From 8e37af7cdb18290db5d3f946dab347291b3a85a3 Mon Sep 17 00:00:00 2001 From: schwarze <> Date: Fri, 4 Nov 2016 15:29:03 +0000 Subject: convert X509 manuals from pod to mdoc --- .../libcrypto/doc/X509_NAME_ENTRY_get_object.pod | 70 ----- .../libcrypto/doc/X509_NAME_add_entry_by_txt.pod | 117 -------- .../libcrypto/doc/X509_NAME_get_index_by_NID.pod | 102 ------- src/lib/libcrypto/doc/X509_NAME_print_ex.pod | 103 ------- src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod | 323 --------------------- .../doc/X509_STORE_CTX_get_ex_new_index.pod | 43 --- src/lib/libcrypto/doc/X509_STORE_CTX_new.pod | 126 -------- .../libcrypto/doc/X509_STORE_CTX_set_verify_cb.pod | 165 ----------- .../doc/X509_STORE_set_verify_cb_func.pod | 54 ---- .../libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod | 172 ----------- src/lib/libcrypto/doc/X509_new.pod | 38 --- src/lib/libcrypto/doc/X509_verify_cert.pod | 53 ---- src/lib/libcrypto/doc/d2i_X509.pod | 231 --------------- src/lib/libcrypto/doc/d2i_X509_ALGOR.pod | 26 -- src/lib/libcrypto/doc/d2i_X509_CRL.pod | 33 --- src/lib/libcrypto/doc/d2i_X509_NAME.pod | 27 -- src/lib/libcrypto/doc/d2i_X509_REQ.pod | 32 -- src/lib/libcrypto/doc/d2i_X509_SIG.pod | 26 -- src/lib/libcrypto/doc/x509.pod | 64 ---- 19 files changed, 1805 deletions(-) delete mode 100644 src/lib/libcrypto/doc/X509_NAME_ENTRY_get_object.pod delete mode 100644 src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod delete mode 100644 src/lib/libcrypto/doc/X509_NAME_get_index_by_NID.pod delete mode 100644 src/lib/libcrypto/doc/X509_NAME_print_ex.pod delete mode 100644 src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod delete mode 100644 src/lib/libcrypto/doc/X509_STORE_CTX_get_ex_new_index.pod delete mode 100644 src/lib/libcrypto/doc/X509_STORE_CTX_new.pod delete mode 100644 src/lib/libcrypto/doc/X509_STORE_CTX_set_verify_cb.pod delete mode 100644 src/lib/libcrypto/doc/X509_STORE_set_verify_cb_func.pod delete mode 100644 src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod delete mode 100644 src/lib/libcrypto/doc/X509_new.pod delete mode 100644 src/lib/libcrypto/doc/X509_verify_cert.pod delete mode 100644 src/lib/libcrypto/doc/d2i_X509.pod delete mode 100644 src/lib/libcrypto/doc/d2i_X509_ALGOR.pod delete mode 100644 src/lib/libcrypto/doc/d2i_X509_CRL.pod delete mode 100644 src/lib/libcrypto/doc/d2i_X509_NAME.pod delete mode 100644 src/lib/libcrypto/doc/d2i_X509_REQ.pod delete mode 100644 src/lib/libcrypto/doc/d2i_X509_SIG.pod delete mode 100644 src/lib/libcrypto/doc/x509.pod (limited to 'src/lib/libcrypto/doc') diff --git a/src/lib/libcrypto/doc/X509_NAME_ENTRY_get_object.pod b/src/lib/libcrypto/doc/X509_NAME_ENTRY_get_object.pod deleted file mode 100644 index 4603202db8..0000000000 --- a/src/lib/libcrypto/doc/X509_NAME_ENTRY_get_object.pod +++ /dev/null @@ -1,70 +0,0 @@ -=pod - -=head1 NAME - -X509_NAME_ENTRY_get_object, X509_NAME_ENTRY_get_data, -X509_NAME_ENTRY_set_object, X509_NAME_ENTRY_set_data, -X509_NAME_ENTRY_create_by_txt, X509_NAME_ENTRY_create_by_NID, -X509_NAME_ENTRY_create_by_OBJ - X509_NAME_ENTRY utility functions - -=head1 SYNOPSIS - - #include - - ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne); - ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne); - - int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj); - int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, const unsigned char *bytes, int len); - - X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, const char *field, int type, const unsigned char *bytes, int len); - X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type,unsigned char *bytes, int len); - X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len); - -=head1 DESCRIPTION - -X509_NAME_ENTRY_get_object() retrieves the field name of B in -and B structure. - -X509_NAME_ENTRY_get_data() retrieves the field value of B in -and B structure. - -X509_NAME_ENTRY_set_object() sets the field name of B to B. - -X509_NAME_ENTRY_set_data() sets the field value of B to string type -B and value determined by B and B. - -X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_NID() -and X509_NAME_ENTRY_create_by_OBJ() create and return an -B structure. - -=head1 NOTES - -X509_NAME_ENTRY_get_object() and X509_NAME_ENTRY_get_data() can be -used to examine an B function as returned by -X509_NAME_get_entry() for example. - -X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_NID(), -and X509_NAME_ENTRY_create_by_OBJ() create and return an - -X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_OBJ(), -X509_NAME_ENTRY_create_by_NID() and X509_NAME_ENTRY_set_data() -are seldom used in practice because B structures -are almost always part of B structures and the -corresponding B functions are typically used to -create and add new entries in a single operation. - -The arguments of these functions support similar options to the similarly -named ones of the corresponding B functions such as -X509_NAME_add_entry_by_txt(). So for example B can be set to -B but in the case of X509_set_data() the field name must be -set first so the relevant field information can be looked up internally. - -=head1 RETURN VALUES - -=head1 SEE ALSO - -L, L, -L - -=cut diff --git a/src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod b/src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod deleted file mode 100644 index f97e05e683..0000000000 --- a/src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod +++ /dev/null @@ -1,117 +0,0 @@ -=pod - -=head1 NAME - -X509_NAME_add_entry_by_txt, X509_NAME_add_entry_by_OBJ, -X509_NAME_add_entry_by_NID, X509_NAME_add_entry, X509_NAME_delete_entry - -X509_NAME modification functions - -=head1 SYNOPSIS - - #include - - int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, const unsigned char *bytes, int len, int loc, int set); - - int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, unsigned char *bytes, int len, int loc, int set); - - int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, unsigned char *bytes, int len, int loc, int set); - - int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne, int loc, int set); - - X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc); - -=head1 DESCRIPTION - -X509_NAME_add_entry_by_txt(), X509_NAME_add_entry_by_OBJ() and -X509_NAME_add_entry_by_NID() add a field whose name is defined -by a string B, an object B or a NID B respectively. -The field value to be added is in B of length B. If -B is -1 then the field length is calculated internally using -strlen(bytes). - -The type of field is determined by B which can either be a -definition of the type of B (such as B) or a -standard ASN1 type (such as B). The new entry is -added to a position determined by B and B. - -X509_NAME_add_entry() adds a copy of B structure B -to B. The new entry is added to a position determined by B -and B. Since a copy of B is added B must be freed up after -the call. - -X509_NAME_delete_entry() deletes an entry from B at position -B. The deleted entry is returned and must be freed up. - -=head1 NOTES - -The use of string types such as B or B -is strongly recommended for the B parameter. This allows the -internal code to correctly determine the type of the field and to -apply length checks according to the relevant standards. This is -done using ASN1_STRING_set_by_NID(). - -If instead an ASN1 