.Sh NAME
@@ -408,6 +408,7 @@ if no extensions are present.
408	.Sh SEE ALSO	408	.Sh SEE ALSO
409	.Xr d2i_X509 3 ,	409	.Xr d2i_X509 3 ,
410	.Xr d2i_X509_EXTENSION 3 ,	410	.Xr d2i_X509_EXTENSION 3 ,
		411	.Xr X509_check_purpose 3 ,
411	.Xr X509_CRL_get0_by_serial 3 ,	412	.Xr X509_CRL_get0_by_serial 3 ,
412	.Xr X509_CRL_new 3 ,	413	.Xr X509_CRL_new 3 ,
413	.Xr X509_EXTENSION_new 3 ,	414	.Xr X509_EXTENSION_new 3 ,


diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3 new file mode 100644 index 0000000000..b74ea50bef --- /dev/null +++ b/src/lib/libcrypto/man/X509_check_purpose.3
@@ -0,0 +1,389 @@
		1	.\" $OpenBSD: X509_check_purpose.3,v 1.1 2019/08/22 15:15:35 schwarze Exp $
		2	.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
		3	.\"
		4	.\" Permission to use, copy, modify, and distribute this software for any
		5	.\" purpose with or without fee is hereby granted, provided that the above
		6	.\" copyright notice and this permission notice appear in all copies.
		7	.\"
		8	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		9	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		10	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		11	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		12	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		13	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		14	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		15	.\"
		16	.Dd $Mdocdate: August 22 2019 $
		17	.Dt X509_CHECK_PURPOSE 3
		18	.Os
		19	.Sh NAME
		20	.Nm X509_check_purpose
		21	.Nd check intended usage of a public key
		22	.Sh SYNOPSIS
		23	.In openssl/x509v3.h
		24	.Ft int
		25	.Fo X509_check_purpose
		26	.Fa "X509 *certificate"
		27	.Fa "int purpose"
		28	.Fa "int ca"
		29	.Fc
		30	.Sh DESCRIPTION
		31	If the
		32	.Fa ca
		33	flag is 0,
		34	.Fn X509_check_purpose
		35	checks whether the public key contained in the
		36	.Fa certificate
		37	is intended to be used for the given
		38	.Fa purpose ,
		39	which can be one of the following integer constants.
		40	The check succeeds if none of the conditions given in the list below
		41	are violated.
		42	.Bl -tag -width 1n
		43	.It Dv X509_PURPOSE_SSL_CLIENT
		44	.Bl -dash -width 1n -compact
		45	.It
		46	If the
		47	.Fa certificate
		48	contains an Extended Key Usage extension, it contains the RFC 5280
		49	.Dq TLS WWW client authentication
		50	purpose
		51	.Pq Dv NID_client_auth .
		52	.It
		53	If the
		54	.Fa certificate
		55	contains a Key Usage extension, the
		56	.Dv digitalSignature
		57	bit is set.
		58	.It
		59	If the
		60	.Fa certificate
		61	contains a Netscape Cert Type extension, the
		62	.Dq SSL client certificate
		63	bit is set
		64	.Pq Dv NS_SSL_CLIENT .
		65	.El
		66	.It Dv X509_PURPOSE_SSL_SERVER
		67	.Bl -dash -width 1n -compact
		68	.It
		69	If the
		70	.Fa certificate
		71	contains an Extended Key Usage extension, it contains the RFC 5280
		72	.Dq TLS WWW server authentication
		73	purpose
		74	.Pq Dv NID_server_auth
		75	or the private
		76	.Dq Netscape Server Gated Crypto
		77	.Pq Dv NID_ns_sgc
		78	or
		79	.Dq Microsoft Server Gated Crypto
		80	.Pq Dv NID_ms_sgc
		81	purpose.
		82	.It
		83	If the
		84	.Fa certificate
		85	contains a Key Usage extension, at least one of the
		86	.Dv digitalSignature
		87	and
		88	.Dv keyEncipherment
		89	bits is set.
