summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorTheo Buehler <tb@cvs.openbsd.org>2023-04-30 19:40:24 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2023-04-30 19:40:24 +0000
commitc6e47bc4ae19bf46d361c6c098eca3408bfa9410 (patch)
treec44aa85cb6bfe19a81d6797781c3e35606cd09d9 /lib
parent11e51fddd26734b8de4064eeba7c90eaffe9cb38 (diff)
Remove most documentation pertaining to proxy certificates.
Update EXFLAG_PROXY and X509_V_FLAG_ALLOW_PROXY_CERTS documentation since we need to keep them for the time being.
Diffstat (limited to 'lib')
-rw-r--r--lib/libcrypto/man/Makefile4
-rw-r--r--lib/libcrypto/man/PROXY_POLICY_new.397
-rw-r--r--lib/libcrypto/man/X509_EXTENSION_set_object.35
-rw-r--r--lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.36
-rw-r--r--lib/libcrypto/man/X509_get_extension_flags.36
-rw-r--r--lib/libcrypto/man/d2i_PROXY_POLICY.397
6 files changed, 10 insertions, 205 deletions
diff --git a/lib/libcrypto/man/Makefile b/lib/libcrypto/man/Makefile
index fc3204e3a2c..42b4c2fbe10 100644
--- a/lib/libcrypto/man/Makefile
+++ b/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.249 2023/04/30 14:49:47 tb Exp $
+# $OpenBSD: Makefile,v 1.250 2023/04/30 19:40:23 tb Exp $
.include <bsd.own.mk>
@@ -265,7 +265,6 @@ MAN= \
PKCS8_pkey_set0.3 \
PKEY_USAGE_PERIOD_new.3 \
POLICYINFO_new.3 \
- PROXY_POLICY_new.3 \
RAND_add.3 \
RAND_bytes.3 \
RAND_load_file.3 \
@@ -407,7 +406,6 @@ MAN= \
d2i_PKCS8_PRIV_KEY_INFO.3 \
d2i_PKEY_USAGE_PERIOD.3 \
d2i_POLICYINFO.3 \
- d2i_PROXY_POLICY.3 \
d2i_PrivateKey.3 \
d2i_RSAPublicKey.3 \
d2i_TS_REQ.3 \
diff --git a/lib/libcrypto/man/PROXY_POLICY_new.3 b/lib/libcrypto/man/PROXY_POLICY_new.3
deleted file mode 100644
index c23a620177e..00000000000
--- a/lib/libcrypto/man/PROXY_POLICY_new.3
+++ /dev/null
@@ -1,97 +0,0 @@
-.\" $OpenBSD: PROXY_POLICY_new.3,v 1.6 2021/10/27 11:24:47 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 27 2021 $
-.Dt PROXY_POLICY_NEW 3
-.Os
-.Sh NAME
-.Nm PROXY_POLICY_new ,
-.Nm PROXY_POLICY_free ,
-.Nm PROXY_CERT_INFO_EXTENSION_new ,
-.Nm PROXY_CERT_INFO_EXTENSION_free
-.Nd X.509 proxy certificate extension
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft PROXY_POLICY *
-.Fn PROXY_POLICY_new void
-.Ft void
-.Fn PROXY_POLICY_free "PROXY_POLICY *pp"
-.Ft PROXY_CERT_INFO_EXTENSION *
-.Fn PROXY_CERT_INFO_EXTENSION_new void
-.Ft void
-.Fn PROXY_CERT_INFO_EXTENSION_free "PROXY_CERT_INFO_EXTENSION *pcie"
-.Sh DESCRIPTION
-If a given non-CA certificate grants any privileges, using that
-certificate to issue a proxy certificate and handing that proxy
-certificate over to another person, organization, or service allows
-the bearer of the proxy certificate to exercise some or all of the
-privileges on behalf of the subject of the original certificate.
-.Pp
-.Fn PROXY_POLICY_new
-allocates and initializes an empty
-.Vt PROXY_POLICY
-object, representing an ASN.1
-.Vt ProxyPolicy
-structure defined in RFC 3820 section 3.8.