type is used no checks are performed and the -supplied data in B is used directly. - -In X509_NAME_add_entry_by_txt() the B string represents -the field name using OBJ_txt2obj(field, 0). - -The B and B parameters determine where a new entry should -be added. For almost all applications B can be set to -1 and B -to 0. This adds a new entry to the end of B as a single valued -RelativeDistinguishedName (RDN). - -B actually determines the index where the new entry is inserted: -if it is -1 it is appended. - -B determines how the new type is added. If it is zero a -new RDN is created. - -If B is -1 or 1 it is added to the previous or next RDN -structure respectively. This will then be a multivalued RDN: -since multivalues RDNs are very seldom used B is almost -always set to zero. - -=head1 EXAMPLES - -Create an B structure: - -"C=UK, O=Disorganized Organization, CN=Joe Bloggs" - - X509_NAME *nm; - nm = X509_NAME_new(); - if (nm == NULL) - /* Some error */ - if (!X509_NAME_add_entry_by_txt(nm, MBSTRING_ASC, - "C", "UK", -1, -1, 0)) - /* Error */ - if (!X509_NAME_add_entry_by_txt(nm, MBSTRING_ASC, - "O", "Disorganized Organization", -1, -1, 0)) - /* Error */ - if (!X509_NAME_add_entry_by_txt(nm, MBSTRING_ASC, - "CN", "Joe Bloggs", -1, -1, 0)) - /* Error */ - -=head1 RETURN VALUES - -X509_NAME_add_entry_by_txt(), X509_NAME_add_entry_by_OBJ(), -X509_NAME_add_entry_by_NID() and X509_NAME_add_entry() return 1 for -success of 0 if an error occurred. - -X509_NAME_delete_entry() returns either the deleted B -structure of B if an error occurred. - -=head1 BUGS - -B can still be set to B to use a -different algorithm to determine field types. Since this form does -not understand multicharacter types, performs no length checks and -can result in invalid field types its use is strongly discouraged. - -=head1 SEE ALSO - -L, L - -=head1 HISTORY - -=cut diff --git a/src/lib/libcrypto/doc/X509_NAME_get_index_by_NID.pod b/src/lib/libcrypto/doc/X509_NAME_get_index_by_NID.pod deleted file mode 100644 index 48510890e8..0000000000 --- a/src/lib/libcrypto/doc/X509_NAME_get_index_by_NID.pod +++ /dev/null @@ -1,102 +0,0 @@ -=pod - -=head1 NAME - -X509_NAME_get_index_by_NID, X509_NAME_get_index_by_OBJ, X509_NAME_get_entry, -X509_NAME_entry_count, X509_NAME_get_text_by_NID, X509_NAME_get_text_by_OBJ - -X509_NAME lookup and enumeration functions - -=head1 SYNOPSIS - - #include - - int X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int lastpos); - int X509_NAME_get_index_by_OBJ(X509_NAME *name,ASN1_OBJECT *obj, int lastpos); - - int X509_NAME_entry_count(X509_NAME *name); - X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc); - - int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf,int len); - int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,int len); - -=head1 DESCRIPTION - -These functions allow an B structure to be examined. The -B structure is the same as the B type defined in -RFC2459 (and elsewhere) and used for example in certificate subject -and issuer names. - -X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ() retrieve -the next index matching B or B after B. B -should initially be set to -1. If there are no more entries -1 is returned. - -X509_NAME_entry_count() returns the total number of entries in B. - -X509_NAME_get_entry() retrieves the B from B -corresponding to index B. Acceptable values for B run from -0 to (X509_NAME_entry_count(name) - 1). The value returned is an -internal pointer which must not be freed. - -X509_NAME_get_text_by_NID(), X509_NAME_get_text_by_OBJ() retrieve -the "text" from the first entry in B which matches B or -B, if no such entry exists -1 is returned. At most B bytes -will be written and the text written to B will be null -terminated. The length of the output string written is returned -excluding the terminating null. If B is then the amount -of space needed in B (excluding the final null) is returned. - -=head1 NOTES - -X509_NAME_get_text_by_NID() and X509_NAME_get_text_by_OBJ() are -legacy functions which have various limitations which make them -of minimal use in practice. They can only find the first matching -entry and will copy the contents of the field verbatim: this can -be highly confusing if the target is a multicharacter string type -like a BMPString or a UTF8String. - -For a more general solution X509_NAME_get_index_by_NID() or -X509_NAME_get_index_by_OBJ() should be used followed by -X509_NAME_get_entry() on any matching indices and then the -various B utility functions on the result. - -=head1 EXAMPLES - -Process all entries: - - int i; - X509_NAME_ENTRY *e; - - for (i = 0; i < X509_NAME_entry_count(nm); i++) { - e = X509_NAME_get_entry(nm, i); - /* Do something with e */ - } - -Process all commonName entries: - - int loc; - X509_NAME_ENTRY *e; - - loc = -1; - for (;;) { - lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos); - if (lastpos == -1) - break; - e = X509_NAME_get_entry(nm, lastpos); - /* Do something with e */ - } - -=head1 RETURN VALUES - -X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ() -return the index of the next matching entry or -1 if not found. - -X509_NAME_entry_count() returns the total number of entries. - -X509_NAME_get_entry() returns an B pointer to the -requested entry or B if the index is invalid. - -=head1 SEE ALSO - -L, L - -=cut diff --git a/src/lib/libcrypto/doc/X509_NAME_print_ex.pod b/src/lib/libcrypto/doc/X509_NAME_print_ex.pod deleted file mode 100644 index 5cdf636c16..0000000000 --- a/src/lib/libcrypto/doc/X509_NAME_print_ex.pod +++ /dev/null @@ -1,103 +0,0 @@ -=pod - -=head1 NAME - -X509_NAME_print_ex, X509_NAME_print_ex_fp, X509_NAME_print, -X509_NAME_oneline - X509_NAME printing routines. - -=head1 SYNOPSIS - - #include - - int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags); - int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags); - char * X509_NAME_oneline(X509_NAME *a,char *buf,int size); - int X509_NAME_print(BIO *bp, X509_NAME *name, int obase); - -=head1 DESCRIPTION - -X509_NAME_print_ex() prints a human readable version of B to BIO B. -Each line (for multiline formats) is indented by B spaces. The output -format can be extensively customised by use of the B parameter. - -X509_NAME_print_ex_fp() is identical to X509_NAME_print_ex() except the output -is written to FILE pointer B. - -X509_NAME_oneline() prints an ASCII version of B to B. At most B -bytes will be written. If B is B then a buffer is dynamically -allocated and returned, otherwise B is returned. - -X509_NAME_print() prints out B to B indenting each line by B -characters. Multiple lines are used if the output (including indent) exceeds -80 characters. - -=head1 NOTES - -The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions -which produce a non standard output form, they don't handle multi character -fields and have various quirks and inconsistencies. Their use is strongly -discouraged in new applications. - -Although there are a large number of possible flags for most purposes -B, B or B will suffice. -As noted on the L manual page -for UTF8 terminals the B should be unset: so for example -B would be used. - -The complete set of the flags supported by X509_NAME_print_ex() is listed below. - -Several options can be ored together. - -The options B, B, -B and B determine the field -separators to use. Two distinct separators