		90	.It
		91	If the
		92	.Fa certificate
		93	contains a Netscape Cert Type extension, the
		94	.Dq SSL server certificate
		95	bit is set
		96	.Pq Dv NS_SSL_SERVER
		97	.El
		98	.It Dv X509_PURPOSE_NS_SSL_SERVER
		99	.\" check_purpose_ns_ssl_server, "Netscape SSL server"
		100	This does the same checks as
		101	.Dv X509_PURPOSE_SSL_SERVER
		102	and additionally requires that a Key Usage extension, if present,
		103	has the
		104	.Dv keyEncipherment
		105	bit set.
		106	.It Dv X509_PURPOSE_SMIME_SIGN
		107	.\" check_purpose_smime_sign, "S/MIME signing"
		108	.Bl -dash -width 1n -compact
		109	.It
		110	If the
		111	.Fa certificate
		112	contains an Extended Key Usage extension, it contains the RFC 5280
		113	.Dq Email protection
		114	purpose
		115	.Pq Dv NID_email_protect .
		116	.It
		117	If the
		118	.Fa certificate
		119	contains a Key Usage extension, at least one of the
		120	.Dv digitalSignature
		121	and
		122	.Dv nonRepudiation
		123	bits is set.
		124	.It
		125	If the
		126	.Fa certificate
		127	contains a Netscape Cert Type extension, it has the
		128	.Dq S/MIME certificate
		129	bit set.
		130	If the
		131	.Dq SSL client certificate
		132	bit is set but the
		133	.Dq S/MIME certificate
		134	bit is not, no decision is made.
		135	.El
		136	.It Dv X509_PURPOSE_SMIME_ENCRYPT
		137	.\" check_purpose_smime_encrypt, "S/MIME encryption"
		138	.Bl -dash -width 1n -compact
		139	.It
		140	If the
		141	.Fa certificate
		142	contains an Extended Key Usage extension, it contains the RFC 5280
		143	.Dq Email protection
		144	purpose
		145	.Pq Dv NID_email_protect .
		146	.It
		147	If the
		148	.Fa certificate
		149	contains a Key Usage extension, the
		150	.Dv keyEncipherment
		151	bit is set.
		152	.It
		153	If the
		154	.Fa certificate
		155	contains a Netscape Cert Type extension, it has the
		156	.Dq S/MIME certificate
		157	bit set.
		158	If the
		159	.Dq SSL client certificate
		160	bit is set but the
		161	.Dq S/MIME certificate
		162	bit is not, no decision is made.
		163	.El
		164	.It Dv X509_PURPOSE_CRL_SIGN
		165	.\" check_purpose_crl_sign, "CRL signing"
		166	.Bl -dash -width 1n -compact
		167	.It
		168	If the
		169	.Fa certificate
		170	contains a Key Usage extension, the
		171	.Dv cRLSign
		172	bit is set.
		173	.El
		174	.It Dv X509_PURPOSE_ANY
		175	The check always succeeds.
		176	.It Dv X509_PURPOSE_OCSP_HELPER
		177	.\" ocsp_helper, "OCSP helper"
		178	The check always succeeds.
		179	The application program is expected
		180	to do the actual checking by other means.
		181	.It Dv X509_PURPOSE_TIMESTAMP_SIGN
		182	.\" check_purpose_timestamp_sign, "Time Stamp signing"
		183	.Bl -dash -width 1n -compact
		184	.It
		185	The
		186	.Fa certificate
		187	contains an Extended Key Usage extension containing the RFC 5280
		188	.Dq Time Stamping
		189	purpose and no other purpose.
		190	This extension is marked as critical.
		191	.It
		192	If the
		193	.Fa certificate
		194	contains a Key Usage extension, at least one of the
		195	.Dv digitalSignature
		196	and
		197	.Dv nonRepudiation
		198	bits is set, and no other bits are set.
		199	.El
		200	.El
		201	.Pp
		202	If the
		203	.Fa ca
		204	flag is non-zero,
		205	.Fn X509_check_purpose
		206	instead checks whether the
		207	.Fa certificate
		208	can be used as a certificate authority certificate
		209	in the context of the given
		210	.Fa purpose .