-It defines which privileges are to be delegated.
-.Fn PROXY_POLICY_free
-frees
-.Fa pp .
-.Pp
-.Fn PROXY_CERT_INFO_EXTENSION_new
-allocates and initializes an empty
-.Vt PROXY_CERT_INFO_EXTENSION
-object, representing an ASN.1
-.Vt ProxyCertInfo
-structure defined in RFC 3820 section 3.8.
-It can contain a
-.Vt PROXY_POLICY
-object, and it can additionally restrict the maximum depth of the
-path of proxy certificates that can be signed by this proxy
-certificate.
-.Fn PROXY_CERT_INFO_EXTENSION_free
-frees
-.Fa pcie .
-.Pp
-If a non-CA certificate contains a
-.Vt PROXY_CERT_INFO_EXTENSION ,
-it is a proxy certificate; otherwise, it is an end entity certificate.
-.Sh RETURN VALUES
-.Fn PROXY_POLICY_new
-and
-.Fn PROXY_CERT_INFO_EXTENSION_new
-return the new
-.Vt PROXY_POLICY
-or
-.Vt PROXY_CERT_INFO_EXTENSION
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr BASIC_CONSTRAINTS_new 3 ,
-.Xr d2i_PROXY_POLICY 3 ,
-.Xr EXTENDED_KEY_USAGE_new 3 ,
-.Xr POLICYINFO_new 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_get_extension_flags 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy
-Certificate Profile
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7g
-and have been available since
-.Ox 3.8 .
diff --git a/lib/libcrypto/man/X509_EXTENSION_set_object.3 b/lib/libcrypto/man/X509_EXTENSION_set_object.3
index 3ade50e4d66..dcfe075ebdd 100644
--- a/lib/libcrypto/man/X509_EXTENSION_set_object.3
+++ b/lib/libcrypto/man/X509_EXTENSION_set_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.16 2023/04/25 18:48:32 tb Exp $
+.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.17 2023/04/30 19:40:23 tb Exp $
.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
.\"
.\" This file is a derived work.
@@ -65,7 +65,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: April 25 2023 $
+.Dd $Mdocdate: April 30 2023 $
.Dt X509_EXTENSION_SET_OBJECT 3
.Os
.Sh NAME
@@ -291,7 +291,6 @@ pointer.
.Xr OCSP_SERVICELOC_new 3 ,
.Xr PKEY_USAGE_PERIOD_new 3 ,
.Xr POLICYINFO_new 3 ,
-.Xr PROXY_POLICY_new 3 ,
.Xr TS_REQ_new 3 ,
.Xr X509_check_ca 3 ,
.Xr X509_check_host 3 ,
diff --git a/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
index 65e20f1ad8c..a0ae839f9a4 100644
--- a/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
+++ b/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.28 2023/04/30 14:49:47 tb Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.29 2023/04/30 19:40:23 tb Exp $
.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
.\"
@@ -540,7 +540,9 @@ flag disables workarounds for some broken certificates and makes the
verification strictly apply X509 rules.
.Pp
.Dv X509_V_FLAG_ALLOW_PROXY_CERTS
-enables proxy certificate verification.
+deprecated flag that used to
+enable proxy certificate verification.
+In LibreSSL, this flag has no effect.
.Pp
.Dv X509_V_FLAG_POLICY_CHECK
enables certificate policy checking; by default no policy checking is
diff --git a/lib/libcrypto/man/X509_get_extension_flags.3 b/lib/libcrypto/man/X509_get_extension_flags.3
index 1f63c6a9106..1d7f29c687c 100644
--- a/lib/libcrypto/man/X509_get_extension_flags.3
+++ b/lib/libcrypto/man/X509_get_extension_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get_extension_flags.3,v 1.3 2021/11/11 13:58:59 schwarze Exp $
+.\" $OpenBSD: X509_get_extension_flags.3,v 1.4 2023/04/30 19:40:23 tb Exp $
.\" full merge up to: OpenSSL 361136f4 Sep 1 18:56:58 2015 +0100
.\" selective merge up to: OpenSSL 2b2e3106f Feb 16 15:04:45 2021 +0000
.\"
@@ -49,7 +49,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: November 11 2021 $
+.Dd $Mdocdate: April 30 2023 $
.Dt X509_GET_EXTENSION_FLAGS 3
.Os
.Sh NAME
@@ -87,6 +87,7 @@ The certificate contains a basic constraints extension.
