diff options
author | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2021-07-25 14:05:04 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2021-07-25 14:05:04 +0000 |
commit | 2a9394e8109993c6701127713c1e8926e65c69c3 (patch) | |
tree | c7391464cb8af741b82da0ef47da3be837b55fc8 | |
parent | a5acc4bd564aa0afbdce76d528ed7bca09e7407a (diff) |
Document X509_STORE_CTX_set_trust(3), X509_STORE_CTX_set_purpose(3),
and X509_STORE_CTX_purpose_inherit(3). These functions look deceptively
simple on first sight, but their semantics is surprisingly complicated.
-rw-r--r-- | lib/libcrypto/man/X509_STORE_CTX_set_flags.3 | 230 |
1 files changed, 226 insertions, 4 deletions
diff --git a/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 b/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 index d84b1e7ae4e..72479273855 100644 --- a/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 +++ b/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.2 2021/07/22 19:44:30 schwarze Exp $ +.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.3 2021/07/25 14:05:03 schwarze Exp $ .\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100 .\" @@ -67,13 +67,16 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 22 2021 $ +.Dd $Mdocdate: July 25 2021 $ .Dt X509_STORE_CTX_SET_FLAGS 3 .Os .Sh NAME .Nm X509_STORE_CTX_set_flags , .Nm X509_STORE_CTX_set_time , .Nm X509_STORE_CTX_set_depth , +.Nm X509_STORE_CTX_set_trust , +.Nm X509_STORE_CTX_set_purpose , +.Nm X509_STORE_CTX_purpose_inherit , .Nm X509_STORE_CTX_get0_param , .Nm X509_STORE_CTX_set0_param , .Nm X509_STORE_CTX_set_default @@ -96,6 +99,23 @@ .Fa "X509_STORE_CTX *ctx" .Fa "int depth" .Fc +.Ft int +.Fo X509_STORE_CTX_set_trust +.Fa "X509_STORE_CTX *ctx" +.Fa "int trust" +.Fc +.Ft int +.Fo X509_STORE_CTX_set_purpose +.Fa "X509_STORE_CTX *ctx" +.Fa "int purpose" +.Fc +.Ft int +.Fo X509_STORE_CTX_purpose_inherit +.Fa "X509_STORE_CTX *ctx" +.Fa "int def_purpose" +.Fa "int purpose" +.Fa "int trust" +.Fc .Ft X509_VERIFY_PARAM * .Fo X509_STORE_CTX_get0_param .Fa "X509_STORE_CTX *ctx" @@ -132,17 +152,122 @@ for a description of the verification flags. .Pp .Fn X509_STORE_CTX_set_time sets the verification -.Fa time . +.Fa time +using +.Xr X509_VERIFY_PARAM_set_time 3 . The .Fa dummy argument is ignored. .Pp .Fn X509_STORE_CTX_set_depth sets the maximum verification -.Fa depth . +.Fa depth +using +.Xr X509_VERIFY_PARAM_set_depth 3 . That is the maximum number of untrusted CA certificates that can appear in a chain. .Pp +.Fn X509_STORE_CTX_set_trust +sets the +.Fa trust +identifier that can also be set using +.Xr X509_VERIFY_PARAM_set_trust 3 . +If the +.Fa trust +argument is 0 or invalid +or the trust identifier is already set to a non-zero value in the +.Vt X509_VERIFY_PARAM +object, no action occurs. +Here and in the following, +.Dv X509_TRUST_DEFAULT +counts as invalid. +.Pp +.Fn X509_STORE_CTX_set_purpose +sets the +.Fa purpose +identifier that can also be set using +.Xr X509_VERIFY_PARAM_set_purpose 3 . +If the +.Fa purpose +argument is 0 or any failure occurs, nothing is changed. +.Pp +In the following, the trust identifier contained in the +.Vt X509_PURPOSE +object associated with +.Fa purpose +is called the +.Dq associated trust . +.Pp +The function fails if the +.Fa purpose +argument or the associated trust is not 0 but invalid; otherwise, +.Fn X509_STORE_CTX_set_purpose +also does the equivalent of calling +.Fn X509_STORE_CTX_set_trust +with the associated trust. +.Pp +If the purpose identifier is already set to a non-zero value in the +.Vt X509_VERIFY_PARAM +object, it is not changed, even if the +.Fa purpose +argument is valid, too. +.Pp +.Fn X509_STORE_CTX_purpose_inherit +is similar to +.Fn X509_STORE_CTX_set_purpose , +with the following modifications: +.Bl -bullet +.It +If the +.Fa purpose +argument is 0, +.Fa def_purpose +is used instead. +.It +If the associated trust is +.Dv X509_TRUST_DEFAULT , +the trust associated with +.Fa def_purpose +is used instead, or if +.Fa def_purpose +is 0 or invalid, the function fails. +.It +If the +.Fa trust +argument is not 0, it is used instead of the associated trust, +and the equivalent of calling +.Fn X509_STORE_CTX_set_trust +is done even if both +.Fa purpose +and +.Fa def_purpose +are 0. +Even if the +.Fa trust +argument is not 0, if the (then unused) associated trust is +.Dv X509_TRUST_DEFAULT , +.Fa def_purpose +is still required to be valid. +.El +.Pp +Note that, even if all arguments are valid and the return value is 1, +it is possible that nothing changed, or that only either one of the +purpose and trust identifiers were set, or that both were set. +It can also happen that the purpose identifier gets set according to the +.Fa purpose +argument, but the trust identifier gets set according to the +.Fa def_purpose +argument in the same call. +.Pp +The intended way of using this function is to pass the purpose and +trust attributes of another structure of an arbitrary type as the +.Fa purpose +and +.Fa trust +arguments, and to provide +.Fa def_purpose +as a fallback in case the settings in the other structure are incomplete. +.Pp .Fn X509_STORE_CTX_get0_param retrieves an internal pointer to the verification parameters associated with @@ -163,6 +288,61 @@ This uses the function to find an appropriate set of parameters from .Fa name . .Sh RETURN VALUES +.Fn X509_STORE_CTX_set_trust +returns 1 if the +.Fa trust +argument is 0 or valid or 0 if it is not 0 but invalid. +A return value of 1 does +.Em not +imply that the trust identifier stored in the +.Vt X509_VERIFY_PARAM +object was changed. +.Pp +.Fn X509_STORE_CTX_set_purpose +returns 1 if both the +.Fa purpose +argument and the associated trust are 0 or valid. +It returns 0 if either the +.Fa purpose +argument or the associated trust is not 0 but invalid. +A return value of 1 does not imply that any data was changed. +.Pp +.Fn X509_STORE_CTX_purpose_inherit +returns 0 if: +.Bl -bullet +.It +The +.Fa purpose +argument is not 0 and invalid. +.It +The +.Fa purpose +argument is 0 and the +.Fa def_purpose +argument is not 0 and invalid. +.It +The associated trust is +.Dv X509_TRUST_DEFAULT +and the +.Fa def_purpose +argument is 0 or invalid, +or the trust identifier associated with it is not 0 but invalid. +.It +The +.Fa trust +argument is not 0 and invalid. +.It +The +.Fa trust +argument is 0 and the associated trust is neither 0 nor +.Dv X509_TRUST_DEFAULT +but invalid. +.El +.Pp +Otherwise, +.Fn X509_STORE_CTX_purpose_inherit +returns 1, which does not imply that any data was changed. +.Pp .Fn X509_STORE_CTX_get0_param returns a pointer to an .Vt X509_VERIFY_PARAM @@ -172,6 +352,41 @@ if an error occurred. .Pp .Fn X509_STORE_CTX_set_default returns 1 for success or 0 if an error occurred. +.Sh ERRORS +For +.Fn X509_STORE_CTX_set_trust , +.Fn X509_STORE_CTX_set_purpose , +and +.Fn X509_STORE_CTX_purpose_inherit , +the following diagnostics can be retrieved with +.Xr ERR_get_error 3 , +.Xr ERR_GET_REASON 3 , +and +.Xr ERR_reason_error_string 3 : +.Bl -tag -width Ds +.It Dv X509_R_UNKNOWN_TRUST_ID Qq "unknown trust id" +The +.Fa trust +argument or the trust identifier associated with +.Fa purpose +or +.Fa def_purpose +is not 0 but invalid, +.It Dv X509_R_UNKNOWN_PURPOSE_ID Qq "unknown purpose id" +The +.Fa purpose +argument is not 0 and invalid. +Or it is 0 and the +.Fa def_purpose +argument is not 0 and invalid. +Or the associated trust is +.Dv X509_TRUST_DEFAULT +and +.Fa def_purpose +is 0 or invalid. +.El +.Pp +The other functions provide no diagnostics. .Sh SEE ALSO .Xr X509_STORE_CTX_get_error 3 , .Xr X509_STORE_CTX_new 3 , @@ -184,6 +399,13 @@ returns 1 for success or 0 if an error occurred. first appeared in OpenSSL 0.9.3 and has been available since .Ox 2.4 . .Pp +.Fn X509_STORE_CTX_set_trust , +.Fn X509_STORE_CTX_set_purpose , +and +.Fn X509_STORE_CTX_purpose_inherit +first appeared in OpenSSL 0.9.5 and have been available since +.Ox 2.7 . +.Pp .Fn X509_STORE_CTX_set_flags and .Fn X509_STORE_CTX_set_time |