diff options
author | Theo Buehler <tb@cvs.openbsd.org> | 2023-04-30 19:40:24 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2023-04-30 19:40:24 +0000 |
commit | c6e47bc4ae19bf46d361c6c098eca3408bfa9410 (patch) | |
tree | c44aa85cb6bfe19a81d6797781c3e35606cd09d9 /lib | |
parent | 11e51fddd26734b8de4064eeba7c90eaffe9cb38 (diff) |
Remove most documentation pertaining to proxy certificates.
Update EXFLAG_PROXY and X509_V_FLAG_ALLOW_PROXY_CERTS documentation since
we need to keep them for the time being.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libcrypto/man/Makefile | 4 | ||||
-rw-r--r-- | lib/libcrypto/man/PROXY_POLICY_new.3 | 97 | ||||
-rw-r--r-- | lib/libcrypto/man/X509_EXTENSION_set_object.3 | 5 | ||||
-rw-r--r-- | lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 | 6 | ||||
-rw-r--r-- | lib/libcrypto/man/X509_get_extension_flags.3 | 6 | ||||
-rw-r--r-- | lib/libcrypto/man/d2i_PROXY_POLICY.3 | 97 |
6 files changed, 10 insertions, 205 deletions
diff --git a/lib/libcrypto/man/Makefile b/lib/libcrypto/man/Makefile index fc3204e3a2c..42b4c2fbe10 100644 --- a/lib/libcrypto/man/Makefile +++ b/lib/libcrypto/man/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.249 2023/04/30 14:49:47 tb Exp $ +# $OpenBSD: Makefile,v 1.250 2023/04/30 19:40:23 tb Exp $ .include <bsd.own.mk> @@ -265,7 +265,6 @@ MAN= \ PKCS8_pkey_set0.3 \ PKEY_USAGE_PERIOD_new.3 \ POLICYINFO_new.3 \ - PROXY_POLICY_new.3 \ RAND_add.3 \ RAND_bytes.3 \ RAND_load_file.3 \ @@ -407,7 +406,6 @@ MAN= \ d2i_PKCS8_PRIV_KEY_INFO.3 \ d2i_PKEY_USAGE_PERIOD.3 \ d2i_POLICYINFO.3 \ - d2i_PROXY_POLICY.3 \ d2i_PrivateKey.3 \ d2i_RSAPublicKey.3 \ d2i_TS_REQ.3 \ diff --git a/lib/libcrypto/man/PROXY_POLICY_new.3 b/lib/libcrypto/man/PROXY_POLICY_new.3 deleted file mode 100644 index c23a620177e..00000000000 --- a/lib/libcrypto/man/PROXY_POLICY_new.3 +++ /dev/null @@ -1,97 +0,0 @@ -.\" $OpenBSD: PROXY_POLICY_new.3,v 1.6 2021/10/27 11:24:47 schwarze Exp $ -.\" -.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org> -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: October 27 2021 $ -.Dt PROXY_POLICY_NEW 3 -.Os -.Sh NAME -.Nm PROXY_POLICY_new , -.Nm PROXY_POLICY_free , -.Nm PROXY_CERT_INFO_EXTENSION_new , -.Nm PROXY_CERT_INFO_EXTENSION_free -.Nd X.509 proxy certificate extension -.Sh SYNOPSIS -.In openssl/x509v3.h -.Ft PROXY_POLICY * -.Fn PROXY_POLICY_new void -.Ft void -.Fn PROXY_POLICY_free "PROXY_POLICY *pp" -.Ft PROXY_CERT_INFO_EXTENSION * -.Fn PROXY_CERT_INFO_EXTENSION_new void -.Ft void -.Fn PROXY_CERT_INFO_EXTENSION_free "PROXY_CERT_INFO_EXTENSION *pcie" -.Sh DESCRIPTION -If a given non-CA certificate grants any privileges, using that -certificate to issue a proxy certificate and handing that proxy -certificate over to another person, organization, or service allows -the bearer of the proxy certificate to exercise some or all of the -privileges on behalf of the subject of the original certificate. -.Pp -.Fn PROXY_POLICY_new -allocates and initializes an empty -.Vt PROXY_POLICY -object, representing an ASN.1 -.Vt ProxyPolicy -structure defined in RFC 3820 section 3.8. -It defines which privileges are to be delegated. -.Fn PROXY_POLICY_free -frees -.Fa pp . -.Pp -.Fn PROXY_CERT_INFO_EXTENSION_new -allocates and