authorIngo Schwarze <schwarze@cvs.openbsd.org>2021-07-28 14:48:10 +0000
committerIngo Schwarze <schwarze@cvs.openbsd.org>2021-07-28 14:48:10 +0000
commit43ac6031cdc6f9bd29c763556709a06c908667a1 (patch)
tree1db486002defb17e7a0978ca10b5c6ed8bac8191 /lib
parentef7b9199fe4f663d4d8be89247887e1897920e57 (diff)
document X509_STORE_CTX_get0_policy_tree(3)
and X509_STORE_CTX_get_explicit_policy(3)
Diffstat (limited to 'lib')
-rw-r--r--lib/libcrypto/man/X509_STORE_CTX_get_error.345
1 files changed, 41 insertions, 4 deletions
diff --git a/lib/libcrypto/man/X509_STORE_CTX_get_error.3 b/lib/libcrypto/man/X509_STORE_CTX_get_error.3
index 3ea3175b98b..f7466c4bd9e 100644
--- a/lib/libcrypto/man/X509_STORE_CTX_get_error.3
+++ b/lib/libcrypto/man/X509_STORE_CTX_get_error.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.16 2021/07/22 15:35:50 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.17 2021/07/28 14:48:09 schwarze Exp $
.\" full merge up to:
.\" OpenSSL crypto/X509_STORE_CTX_get_error f0e0fd51 Apr 14 23:59:26 2016 -0400
.\" selective merge up to:
@@ -70,7 +70,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: July 22 2021 $
+.Dd $Mdocdate: July 28 2021 $
.Dt X509_STORE_CTX_GET_ERROR 3
.Os
.Sh NAME
@@ -83,6 +83,8 @@
.Nm X509_STORE_CTX_get0_chain ,
.Nm X509_STORE_CTX_get_chain ,
.Nm X509_STORE_CTX_get1_chain ,
+.Nm X509_STORE_CTX_get0_policy_tree ,
+.Nm X509_STORE_CTX_get_explicit_policy ,
.Nm X509_verify_cert_error_string
.Nd get or set certificate verification status information
.Sh SYNOPSIS
@@ -124,15 +126,24 @@
.Fo X509_STORE_CTX_get1_chain
.Fa "X509_STORE_CTX *ctx"
.Fc
+.Ft X509_POLICY_TREE *
+.Fo X509_STORE_CTX_get0_policy_tree
+.Fa "X509_STORE_CTX *ctx"
+.Fc
+.Ft int
+.Fo X509_STORE_CTX_get_explicit_policy
+.Fa "X509_STORE_CTX *ctx"
+.Fc
.In openssl/x509.h
.Ft const char *
.Fo X509_verify_cert_error_string
.Fa "long n"
.Fc
.Sh DESCRIPTION
-These functions are typically called after
+Most of these functions are typically called after
.Xr X509_verify_cert 3
-has indicated an error or in a verification callback to determine the
+to inspect status information related to certificate verification.
+Some may also be called in a verification callback to determine the
nature of an error.
.Pp
.Fn X509_STORE_CTX_get_error
@@ -238,6 +249,24 @@ return a pointer to a stack of certificates or
.Dv NULL
if an error occurs.
.Pp
+.Fn X509_STORE_CTX_get0_policy_tree
+returns an internal pointer to the
+.Fa valid_policy_tree
+created by
+.Xr X509_policy_check 3
+or
+.Dv NULL
+if validation failed or the resulting tree was empty.
+.Pp
+.Fn X509_STORE_CTX_get_explicit_policy
+returns the
+.Pf * Fa pexplicit_policy
+output argument of
+.Xr X509_policy_check 3 .
+If validation succeeded, it is 1 if
+.Dv X509_V_FLAG_EXPLICIT_POLICY
+was requested or 0 otherwise.
+.Pp
.Fn X509_verify_cert_error_string
returns a human readable error string for verification error
.Fa n .
@@ -412,6 +441,8 @@ An application specific error.
This will never be returned unless explicitly set by an application.
.El
.Sh SEE ALSO
+.Xr X509_policy_check 3 ,
+.Xr X509_policy_tree_level_count 3 ,
.Xr X509_STORE_CTX_new 3 ,
.Xr X509_up_ref 3 ,
.Xr X509_verify_cert 3
@@ -430,6 +461,12 @@ first appeared in SSLeay 0.8.0 and have been available since
first appeared in OpenSSL 0.9.5 and has been available since
.Ox 2.7 .
.Pp
+.Fn X509_STORE_CTX_get0_policy_tree
+and
+.Fn X509_STORE_CTX_get_explicit_policy
+first appeared in OpenSSL 0.9.8 and have been available since
+.Ox 4.5 .
+.Pp
.Fn X509_STORE_CTX_get0_current_issuer
and
.Fn X509_STORE_CTX_get0_current_crl