are used between distinct -RelativeDistinguishedName components and separate values in the same RDN for a -multi-valued RDN. Multi-valued RDNs are currently very rare so the second -separator will hardly ever be used. - -B uses comma and plus as separators. -B uses comma and plus with spaces: this is more readable -that plain comma and plus. B uses spaced semicolon and -plus. B uses spaced newline and plus respectively. - -If B is set the whole DN is printed in reversed order. - -The fields B, B, B, -B determine how a field name is displayed. It will -use the short name (e.g. CN) the long name (e.g. commonName) always -use OID numerical form (normally OIDs are only used if the field name is not -recognised) and no field name respectively. - -If B is set then spaces will be placed around the '=' character -separating field names and values. - -If B is set then the encoding of unknown fields is -printed instead of the values. - -If B is set then field names are padded to 20 characters: this -is only of use for multiline format. - -Additionally all the options supported by ASN1_STRING_print_ex() can be used to -control how each field value is displayed. - -In addition a number options can be set for commonly used formats. - -B sets options which produce an output compatible with RFC2253 it -is equivalent to: - B - - -B is a more readable one line format which is the same as: - B - -B is a multiline format which is the same as: - B - -B uses a format identical to X509_NAME_print(): in fact it -calls X509_NAME_print() internally. - -=head1 SEE ALSO - -L - -=cut diff --git a/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod b/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod deleted file mode 100644 index 270b265ce5..0000000000 --- a/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod +++ /dev/null @@ -1,323 +0,0 @@ -=pod - -=head1 NAME - -X509_STORE_CTX_get_error, X509_STORE_CTX_set_error, -X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert, -X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set -certificate verification status information - -=head1 SYNOPSIS - - #include - #include - - int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx); - void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s); - int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx); - X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx); - - STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx); - - const char *X509_verify_cert_error_string(long n); - -=head1 DESCRIPTION - -These functions are typically called after X509_verify_cert() has indicated -an error or in a verification callback to determine the nature of an error. - -X509_STORE_CTX_get_error() returns the error code of B, see -the B section for a full description of all error codes. - -X509_STORE_CTX_set_error() sets the error code of B to B. For example -it might be used in a verification callback to set an error based on additional -checks. - -X509_STORE_CTX_get_error_depth() returns the B of the error. This is a -non-negative integer representing where in the certificate chain the error -occurred. If it is zero it occurred in the end entity certificate, one if -it is the certificate which signed the end entity certificate and so on. - -X509_STORE_CTX_get_current_cert() returns the certificate in B which -caused the error or B if no certificate is relevant. - -X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous -call to X509_verify_cert() is successful. If the call to X509_verify_cert() -is B successful the returned chain may be incomplete or invalid. The -returned chain persists after the B structure is freed, when it is -no longer needed it should be free up using: - - sk_X509_pop_free(chain, X509_free); - -X509_verify_cert_error_string() returns a human readable error string for -verification error B. - -=head1 RETURN VALUES - -X509_STORE_CTX_get_error() returns B or an error code. - -X509_STORE_CTX_get_error_depth() returns a non-negative error depth. - -X509_STORE_CTX_get_current_cert() returns the certificate which caused the -error or B if no certificate is relevant to the error. - -X509_verify_cert_error_string() returns a human readable error string for -verification error B. - -=head1 ERROR CODES - -A list of error codes and messages is shown below. Some of the -error codes are defined but currently never returned: these are described as -"unused". - -=over 4 - -=item B - -the operation was successful. - -=item B - -the issuer certificate could not be found: this occurs if the issuer certificate -of an untrusted certificate cannot be found. - -=item B - -the CRL of a certificate could not be found. - -=item B - -the certificate signature could not be decrypted. This means that the actual -signature value could not be determined rather than it not matching the -expected value, this is only meaningful for RSA keys. - -=item B - -the CRL signature could not be decrypted: this means that the actual signature -value could not be determined rather than it not matching the expected value. -Unused. - -=item B - -the public key in the certificate SubjectPublicKeyInfo could not be read. - -=item B - -the signature of the certificate is invalid. - -=item B - -the signature of the certificate is invalid. - -=item B - -the certificate is not yet valid: the notBefore date is after the current time. - -=item B - -the certificate has expired: that is the notAfter date is before the current -time. - -=item B - -the CRL is not yet valid. - -=item B - -the CRL has expired. - -=item B - -the certificate notBefore field contains an invalid time. - -=item B - -the certificate notAfter field contains an invalid time. - -=item B - -the CRL lastUpdate field contains an invalid time. - -=item B - -the CRL nextUpdate field contains an invalid time. - -=item B - -an error occurred trying to allocate memory. This should never happen. - -=item B - -the passed certificate is self signed and the same certificate cannot be found -in the list of trusted certificates. - -=item B - -the certificate chain could be built up using the untrusted certificates but -the root could not be found locally. - -=item B - -the issuer certificate of a locally looked up certificate could not be found. -This normally means the list of trusted certificates is not complete. - -=item B - -no signatures could be verified because the chain contains only one certificate -and it is not self signed. - -=item B - -the certificate chain length is greater than the supplied maximum depth. Unused. - -=item B - -the certificate has been revoked. - -=item B - -a CA certificate is invalid. Either it is not a CA or its extensions are not -consistent with the supplied purpose. - -=item B - -the basicConstraints pathlength parameter has been exceeded. - -=item B - -the supplied certificate cannot be used for the specified purpose. - -=item B - -the root CA is not marked as trusted for the specified purpose. - -=item B - -the root CA is marked to reject the specified purpose. - -=item B - -the current candidate issuer certificate was rejected because its subject name -did not match the issuer name of the current certificate. This is only set -if issuer check debugging is enabled it is used for status notification and -is B in itself an error. - -=item B - -the current candidate issuer