initializes an empty -.Vt PROXY_CERT_INFO_EXTENSION -object, representing an ASN.1 -.Vt ProxyCertInfo -structure defined in RFC 3820 section 3.8. -It can contain a -.Vt PROXY_POLICY -object, and it can additionally restrict the maximum depth of the -path of proxy certificates that can be signed by this proxy -certificate. -.Fn PROXY_CERT_INFO_EXTENSION_free -frees -.Fa pcie . -.Pp -If a non-CA certificate contains a -.Vt PROXY_CERT_INFO_EXTENSION , -it is a proxy certificate; otherwise, it is an end entity certificate. -.Sh RETURN VALUES -.Fn PROXY_POLICY_new -and -.Fn PROXY_CERT_INFO_EXTENSION_new -return the new -.Vt PROXY_POLICY -or -.Vt PROXY_CERT_INFO_EXTENSION -object, respectively, or -.Dv NULL -if an error occurs. -.Sh SEE ALSO -.Xr BASIC_CONSTRAINTS_new 3 , -.Xr d2i_PROXY_POLICY 3 , -.Xr EXTENDED_KEY_USAGE_new 3 , -.Xr POLICYINFO_new 3 , -.Xr X509_EXTENSION_new 3 , -.Xr X509_get_extension_flags 3 , -.Xr X509_new 3 -.Sh STANDARDS -RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy -Certificate Profile -.Sh HISTORY -These functions first appeared in OpenSSL 0.9.7g -and have been available since -.Ox 3.8 . diff --git a/lib/libcrypto/man/X509_EXTENSION_set_object.3 b/lib/libcrypto/man/X509_EXTENSION_set_object.3 index 3ade50e4d66..dcfe075ebdd 100644 --- a/lib/libcrypto/man/X509_EXTENSION_set_object.3 +++ b/lib/libcrypto/man/X509_EXTENSION_set_object.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.16 2023/04/25 18:48:32 tb Exp $ +.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.17 2023/04/30 19:40:23 tb Exp $ .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 25 2023 $ +.Dd $Mdocdate: April 30 2023 $ .Dt X509_EXTENSION_SET_OBJECT 3 .Os .Sh NAME @@ -291,7 +291,6 @@ pointer. .Xr OCSP_SERVICELOC_new 3 , .Xr PKEY_USAGE_PERIOD_new 3 , .Xr POLICYINFO_new 3 , -.Xr PROXY_POLICY_new 3 , .Xr TS_REQ_new 3 , .Xr X509_check_ca 3 , .Xr X509_check_host 3 , diff --git a/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 index 65e20f1ad8c..a0ae839f9a4 100644 --- a/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 +++ b/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.28 2023/04/30 14:49:47 tb Exp $ +.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.29 2023/04/30 19:40:23 tb Exp $ .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100 .\" @@ -540,7 +540,9 @@ flag disables workarounds for some broken certificates and makes the verification strictly apply X509 rules. .Pp .Dv X509_V_FLAG_ALLOW_PROXY_CERTS -enables proxy certificate verification. +deprecated flag that used to +enable proxy certificate verification. +In LibreSSL, this flag has no effect. .Pp .Dv X509_V_FLAG_POLICY_CHECK enables certificate policy checking; by default no policy checking is diff --git a/lib/libcrypto/man/X509_get_extension_flags.3 b/lib/libcrypto/man/X509_get_extension_flags.3 index 1f63c6a9106..1d7f29c687c 100644 --- a/lib/libcrypto/man/X509_get_extension_flags.3 +++ b/lib/libcrypto/man/X509_get_extension_flags.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_get_extension_flags.3,v 1.3 2021/11/11 13:58:59 schwarze Exp $ +.\" $OpenBSD: X509_get_extension_flags.3,v 1.4 2023/04/30 19:40:23 tb Exp $ .\" full merge up to: OpenSSL 361136f4 Sep 1 18:56:58 2015 +0100 .