		211	To succeed, the check always requires that none of the following
		212	conditions are violated:
		213	.Pp
		214	.Bl -dash -width 1n -compact
		215	.It
		216	If the
		217	.Fa certificate
		218	contains a Key Usage extension, the
		219	.Dv keyCertSign
		220	bit is set.
		221	.It
		222	If the
		223	.Fa certificate
		224	contains a Basic Constraints extension, the
		225	.Fa cA
		226	field is set.
		227	.It
		228	If the
		229	.Fa certificate
		230	is a version 1 certificate, the subject name matches the issuer name
		231	and the certificate is self signed.
		232	.El
		233	.Pp
		234	The check succeeds if none of the additional conditions given in
		235	the list below are violated.
		236	.Bl -tag -width 1n
		237	.It Dv X509_PURPOSE_SSL_CLIENT
		238	.Bl -dash -width 1n -compact
		239	.It
		240	If the
		241	.Fa certificate
		242	contains an Extended Key Usage extension, it contains the RFC 5280
		243	.Dq TLS WWW client authentication
		244	purpose
		245	.Pq Dv NID_client_auth .
		246	.It
		247	If the
		248	.Fa certificate
		249	is not a version 1 certificate and does not contain a Basic Constraints
		250	extension, it contains a Key Usage extension with the
		251	.Dv keyCertSign
		252	bit set or a Netscape Cert Type extension with the
		253	.Dq SSL CA certificate
		254	bit set.
		255	.El
		256	.It Dv X509_PURPOSE_SSL_SERVER No or Dv X509_PURPOSE_NS_SSL_SERVER
		257	.Bl -dash -width 1n -compact
		258	.It
		259	If the
		260	.Fa certificate
		261	contains an Extended Key Usage extension, it contains the RFC 5280
		262	.Dq TLS WWW server authentication
		263	purpose
		264	.Pq Dv NID_server_auth
		265	or the private
		266	.Dq Netscape Server Gated Crypto
		267	.Pq Dv NID_ns_sgc
		268	or
		269	.Dq Microsoft Server Gated Crypto
		270	.Pq Dv NID_ms_sgc
		271	purpose.
		272	.It
		273	If the
		274	.Fa certificate
		275	is not a version 1 certificate and does not contain a Basic Constraints
		276	extension, it contains a Key Usage extension with the
		277	.Dv keyCertSign
		278	bit set or a Netscape Cert Type extension with the
		279	.Dq SSL CA certificate
		280	bit set.
		281	.El
		282	.It Dv X509_PURPOSE_SMIME_SIGN No or Dv X509_PURPOSE_SMIME_ENCRYPT
		283	.Bl -dash -width 1n -compact
		284	.It
		285	If the
		286	.Fa certificate
		287	contains an Extended Key Usage extension, it contains the RFC 5280
		288	.Dq Email protection
		289	purpose
		290	.Pq Dv NID_email_protect .
		291	.It
		292	If the
		293	.Fa certificate
		294	is not a version 1 certificate and does not contain a Basic Constraints
		295	extension, it contains a Key Usage extension with the
		296	.Dv keyCertSign
		297	bit set or a Netscape Cert Type extension with the
		298	.Dq S/MIME CA certificate
		299	bit set.
		300	.El
		301	.It Xo
		302	.Dv X509_PURPOSE_CRL_SIGN ,
		303	.Dv X509_PURPOSE_OCSP_HELPER ,
		304	or
		305	.Dv X509_PURPOSE_TIMESTAMP_SIGN
		306	.Xc
		307	.Bl -dash -width 1n -compact
		308	.It
		309	If the
		310	.Fa certificate
		311	is not a version 1 certificate and does not contain a Basic Constraints
		312	extension, it contains a Key Usage extension with the
		313	.Dv keyCertSign
		314	bit set or a Netscape Cert Type extension with at least one of the
		315	.Dq SSL CA certificate ,
		316	.Dq S/MIME CA certificate ,
		317	or
		318	.Dq Object-signing CA certificate
		319	bits set.