certificate was rejected because its subject key -identifier was present and did not match the authority key identifier current -certificate. This is only set if issuer check debugging is enabled it is used -for status notification and is B in itself an error. - -=item B - -the current candidate issuer certificate was rejected because its issuer name -and serial number was present and did not match the authority key identifier of -the current certificate. This is only set if issuer check debugging is enabled -it is used for status notification and is B in itself an error. - -=item B - -the current candidate issuer certificate was rejected because its keyUsage -extension does not permit certificate signing. This is only set if issuer check -debugging is enabled it is used for status notification and is B in itself -an error. - -=item B - -A certificate extension had an invalid value (for example an incorrect -encoding) or some value inconsistent with other extensions. - - -=item B - -A certificate policies extension had an invalid value (for example an incorrect -encoding) or some value inconsistent with other extensions. This error only -occurs if policy processing is enabled. - -=item B - -The verification flags were set to require and explicit policy but none was -present. - -=item B - -The only CRLs that could be found did not match the scope of the certificate. - -=item B - -Some feature of a certificate extension is not supported. Unused. - -=item B - -A name constraint violation occurred in the permitted subtrees. - -=item B - -A name constraint violation occurred in the excluded subtrees. - -=item B - -A certificate name constraints extension included a minimum or maximum field: -this is not supported. - -=item B - -An unsupported name constraint type was encountered. OpenSSL currently only -supports directory name, DNS name, email and URI types. - -=item B - -The format of the name constraint is not recognised: for example an email -address format of a form not mentioned in RFC3280. This could be caused by -a garbage extension or some new feature not currently supported. - -=item B - -An error occurred when attempting to verify the CRL path. This error can only -happen if extended CRL checking is enabled. - -=item B - -an application specific error. This will never be returned unless explicitly -set by an application. - -=back - -=head1 NOTES - -The above functions should be used instead of directly referencing the fields -in the B structure. - -In versions of OpenSSL before 1.0 the current certificate returned by -X509_STORE_CTX_get_current_cert() was never B. Applications should -check the return value before printing out any debugging information relating -to the current certificate. - -If an unrecognised error code is passed to X509_verify_cert_error_string() the -numerical value of the unknown code is returned in a static buffer. This is not -thread safe but will never happen unless an invalid code is passed. - -=head1 SEE ALSO - -L - -=cut diff --git a/src/lib/libcrypto/doc/X509_STORE_CTX_get_ex_new_index.pod b/src/lib/libcrypto/doc/X509_STORE_CTX_get_ex_new_index.pod deleted file mode 100644 index 25224cef1b..0000000000 --- a/src/lib/libcrypto/doc/X509_STORE_CTX_get_ex_new_index.pod +++ /dev/null @@ -1,43 +0,0 @@ -=pod - -=head1 NAME - -X509_STORE_CTX_get_ex_new_index, X509_STORE_CTX_set_ex_data, -X509_STORE_CTX_get_ex_data - add application specific data to X509_STORE_CTX -structures - -=head1 SYNOPSIS - - #include - - int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, - CRYPTO_EX_new *new_func, - CRYPTO_EX_dup *dup_func, - CRYPTO_EX_free *free_func); - - int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *d, int idx, void *arg); - - void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *d, int idx); - -=head1 DESCRIPTION - -These functions handle application specific data in X509_STORE_CTX structures. -Their usage is identical to that of RSA_get_ex_new_index(), RSA_set_ex_data() -and RSA_get_ex_data() as described in L. - -=head1 NOTES - -This mechanism is used internally by the B library to store the B -structure associated with a verification operation in an B -structure. - -=head1 SEE ALSO - -L - -=head1 HISTORY - -X509_STORE_CTX_get_ex_new_index(), X509_STORE_CTX_set_ex_data() and -X509_STORE_CTX_get_ex_data() are available since OpenSSL 0.9.5. - -=cut diff --git a/src/lib/libcrypto/doc/X509_STORE_CTX_new.pod b/src/lib/libcrypto/doc/X509_STORE_CTX_new.pod deleted file mode 100644 index 66c0da04d2..0000000000 --- a/src/lib/libcrypto/doc/X509_STORE_CTX_new.pod +++ /dev/null @@ -1,126 +0,0 @@ -=pod - -=head1 NAME - -X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, -X509_STORE_CTX_init, X509_STORE_CTX_trusted_stack, X509_STORE_CTX_set_cert, -X509_STORE_CTX_set_chain, X509_STORE_CTX_set0_crls, X509_STORE_CTX_get0_param, -X509_STORE_CTX_set0_param, X509_STORE_CTX_set_default - X509_STORE_CTX -initialisation - -=head1 SYNOPSIS - - #include - - X509_STORE_CTX *X509_STORE_CTX_new(void); - void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); - void X509_STORE_CTX_free(X509_STORE_CTX *ctx); - - int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, - X509 *x509, STACK_OF(X509) *chain); - - void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); - - void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx,X509 *x); - void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx,STACK_OF(X509) *sk); - void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk); - - X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx); - void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param); - int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name); - -=head1 DESCRIPTION - -These functions initialise an B structure for subsequent use -by X509_verify_cert(). - -X509_STORE_CTX_new() returns a newly initialised B structure. - -X509_STORE_CTX_cleanup() internally cleans up an B structure. -The context can then be reused with an new call to X509_STORE_CTX_init(). - -X509_STORE_CTX_free() completely frees up B. After this call B -is no longer valid. - -X509_STORE_CTX_init() sets up B for a subsequent verification operation. -The trusted certificate store is set to B, the end entity certificate -to be verified is set to B and a set of additional certificates (which -will be untrusted but may be used to build the chain) in B. Any or -all of the B, B and B parameters can be B. - -X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B -to B. This is an alternative way of specifying trusted certificates -instead of using an B. - -X509_STORE_CTX_set_cert() sets the certificate to be verified in B to -B. - -X509_STORE_CTX_set_chain() sets the additional certificate chain used by B -to B. - -X509_STORE_CTX_set0_crls() sets a set of CRLs to use to aid certificate -verification to B. These CRLs will only be used if CRL verification is -enabled in the associated B structure. This might be -used where additional "useful" CRLs are supplied as part of a protocol, -for example in a PKCS#7 structure. - -X509_VERIFY_PARAM *X509_STORE_CTX_get0_param() retrieves an internal pointer -to the verification parameters associated with B. - -X509_STORE_CTX_set0_param() sets the internal verification parameter pointer -to B. After this call B should not be used. - -X509_STORE_CTX_set_default() looks up and