\" selective merge up to: OpenSSL 2b2e3106f Feb 16 15:04:45 2021 +0000 .\" @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 11 2021 $ +.Dd $Mdocdate: April 30 2023 $ .Dt X509_GET_EXTENSION_FLAGS 3 .Os .Sh NAME @@ -87,6 +87,7 @@ The certificate contains a basic constraints extension. The certificate contains basic constraints and asserts the CA flag. .It Dv EXFLAG_PROXY The certificate is a valid proxy certificate. +In LibreSSL this flag is never set. .It Dv EXFLAG_SI The certificate is self issued (that is subject and issuer names match). .It Dv EXFLAG_SS @@ -217,7 +218,6 @@ return sets of flags corresponding to the certificate extension values. .Xr BASIC_CONSTRAINTS_new 3 , .Xr EXTENDED_KEY_USAGE_new 3 , .Xr POLICYINFO_new 3 , -.Xr PROXY_CERT_INFO_EXTENSION_new 3 , .Xr X509_check_ca 3 , .Xr X509_check_purpose 3 , .Xr X509_EXTENSION_new 3 , diff --git a/lib/libcrypto/man/d2i_PROXY_POLICY.3 b/lib/libcrypto/man/d2i_PROXY_POLICY.3 deleted file mode 100644 index 794c6edcecd..00000000000 --- a/lib/libcrypto/man/d2i_PROXY_POLICY.3 +++ /dev/null @@ -1,97 +0,0 @@ -.\" $OpenBSD: d2i_PROXY_POLICY.3,v 1.2 2018/03/22 22:07:12 schwarze Exp $ -.\" -.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org> -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: March 22 2018 $ -.Dt D2I_PROXY_POLICY 3 -.Os -.Sh NAME -.Nm d2i_PROXY_POLICY , -.Nm i2d_PROXY_POLICY , -.Nm d2i_PROXY_CERT_INFO_EXTENSION , -.Nm i2d_PROXY_CERT_INFO_EXTENSION -.Nd decode and encode X.509 proxy certificate extensions -.Sh SYNOPSIS -.In openssl/x509v3.h -.Ft PROXY_POLICY * -.Fo d2i_PROXY_POLICY -.Fa "PROXY_POLICY **val_out" -.Fa "const unsigned char **der_in" -.Fa "long length" -.Fc -.Ft int -.Fo i2d_PROXY_POLICY -.Fa "PROXY_POLICY *val_in" -.Fa "unsigned char **der_out" -.Fc -.Ft PROXY_CERT_INFO_EXTENSION * -.Fo d2i_PROXY_CERT_INFO_EXTENSION -.Fa "PROXY_CERT_INFO_EXTENSION **val_out" -.Fa "const unsigned char **der_in" -.Fa "long length" -.Fc -.Ft int -.Fo i2d_PROXY_CERT_INFO_EXTENSION -.Fa "PROXY_CERT_INFO_EXTENSION *val_in" -.Fa "unsigned char **der_out" -.Fc -.Sh DESCRIPTION -These functions encode and decode X.509 extensions that decide -whether a certificate is a proxy certificate, and which policies -apply to it. -For details about the semantics, examples, caveats, and bugs, see -.Xr ASN1_item_d2i 3 . -.Pp -.Fn d2i_PROXY_POLICY -and -.Fn i2d_PROXY_POLICY -decode and encode an ASN.1 -.Vt ProxyPolicy -structure defined in RFC 3820 section 3.8. -.Pp -.Fn d2i_PROXY_CERT_INFO_EXTENSION -and -.Fn i2d_PROXY_CERT_INFO_EXTENSION -decode and encode an ASN.1 -.Vt ProxyCertInfo -structure defined in RFC 3820 section 3.8. -.Sh RETURN VALUES -.Fn d2i_PROXY_POLICY -and -.Fn d2i_PROXY_CERT_INFO_EXTENSION -return a -.Vt PROXY_POLICY -or -.Vt PROXY_CERT_INFO_EXTENSION -object, respectively, or -.Dv NULL -if an error occurs. -.Pp -.Fn i2d_PROXY_POLICY -and -.Fn i2d_PROXY_CERT_INFO_EXTENSION -return the number of bytes successfully encoded or a negative value -if an error occurs. -.Sh SEE ALSO -.Xr ASN1_item_d2i 3 , -.Xr PROXY_POLICY_new 3 , -.Xr X509_EXTENSION_new 3 -.Sh STANDARDS -RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy -Certificate Profile -.Sh HISTORY -These functions first appeared in OpenSSL 0.9.7g -and have been available since -.Ox 3.8 . |