The certificate contains basic constraints and asserts the CA flag.
.It Dv EXFLAG_PROXY
The certificate is a valid proxy certificate.
+In LibreSSL this flag is never set.
.It Dv EXFLAG_SI
The certificate is self issued (that is subject and issuer names match).
.It Dv EXFLAG_SS
@@ -217,7 +218,6 @@ return sets of flags corresponding to the certificate extension values.
.Xr BASIC_CONSTRAINTS_new 3 ,
.Xr EXTENDED_KEY_USAGE_new 3 ,
.Xr POLICYINFO_new 3 ,
-.Xr PROXY_CERT_INFO_EXTENSION_new 3 ,
.Xr X509_check_ca 3 ,
.Xr X509_check_purpose 3 ,
.Xr X509_EXTENSION_new 3 ,
diff --git a/lib/libcrypto/man/d2i_PROXY_POLICY.3 b/lib/libcrypto/man/d2i_PROXY_POLICY.3
deleted file mode 100644
index 794c6edcecd..00000000000
--- a/lib/libcrypto/man/d2i_PROXY_POLICY.3
+++ /dev/null
@@ -1,97 +0,0 @@
-.\" $OpenBSD: d2i_PROXY_POLICY.3,v 1.2 2018/03/22 22:07:12 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 22 2018 $
-.Dt D2I_PROXY_POLICY 3
-.Os
-.Sh NAME
-.Nm d2i_PROXY_POLICY ,
-.Nm i2d_PROXY_POLICY ,
-.Nm d2i_PROXY_CERT_INFO_EXTENSION ,
-.Nm i2d_PROXY_CERT_INFO_EXTENSION
-.Nd decode and encode X.509 proxy certificate extensions
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft PROXY_POLICY *
-.Fo d2i_PROXY_POLICY
-.Fa "PROXY_POLICY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PROXY_POLICY
-.Fa "PROXY_POLICY *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PROXY_CERT_INFO_EXTENSION *
-.Fo d2i_PROXY_CERT_INFO_EXTENSION
-.Fa "PROXY_CERT_INFO_EXTENSION **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PROXY_CERT_INFO_EXTENSION
-.Fa "PROXY_CERT_INFO_EXTENSION *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions encode and decode X.509 extensions that decide
-whether a certificate is a proxy certificate, and which policies
-apply to it.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_PROXY_POLICY
-and
-.Fn i2d_PROXY_POLICY
-decode and encode an ASN.1
-.Vt ProxyPolicy
-structure defined in RFC 3820 section 3.8.
-.Pp
-.Fn d2i_PROXY_CERT_INFO_EXTENSION
-and
-.Fn i2d_PROXY_CERT_INFO_EXTENSION
-decode and encode an ASN.1
-.Vt ProxyCertInfo
-structure defined in RFC 3820 section 3.8.
-.Sh RETURN VALUES
-.Fn d2i_PROXY_POLICY
-and
-.Fn d2i_PROXY_CERT_INFO_EXTENSION
-return a
-.Vt PROXY_POLICY
-or
-.Vt PROXY_CERT_INFO_EXTENSION
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_PROXY_POLICY
-and
-.Fn i2d_PROXY_CERT_INFO_EXTENSION
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr PROXY_POLICY_new 3 ,
-.Xr X509_EXTENSION_new 3
-.Sh STANDARDS
-RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy
-Certificate Profile
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7g
-and have been available since
-.Ox 3.8 .