sets the default verification -method to B. This uses the function X509_VERIFY_PARAM_lookup() to -find an appropriate set of parameters from B. - -=head1 NOTES - -The certificates and CRLs in a store are used internally and should B -be freed up until after the associated B is freed. Legacy -applications might implicitly use an B like this: - - X509_STORE_CTX ctx; - X509_STORE_CTX_init(&ctx, store, cert, chain); - -this is B recommended in new applications they should instead do: - - X509_STORE_CTX *ctx; - ctx = X509_STORE_CTX_new(); - if (ctx == NULL) - /* Bad error */ - X509_STORE_CTX_init(ctx, store, cert, chain); - -=head1 BUGS - -The certificates and CRLs in a context are used internally and should B -be freed up until after the associated B is freed. Copies -should be made or reference counts increased instead. - -=head1 RETURN VALUES - -X509_STORE_CTX_new() returns an newly allocates context or B is an -error occurred. - -X509_STORE_CTX_init() returns 1 for success or 0 if an error occurred. - -X509_STORE_CTX_get0_param() returns a pointer to an B -structure or B if an error occurred. - -X509_STORE_CTX_cleanup(), X509_STORE_CTX_free(), X509_STORE_CTX_trusted_stack(), -X509_STORE_CTX_set_cert(), X509_STORE_CTX_set_chain(), -X509_STORE_CTX_set0_crls() and X509_STORE_CTX_set0_param() do not return -values. - -X509_STORE_CTX_set_default() returns 1 for success or 0 if an error occurred. - -=head1 SEE ALSO - -L -L - -=head1 HISTORY - -X509_STORE_CTX_set0_crls() was first added to OpenSSL 1.0.0 - -=cut diff --git a/src/lib/libcrypto/doc/X509_STORE_CTX_set_verify_cb.pod b/src/lib/libcrypto/doc/X509_STORE_CTX_set_verify_cb.pod deleted file mode 100644 index 7dfe430c4c..0000000000 --- a/src/lib/libcrypto/doc/X509_STORE_CTX_set_verify_cb.pod +++ /dev/null @@ -1,165 +0,0 @@ -=pod - -=head1 NAME - -X509_STORE_CTX_set_verify_cb - set verification callback - -=head1 SYNOPSIS - - #include - - void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, - int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); - -=head1 DESCRIPTION - -X509_STORE_CTX_set_verify_cb() sets the verification callback of B to -B overwriting any existing callback. - -The verification callback can be used to customise the operation of certificate -verification, either by overriding error conditions or logging errors for -debugging purposes. - -However a verification callback is B essential and the default operation -is often sufficient. - -The B parameter to the callback indicates the value the callback should -return to retain the default behaviour. If it is zero then and error condition -is indicated. If it is 1 then no error occurred. If the flag -B is set then B is set to 2 to indicate the -policy checking is complete. - -The B parameter to the callback is the B structure that -is performing the verification operation. A callback can examine this -structure and receive additional information about the error, for example -by calling X509_STORE_CTX_get_current_cert(). Additional application data can -be passed to the callback via the B mechanism. - -=head1 WARNING - -In general a verification callback should B unconditionally return 1 in -all circumstances because this will allow verification to succeed no matter -what the error. This effectively removes all security from the application -because B certificate (including untrusted generated ones) will be -accepted. - -=head1 NOTES - -The verification callback can be set and inherited from the parent structure -performing the operation. In some cases (such as S/MIME verification) the -B structure is created and destroyed internally and the -only way to set a custom verification callback is by inheriting it from the -associated B. - -=head1 RETURN VALUES - -X509_STORE_CTX_set_verify_cb() does not return a value. - -=head1 EXAMPLES - -Default callback operation: - - int - verify_callback(int ok, X509_STORE_CTX *ctx) - { - return ok; - } - -Simple example, suppose a certificate in the chain is expired and we wish -to continue after this error: - - int - verify_callback(int ok, X509_STORE_CTX *ctx) - { - /* Tolerate certificate expiration */ - if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED) - return 1; - /* Otherwise don't override */ - return ok; - } - -More complex example, we don't wish to continue after B certificate has -expired just one specific case: - - int - verify_callback(int ok, X509_STORE_CTX *ctx) - { - int err = X509_STORE_CTX_get_error(ctx); - X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx); - - if (err == X509_V_ERR_CERT_HAS_EXPIRED) { - if (check_is_acceptable_expired_cert(err_cert) - return 1; - } - return ok; - } - -Full featured logging callback. In this case the B is assumed to be -a global logging B, an alternative would to store a BIO in B using -B. - - int - verify_callback(int ok, X509_STORE_CTX *ctx) - { - X509 *err_cert; - int err,depth; - - err_cert = X509_STORE_CTX_get_current_cert(ctx); - err = X509_STORE_CTX_get_error(ctx); - depth = X509_STORE_CTX_get_error_depth(ctx); - - BIO_printf(bio_err,"depth=%d ",depth); - if (err_cert) { - X509_NAME_print_ex(bio_err, - X509_get_subject_name(err_cert), 0, - XN_FLAG_ONELINE); - BIO_puts(bio_err, "\n"); - } else - BIO_puts(bio_err, "\n"); - if (!ok) - BIO_printf(bio_err, "verify error:num=%d:%s\n", - err, X509_verify_cert_error_string(err)); - switch (err) { - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - BIO_puts(bio_err, "issuer= "); - X509_NAME_print_ex(bio_err, - X509_get_issuer_name(err_cert), 0, - XN_FLAG_ONELINE); - BIO_puts(bio_err, "\n"); - break; - case X509_V_ERR_CERT_NOT_YET_VALID: - case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: - BIO_printf(bio_err, "notBefore="); - ASN1_TIME_print(bio_err, - X509_get_notBefore(err_cert)); - BIO_printf(bio_err, "\n"); - break; - case X509_V_ERR_CERT_HAS_EXPIRED: - case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: - BIO_printf(bio_err, "notAfter="); - ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert)); - BIO_printf(bio_err, "\n"); - break; - case X509_V_ERR_NO_EXPLICIT_POLICY: - policies_print(bio_err, ctx); - break; - } - if (err == X509_V_OK && ok == 2) - /* print out policies */ - - BIO_printf(bio_err,"verify return:%d\n",ok); - return(ok); - } - -=head1 SEE ALSO - -L -L -L - -=head1 HISTORY - -X509_STORE_CTX_set_verify_cb() is available in all versions of SSLeay and -OpenSSL. - -=cut diff --git a/src/lib/libcrypto/doc/X509_STORE_set_verify_cb_func.pod b/src/lib/libcrypto/doc/X509_STORE_set_verify_cb_func.pod deleted file mode 100644 index 754512341c..0000000000 --- a/src/lib/libcrypto/doc/X509_STORE_set_verify_cb_func.pod +++ /dev/null @@ -1,54 +0,0 @@ -=pod - -=head1 NAME - -X509_STORE_set_verify_cb_func, X509_STORE_set_verify_cb - set verification -callback - -=head1 SYNOPSIS - - #include - - void X509_STORE_set_verify_cb(X509_STORE *st, - int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); - - void X509_STORE_set_verify_cb_func(X509_STORE *st, - int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); - -=head1 DESCRIPTION - -X509_STORE_set_verify_cb() sets the verification callback of B to -B overwriting any existing callback. - -X509_STORE_set_verify_cb_func() also sets the verification callback but it -is implemented as a macro. - -=head1 NOTES - -The verification callback from an B is inherited by -the