From eb8dd9dca1228af0cd132f515509051ecfabf6f6 Mon Sep 17 00:00:00 2001 From: cvs2svn Date: Mon, 14 Apr 2025 17:32:06 +0000 Subject: This commit was manufactured by cvs2git to create tag 'tb_20250414'. --- src/lib/libcrypto/man/PKCS7_verify.3 | 252 ----------------------------------- 1 file changed, 252 deletions(-) delete mode 100644 src/lib/libcrypto/man/PKCS7_verify.3 (limited to 'src/lib/libcrypto/man/PKCS7_verify.3') diff --git a/src/lib/libcrypto/man/PKCS7_verify.3 b/src/lib/libcrypto/man/PKCS7_verify.3 deleted file mode 100644 index d091c03dfd..0000000000 --- a/src/lib/libcrypto/man/PKCS7_verify.3 +++ /dev/null @@ -1,252 +0,0 @@ -.\" $OpenBSD: PKCS7_verify.3,v 1.11 2022/03/31 17:27:17 naddy Exp $ -.\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400 -.\" -.\" This file was written by Dr. Stephen Henson . -.\" Copyright (c) 2002, 2006, 2013, 2014, 2015 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 31 2022 $ -.Dt PKCS7_VERIFY 3 -.Os -.Sh NAME -.Nm PKCS7_verify , -.Nm PKCS7_get0_signers -.Nd verify a PKCS#7 signedData structure -.Sh SYNOPSIS -.In openssl/pkcs7.h -.Ft int -.Fo PKCS7_verify -.Fa "PKCS7 *p7" -.Fa "STACK_OF(X509) *certs" -.Fa "X509_STORE *store" -.Fa "BIO *indata" -.Fa "BIO *out" -.Fa "int flags" -.Fc -.Ft STACK_OF(X509) * -.Fo PKCS7_get0_signers -.Fa "PKCS7 *p7" -.Fa "STACK_OF(X509) *certs" -.Fa "int flags" -.Fc -.Sh DESCRIPTION -.Fn PKCS7_verify -verifies a PKCS#7 signedData structure. -.Fa p7 -is the -.Vt PKCS7 -structure to verify. -.Fa certs -is a set of certificates in which to search for the signer's -certificate. -.Fa store -is a trusted certificate store (used for chain verification). -.Fa indata -is the signed data if the content is not present in -.Fa p7 , -that is if it is detached. -The content is written to -.Fa out -if it is not -.Dv NULL . -.Pp -.Fa flags -is an optional set of flags, which can be used to modify the verify -operation. -.Pp -.Fn PKCS7_get0_signers -retrieves the signer's certificates from -.Fa p7 . -The signers must be freed with -.Fn sk_X509_free . -It does -.Sy not -check their validity or whether any signatures are valid. -The -.Fa certs -and -.Fa flags -parameters have the same meanings as in -.Fn PKCS7_verify . -.Pp -Normally the verify process proceeds as follows. -.Pp -Initially some sanity checks are performed on -.Fa p7 . -The type of -.Fa p7 -must be signedData. -There must be at least one signature on the data and if the content -is detached, -.Fa indata -cannot be -.Dv NULL . -.Pp -An attempt is made to locate all the signer's certificates, first -looking in the -.Fa certs -parameter (if it is not -.Dv NULL ) -and then looking in any certificates contained in the -.Fa p7 -structure itself. -If any signer's certificates cannot be located, the operation fails. -.Pp -Each signer's certificate is chain verified using the -.Sy smimesign -purpose and the supplied trusted certificate store. -Any internal certificates in the message are used as untrusted CAs. -If any chain verify fails, an error code is returned. -.Pp -Finally, the signed content is read (and written to -.Fa out -if it is not -.Dv NULL ) -and the signature's checked. -.Pp -If all signature's verify correctly then the function is successful. -.Pp -Any of the following flags (OR'ed together) can be passed in the -.Fa flags -parameter to change the default verify behaviour. -Only the flag -.Dv PKCS7_NOINTERN -is meaningful to -.Fn PKCS7_get0_signers . -.Pp -If -.Dv PKCS7_NOINTERN -is set, the certificates in the message itself are not searched when -locating the signer's certificate. -This means that all the signer's certificates must be in the -.Fa certs -parameter. -.Pp -If the -.Dv PKCS7_TEXT -flag is set, MIME headers for type -.Sy text/plain -are deleted from the content. -If the content is not of type -.Sy text/plain , -then an error is returned. -.Pp -If -.Dv PKCS7_NOVERIFY -is set, the signer's certificates are not chain verified. -.Pp -If -.Dv PKCS7_NOCHAIN -is set, then the certificates contained in the message are not used as -untrusted CAs. -This means that the whole verify chain (apart from the signer's -certificate) must be contained in the trusted store. -.Pp -If -.Dv PKCS7_NOSIGS -is set, then the signatures on the data are not checked. -.Pp -One application of -.Dv PKCS7_NOINTERN -is to only accept messages signed by a small number of certificates. -The acceptable certificates would be passed in the -.Fa certs -parameter. -In this case, if the signer is not one of the certificates supplied in -.Fa certs , -then the verify will fail because the signer cannot be found. -.Pp -Care should be taken when modifying the default verify behaviour, for -example setting -.Dv PKCS7_NOVERIFY | PKCS7_NOSIGS -will totally disable all verification and any signed message will be -considered valid. -This combination is however useful if one merely wishes to write the -content to -.Fa out -and its validity is not considered important. -.Pp -Chain verification should arguably be performed using the signing time -rather than the current time. -However since the signing time is supplied by the signer, it cannot be -trusted without additional evidence (such as a trusted timestamp). -.Sh RETURN VALUES -.Fn PKCS7_verify -returns 1 for a successful verification and 0 or a negative value if -an error occurs. -.Pp -.Fn PKCS7_get0_signers -returns all signers or -.Dv NULL -if an error occurred. -The signers must be freed with -.Fn sk_X509_free . -.Pp -The error can be obtained from -.Xr ERR_get_error 3 . -.Sh SEE ALSO -.Xr PKCS7_decrypt 3 , -.Xr PKCS7_new 3 , -.Xr PKCS7_sign 3 , -.Xr X509_STORE_new 3 -.Sh HISTORY -.Fn PKCS7_verify -and -.Fn PKCS7_get0_signers -first appeared in OpenSSL 0.9.5 and have been available since -.Ox 2.7 . -.Sh BUGS -The trusted certificate store is not searched for the signer's -certificate. -This is primarily due to the inadequacies of the current -.Vt X509_STORE -functionality. -.Pp -The lack of single pass processing and the need to hold all data -in memory as mentioned in -.Xr PKCS7_sign 3 -also applies to -.Fn PKCS7_verify . -- cgit v1.2.3-55-g6feb