		320	.El
		321	.It Dv X509_PURPOSE_ANY
		322	The check always succeeds, even if the three common conditions
		323	cited above this list are violated.
		324	.El
		325	.Pp
		326	If the
		327	.Fa purpose
		328	is -1,
		329	.Fn X509_check_purpose
		330	always succeeds, no matter whether or not the
		331	.Fa ca
		332	flag is set.
		333	.Sh RETURN VALUES
		334	.Fn X509_check_purpose
		335	returns the following values:
		336	.Bl -column -1 Failure -compact
		337	.It -1 Ta Error Ta The
		338	.Fa purpose
		339	is invalid.
		340	.It 0 Ta Failure Ta The
		341	.Fa certificate
		342	cannot be used for the
		343	.Fa purpose .
		344	.El
		345	.Pp
		346	If
		347	.Fa ca
		348	is 0, the following values can also be returned:
		349	.Bl -column -1 Failure -compact
		350	.It 1 Ta Success Ta The
		351	.Fa certificate
		352	can be used for the
		353	.Fa purpose .
		354	.It 2 Ta Unknown Ta \&No decision can be made.
		355	.El
		356	.Pp
		357	If
		358	.Fa ca
		359	is non-zero, the following values can also be returned:
		360	.Bl -column -1 Failure -compact
		361	.It 1 Ta Success Ta The
		362	.Fa certificate
		363	can be used as a CA for the
		364	.Fa purpose .
		365	.It 3 Ta Success Ta The Fa certificate No is a version 1 CA.
		366	.It 4 Ta Success Ta The Key Usage allows Dv keyCertSign .
		367	.It 5 Ta Success Ta A Netscape Cert Type allows usage as a CA.
		368	.El
		369	.Sh SEE ALSO
		370	.Xr BASIC_CONSTRAINTS_new 3 ,
		371	.Xr EXTENDED_KEY_USAGE_new 3 ,
		372	.Xr X509_new 3 ,
		373	.Xr X509V3_get_d2i 3 ,
		374	.Xr x509v3.cnf 5
		375	.Sh STANDARDS
		376	RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
		377	Certificate Revocation List (CRL) Profile
		378	.Bl -dash -offset indent -compact
		379	.It
		380	section 4.2.1.3: Key Usage
		381	.It
		382	section 4.2.1.9: Basic Constraints
		383	.It
		384	section 4.2.1.12: Extended Key Usage
		385	.El
		386	.Sh HISTORY
		387	.Fn X509_check_purpose
		388	first appeared in OpenSSL 0.9.5 and has been available since
		389	.Ox 2.7 .


diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3 index 25b45b39bd..c7a62c2215 100644 --- a/src/lib/libcrypto/man/X509_new.3 +++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_new.3,v 1.19 2019/08/20 13:27:19 schwarze Exp $	1	.\" $OpenBSD: X509_new.3,v 1.20 2019/08/22 15:15:35 schwarze Exp $
2	.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400	2	.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
3	.\"	3	.\"
4	.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.	4	.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
51	.\"	51	.\"
52	.Dd $Mdocdate: August 20 2019 $	52	.Dd $Mdocdate: August 22 2019 $
53	.Dt X509_NEW 3	53	.Dt X509_NEW 3
54	.Os	54	.Os
55	.Sh NAME	55	.Sh NAME
@@ -146,6 +146,7 @@ if an error occurs.
146	.Xr X509_check_host 3 ,	146	.Xr X509_check_host 3 ,
147	.Xr X509_check_issued 3 ,	147	.Xr X509_check_issued 3 ,
148	.Xr X509_check_private_key 3 ,	148	.Xr X509_check_private_key 3 ,
		149	.Xr X509_check_purpose 3 ,
149	.Xr X509_CINF_new 3 ,	150	.Xr X509_CINF_new 3 ,
150	.Xr X509_cmp 3 ,	151	.Xr X509_cmp 3 ,
151	.Xr X509_CRL_new 3 ,	152	.Xr X509_CRL_new 3 ,