corresponding B structure when it is initialized. This can -be used to set the verification callback when the B is -otherwise inaccessible (for example during S/MIME verification). - -=head1 BUGS - -The macro version of this function was the only one available before -OpenSSL 1.0.0. - -=head1 RETURN VALUES - -X509_STORE_set_verify_cb() and X509_STORE_set_verify_cb_func() do not return -a value. - -=head1 SEE ALSO - -L - -=head1 HISTORY - -X509_STORE_set_verify_cb_func() is available in all versions of SSLeay and -OpenSSL. - -X509_STORE_set_verify_cb() was added to OpenSSL 1.0.0. - -=cut diff --git a/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod b/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod deleted file mode 100644 index 6c88aec49e..0000000000 --- a/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod +++ /dev/null @@ -1,172 +0,0 @@ -=pod - -=head1 NAME - -X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, -X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, -X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, -X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, -X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies - X509 -verification parameters - -=head1 SYNOPSIS - - #include - - int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags); - int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, - unsigned long flags); - unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param); - - int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose); - int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust); - - void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t); - - int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, - ASN1_OBJECT *policy); - int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, - STACK_OF(ASN1_OBJECT) *policies); - - void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); - int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); - -=head1 DESCRIPTION - -These functions manipulate the B structure associated with -a certificate verification operation. - -The X509_VERIFY_PARAM_set_flags() function sets the flags in B by oring -it with B. See the B section for a complete -description of values the B parameter can take. - -X509_VERIFY_PARAM_get_flags() returns the flags in B. - -X509_VERIFY_PARAM_clear_flags() clears the flags B in B. - -X509_VERIFY_PARAM_set_purpose() sets the verification purpose in B -to B. This determines the acceptable purpose of the certificate -chain, for example SSL client or SSL server. - -X509_VERIFY_PARAM_set_trust() sets the trust setting in B to -B. - -X509_VERIFY_PARAM_set_time() sets the verification time in B to -B. Normally the current time is used. - -X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled -by default) and adds B to the acceptable policy set. - -X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled -by default) and sets the acceptable policy set to B. Any existing -policy set is cleared. The B parameter can be B to clear -an existing policy set. - -X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to B. -That is the maximum number of untrusted CA certificates that can appear in a -chain. - -=head1 RETURN VALUES - -X509_VERIFY_PARAM_set_flags(), X509_VERIFY_PARAM_clear_flags(), -X509_VERIFY_PARAM_set_purpose(), X509_VERIFY_PARAM_set_trust(), -X509_VERIFY_PARAM_add0_policy() and X509_VERIFY_PARAM_set1_policies() return 1 -for success and 0 for failure. - -X509_VERIFY_PARAM_get_flags() returns the current verification flags. - -X509_VERIFY_PARAM_set_time() and X509_VERIFY_PARAM_set_depth() do not return -values. - -X509_VERIFY_PARAM_get_depth() returns the current verification depth. - -=head1 VERIFICATION FLAGS - -The verification flags consists of zero or more of the following flags -ored together. - -B enables CRL checking for the certificate chain leaf -certificate. An error occurs if a suitable CRL cannot be found. - -B enables CRL checking for the entire certificate -chain. - -B disabled critical extension checking. By default -any unhandled critical extensions in certificates or (if checked) CRLs results -in a fatal error. If this flag is set unhandled critical extensions are -ignored. B setting this option for anything other than debugging -purposes can be a security risk. Finer control over which extensions are -supported can be performed in the verification callback. - -THe B flag disables workarounds for some broken -certificates and makes the verification strictly apply B rules. - -B enables proxy certificate verification. - -B enables certificate policy checking, by default -no policy checking is performed. Additional information is sent to the -verification callback relating to policy checking. - -B, B and -B set the B, B and B flags respectively as defined in -B. Policy checking is automatically enabled if any of these flags -are set. - -If B is set and the policy checking is successful -a special status code is set to the verification callback. This permits it -to examine the valid policy tree and perform additional checks or simply -log it for debugging purposes. - -By default some additional features such as indirect CRLs and CRLs signed by -different keys are disabled. If B is set -they are enabled. - -If B ise set delta CRLs (if present) are used to -determine certificate status. If not set deltas are ignored. - -B enables checking of the root CA self signed -certificate signature. By default this check is disabled because it doesn't -add any additional security but in some cases applications might want to -check the signature anyway. A side effect of not checking the root CA -signature is that disabled or unsupported message digests on the root CA -are not treated as fatal errors. - -The B flag enables debugging of certificate -issuer checks. It is B needed unless you are logging certificate -verification. If this flag is set then additional status codes will be sent -to the verification callback and it B be prepared to handle such cases -without assuming they are hard errors. - -=head1 NOTES - -The above functions should be used to manipulate verification parameters -instead of legacy functions which work in specific structures such as -X509_STORE_CTX_set_flags(). - -=head1 BUGS - -Delta CRL checking is currently primitive. Only a single delta can be used and -(partly due to limitations of B) constructed CRLs are not -maintained. - -If CRLs checking is enable CRLs are expected to be available in the -corresponding B structure. No attempt is made to download -CRLs from the CRL distribution points extension. - -=head1 EXAMPLE - -Enable CRL checking when performing certificate verification during SSL -connections associated with an B structure B: - - X509_VERIFY_PARAM *param; - param = X509_VERIFY_PARAM_new(); - X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); - SSL_CTX_set1_param(ctx, param); - X509_VERIFY_PARAM_free(param); - -=head1 SEE ALSO - -L - -=cut diff --git a/src/lib/libcrypto/doc/X509_new.pod b/src/lib/libcrypto/doc/X509_new.pod deleted file mode 100644 index a36808b825..0000000000 --- a/src/lib/libcrypto/doc/X509_new.pod +++ /dev/null @@ -1,38 +0,0 @@ -=pod - -=head1 NAME - -X509_new, X509_free - X509 certificate ASN1 allocation functions - -=head1 SYNOPSIS - - #include - - X509 *X509_new(void); - void X509_free(X509 *a); - -=head1 DESCRIPTION - -The X509 ASN1 allocation routines, allocate and free an -X509 structure, which represents an X509 certificate. - -X509_new() allocates and initializes a X509 structure. - -X509_free() frees up the B structure B. -If B is a B pointer, no action occurs. - -=head1 RETURN VALUES - -If the allocation fails, X509_new() returns B and sets an error -code that can be obtained by L. -Otherwise it returns a pointer to the newly allocated structure. - -=head1 SEE ALSO - -L, L - -=head1 HISTORY - -X509_new() and X509_free() are available in all versions of SSLeay and OpenSSL. - -=cut diff --git a/src/lib/libcrypto/doc/X509_verify_cert.pod b/src/lib/libcrypto/doc/X509_verify_cert.pod deleted file mode 100644 index f05edd8333..0000000000 --- a/src/lib/libcrypto/doc/X509_verify_cert.pod +++ /dev/null @@ -1,53 +0,0 @@ -=pod - -=head1 NAME - -X509_verify_cert - discover and verify X509 certificate chain - -=head1 SYNOPSIS - - #include - - int X509_verify_cert(X509_STORE_CTX *ctx); - -=head1 DESCRIPTION - -The X509_verify_cert() function attempts to discover and validate a -certificate chain based on parameters in B. A complete description of -the process is contained in the L manual page. - -=head1 RETURN VALUES - -If a complete chain can be built and validated this function returns 1, -otherwise it return zero, in exceptional circumstances it can also -return a negative code. - -If the function fails additional error information can be obtained by -examining B using, for example X509_STORE_CTX_get_error(). - -=head1 NOTES - -Applications rarely call this function directly but it is used by -OpenSSL internally for certificate validation, in both the S/MIME and -SSL/TLS code. - -The negative return value from X509_verify_cert() can only occur if no -certificate is set in B (due to a programming error) or if a retry -operation is requested during internal lookups (which never happens with -standard lookup methods). It is however recommended that application check -for <= 0 return value on error. - -=head1 BUGS - -This function uses the header B as opposed to most chain verification -functions which use B. - -=head1 SEE ALSO - -L - -=head1 HISTORY - -X509_verify_cert() is available in all versions of SSLeay and OpenSSL. - -=cut diff --git a/src/lib/libcrypto/doc/d2i_X509.pod b/src/lib/libcrypto/doc/d2i_X509.pod deleted file mode 100644 index fad4e8c35b..0000000000 --- a/src/lib/libcrypto/doc/d2i_X509.pod +++ /dev/null @@ -1,231 +0,0 @@ -=pod - -=head1 NAME - -d2i_X509, i2d_X509, d2i_X509_bio, d2i_X509_fp, i2d_X509_bio, -i2d_X509_fp - X509 encode and decode functions - -=head1 SYNOPSIS - - #include - - X509 *d2i_X509(X509 **px, const unsigned char **in, int len); - int i2d_X509(X509 *x, unsigned char **out); - - X509 *d2i_X509_bio(BIO *bp, X509 **x); - X509 *d2i_X509_fp(FILE *fp, X509 **x); - - int i2d_X509_bio(BIO *bp, X509 *x); - int i2d_X509_fp(FILE *fp, X509 *x); - -=head1 DESCRIPTION - -The X509 encode and decode routines encode and parse an -B structure, which represents an X509 certificate. - -d2i_X509() attempts to decode B bytes at B<*in>. If -successful a pointer to the B structure is returned. If an error -occurred then B is returned. If B is not B then the -returned structure is written to B<*px>. If B<*px> is not B -then it is assumed that B<*px> contains a valid B -structure and an attempt is made to reuse it. If the call is -successful B<*in> is incremented to the byte following the -parsed data. - -i2d_X509() encodes the structure pointed to by B into DER format. -If B is not B is writes the DER encoded data to the buffer -at B<*out>, and increments it to point after the data just written. -If the return value is negative an error occurred, otherwise it -returns the length of the encoded data. - -For OpenSSL 0.9.7 and later if B<*out> is B memory will be -allocated for a buffer and the encoded data written to it. In this -case B<*out> is not incremented and it points to the start of the -data just written. - -d2i_X509_bio() is similar to d2i_X509() except it attempts -to parse data from BIO B. - -d2i_X509_fp() is similar to d2i_X509() except it attempts -to parse data from FILE pointer B. - -i2d_X509_bio() is similar to i2d_X509() except it writes -the encoding of the structure B to BIO B and it -returns 1 for success and 0 for failure. - -i2d_X509_fp() is similar to i2d_X509() except it writes -the encoding of the structure B to BIO B and it -returns 1 for success and 0 for failure. - -=head1 NOTES - -The letters B and B in for example B stand for -"internal" (that is an internal C structure) and "DER". So that -B converts from internal to DER. - -The functions can also understand B forms. - -The actual X509 structure passed to i2d_X509() must be a valid -populated B structure it can B simply be fed with an -empty structure such as that returned by X509_new(). - -The encoded data is in binary form and may contain embedded zeroes. -Therefore any FILE pointers or BIOs should be opened in binary mode. -Functions such as B will B return the correct length -of the encoded structure. - -The ways that B<*in> and B<*out> are incremented after the operation -can trap the unwary. See the B section for some common -errors. - -The reason for the auto increment behaviour is to reflect a typical -usage of ASN1 functions: after one structure is encoded or decoded -another will processed after it. - -=head1 EXAMPLES - -Allocate and encode the DER encoding of an X509 structure: - - int len; - unsigned char *buf, *p; - - len = i2d_X509(x, NULL); - - buf = malloc(len); - - if (buf == NULL) - /* error */ - - p = buf; - - i2d_X509(x, &p); - -If you are using OpenSSL 0.9.7 or later then this can be -simplified to: - - - int len; - unsigned char *buf; - - buf = NULL; - - len = i2d_X509(x, &buf); - - if (len < 0) - /* error */ - -Attempt to decode a buffer: - - X509 *x; - - unsigned char *buf, *p; - - int len; - - /* Something to setup buf and len */ - - p = buf; - - x = d2i_X509(NULL, &p, len); - - if (x == NULL) - /* Some error */ - -Alternative technique: - - X509 *x; - - unsigned char *buf, *p; - - int len; - - /* Something to setup buf and len */ - - p = buf; - - x = NULL; - - if(!d2i_X509(&x, &p, len)) - /* Some error */ - - -=head1 WARNINGS - -The use of temporary variable is mandatory. A common -mistake is to attempt to use a buffer directly as follows: - - int len; - unsigned char *buf; - - len = i2d_X509(x, NULL); - - buf = malloc(len); - - if (buf == NULL) - /* error */ - - i2d_X509(x, &buf); - - /* Other stuff ... */ - - free(buf); - -This code will result in B apparently containing garbage because -it was incremented after the call to point after the data just written. -Also B will no longer contain the pointer allocated by B -and the subsequent call to B may well crash. - -The auto allocation feature (setting buf to NULL) only works on OpenSSL -0.9.7 and later. Attempts to use it on earlier versions will typically -cause a segmentation violation. - -Another trap to avoid is misuse of the B argument to B: - - X509 *x; - - if (!d2i_X509(&x, &p, len)) - /* Some error */ - -This will probably crash somewhere in B. The reason for this -is that the variable B is uninitialized and an attempt will be made to -interpret its (invalid) value as an B structure, typically causing -a segmentation violation. If B is set to NULL first then this will not -happen. - -=head1 BUGS - -In some versions of OpenSSL the "reuse" behaviour of d2i_X509() when -B<*px> is valid is broken and some parts of the reused structure may -persist if they are not present in the new one. As a result the use -of this "reuse" behaviour is strongly discouraged. - -i2d_X509() will not return an error in many versions of OpenSSL, -if mandatory fields are not initialized due to a programming error -then the encoded structure may contain invalid data or omit the -fields entirely and will not be parsed by d2i_X509(). This may be -fixed in future so code should not assume that i2d_X509() will -always succeed. - -=head1 RETURN VALUES - -d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B structure -or B if an error occurs. The error code that can be obtained by -L. - -i2d_X509() returns the number of bytes successfully encoded or a negative -value if an error occurs. The error code can be obtained by -L. - -i2d_X509_bio() and i2d_X509_fp() return 1 for success and 0 if an error -occurs The error code can be obtained by L. - -=head1 SEE ALSO - -L - -=head1 HISTORY - -d2i_X509, i2d_X509, d2i_X509_bio, d2i_X509_fp, i2d_X509_bio and i2d_X509_fp -are available in all versions of SSLeay and OpenSSL. - -=cut diff --git a/src/lib/libcrypto/doc/d2i_X509_ALGOR.pod b/src/lib/libcrypto/doc/d2i_X509_ALGOR.pod deleted file mode 100644 index 68011679fd..0000000000 --- a/src/lib/libcrypto/doc/d2i_X509_ALGOR.pod +++ /dev/null @@ -1,26 +0,0 @@ -=pod - -=head1 NAME - -d2i_X509_ALGOR, i2d_X509_ALGOR - AlgorithmIdentifier functions. - -=head1 SYNOPSIS - - #include - - X509_ALGOR *d2i_X509_ALGOR(X509_ALGOR **a, unsigned char **pp, long length); - int i2d_X509_ALGOR(X509_ALGOR *a, unsigned char **pp); - -=head1 DESCRIPTION - -These functions decode and encode an B structure which is -equivalent to the B structure. - -Othewise these behave in a similar way to d2i_X509() and i2d_X509() -described in the L manual page. - -=head1 SEE ALSO - -L - -=cut diff --git a/src/lib/libcrypto/doc/d2i_X509_CRL.pod b/src/lib/libcrypto/doc/d2i_X509_CRL.pod deleted file mode 100644 index 563e4de8e0..0000000000 --- a/src/lib/libcrypto/doc/d2i_X509_CRL.pod +++ /dev/null @@ -1,33 +0,0 @@ -=pod - -=head1 NAME - -d2i_X509_CRL, i2d_X509_CRL, d2i_X509_CRL_bio, d2i_X509_CRL_fp, -i2d_X509_CRL_bio, i2d_X509_CRL_fp - PKCS#10 certificate request functions. - -=head1 SYNOPSIS - - #include - - X509_CRL *d2i_X509_CRL(X509_CRL **a, const unsigned char **pp, long length); - int i2d_X509_CRL(X509_CRL *a, unsigned char **pp); - - X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **x); - X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **x); - - int i2d_X509_CRL_bio(BIO *bp, X509_CRL *x); - int i2d_X509_CRL_fp(FILE *fp, X509_CRL *x); - -=head1 DESCRIPTION - -These functions decode and encode an X509 CRL (certificate revocation -list). - -Othewise the functions behave in a similar way to d2i_X509() and i2d_X509() -described in the L manual page. - -=head1 SEE ALSO - -L - -=cut diff --git a/src/lib/libcrypto/doc/d2i_X509_NAME.pod b/src/lib/libcrypto/doc/d2i_X509_NAME.pod deleted file mode 100644 index 2219885338..0000000000 --- a/src/lib/libcrypto/doc/d2i_X509_NAME.pod +++ /dev/null @@ -1,27 +0,0 @@ -=pod - -=head1 NAME - -d2i_X509_NAME, i2d_X509_NAME - X509_NAME encoding functions - -=head1 SYNOPSIS - - #include - - X509_NAME *d2i_X509_NAME(X509_NAME **a, unsigned char **pp, long length); - int i2d_X509_NAME(X509_NAME *a, unsigned char **pp); - -=head1 DESCRIPTION - -These functions decode and encode an B structure which is the -same as the B type defined in RFC2459 (and elsewhere) and used -for example in certificate subject and issuer names. - -Othewise the functions behave in a similar way to d2i_X509() and i2d_X509() -described in the L manual page. - -=head1 SEE ALSO - -L - -=cut diff --git a/src/lib/libcrypto/doc/d2i_X509_REQ.pod b/src/lib/libcrypto/doc/d2i_X509_REQ.pod deleted file mode 100644 index baa8ae391e..0000000000 --- a/src/lib/libcrypto/doc/d2i_X509_REQ.pod +++ /dev/null @@ -1,32 +0,0 @@ -=pod - -=head1 NAME - -d2i_X509_REQ, i2d_X509_REQ, d2i_X509_REQ_bio, d2i_X509_REQ_fp, -i2d_X509_REQ_bio, i2d_X509_REQ_fp - PKCS#10 certificate request functions. - -=head1 SYNOPSIS - - #include - - X509_REQ *d2i_X509_REQ(X509_REQ **a, const unsigned char **pp, long length); - int i2d_X509_REQ(X509_REQ *a, unsigned char **pp); - - X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **x); - X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **x); - - int i2d_X509_REQ_bio(BIO *bp, X509_REQ *x); - int i2d_X509_REQ_fp(FILE *fp, X509_REQ *x); - -=head1 DESCRIPTION - -These functions decode and encode a PKCS#10 certificate request. - -Othewise these behave in a similar way to d2i_X509() and i2d_X509() -described in the L manual page. - -=head1 SEE ALSO - -L - -=cut diff --git a/src/lib/libcrypto/doc/d2i_X509_SIG.pod b/src/lib/libcrypto/doc/d2i_X509_SIG.pod deleted file mode 100644 index 00d03f5ba1..0000000000 --- a/src/lib/libcrypto/doc/d2i_X509_SIG.pod +++ /dev/null @@ -1,26 +0,0 @@ -=pod - -=head1 NAME - -d2i_X509_SIG, i2d_X509_SIG - DigestInfo functions. - -=head1 SYNOPSIS - - #include - - X509_SIG *d2i_X509_SIG(X509_SIG **a, unsigned char **pp, long length); - int i2d_X509_SIG(X509_SIG *a, unsigned char **pp); - -=head1 DESCRIPTION - -These functions decode and encode an X509_SIG structure which is -equivalent to the B structure defined in PKCS#1 and PKCS#7. - -Othewise these behave in a similar way to d2i_X509() and i2d_X509() -described in the L manual page. - -=head1 SEE ALSO - -L - -=cut diff --git a/src/lib/libcrypto/doc/x509.pod b/src/lib/libcrypto/doc/x509.pod deleted file mode 100644 index f9e58e0e41..0000000000 --- a/src/lib/libcrypto/doc/x509.pod +++ /dev/null @@ -1,64 +0,0 @@ -=pod - -=head1 NAME - -x509 - X.509 certificate handling - -=head1 SYNOPSIS - - #include - -=head1 DESCRIPTION - -A X.509 certificate is a structured grouping of information about -an individual, a device, or anything one can imagine. A X.509 CRL -(certificate revocation list) is a tool to help determine if a -certificate is still valid. The exact definition of those can be -found in the X.509 document from ITU-T, or in RFC3280 from PKIX. -In OpenSSL, the type X509 is used to express such a certificate, and -the type X509_CRL is used to express a CRL. - -A related structure is a certificate request, defined in PKCS#10 from -RSA Security, Inc, also reflected in RFC2896. In OpenSSL, the type -X509_REQ is used to express such a certificate request. - -To handle some complex parts of a certificate, there are the types -X509_NAME (to express a certificate name), X509_ATTRIBUTE (to express -a certificate attributes), X509_EXTENSION (to express a certificate -extension) and a few more. - -Finally, there's the supertype X509_INFO, which can contain a CRL, a -certificate and a corresponding private key. - -BI<...>, BI<...> and BI<...> handle X.509 -certificates, with some exceptions, shown below. - -BI<...>, BI<...> and BI<...> -handle X.509 CRLs. - -BI<...>, BI<...> and BI<...> -handle PKCS#10 certificate requests. - -BI<...> handle certificate names. - -BI<...> handle certificate attributes. - -BI<...> handle certificate extensions. - -=head1 SEE ALSO - -L, -L, -L, -L, -L, -L, -L, -L, -L, -L, -L, -L, -L - -=cut -- cgit v1.2.3-55-g6feb