authorIngo Schwarze <schwarze@cvs.openbsd.org>2016-12-23 17:02:42 +0000
committerIngo Schwarze <schwarze@cvs.openbsd.org>2016-12-23 17:02:42 +0000
commita602748f863cf4b12364d46ec9e520f37f9b7447 (patch)
treee6bfaa6fc44193bc40f0d1a448d07f8d1ab34a79 /lib
parente74c8ad2e1981094b18499f41fa1b7ba891058f1 (diff)
Write new BASIC_CONSTRAINTS_new(3) manual from scratch, explaining
the important point of how to distinguish CA certificates from end entity certificates. Both functions are listed in <openssl/x509v3.h> and in OpenSSL doc/man3/X509_dup.pod. OpenSSL documentation specifies the wrong header file.
Diffstat (limited to 'lib')
-rw-r--r--lib/libcrypto/man/BASIC_CONSTRAINTS_new.379
-rw-r--r--lib/libcrypto/man/Makefile3
2 files changed, 81 insertions, 1 deletions
diff --git a/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3 b/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
new file mode 100644
index 00000000000..1293be0050c
--- /dev/null
+++ b/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
@@ -0,0 +1,79 @@
+.\" $OpenBSD: BASIC_CONSTRAINTS_new.3,v 1.1 2016/12/23 17:02:41 schwarze Exp $
+.\"
+.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: December 23 2016 $
+.Dt BASIC_CONSTRAINTS_NEW 3
+.Os
+.Sh NAME
+.Nm BASIC_CONSTRAINTS_new ,
+.Nm BASIC_CONSTRAINTS_free
+.Nd X.509 extension to mark CA certificates
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft BASIC_CONSTRAINTS *
+.Fn BASIC_CONSTRAINTS_new void
+.Ft void
+.Fn BASIC_CONSTRAINTS_free "BASIC_CONSTRAINTS *bc"
+.Sh DESCRIPTION
+.Fn BASIC_CONSTRAINTS_new
+allocates and initializes an empty
+.Vt BASIC_CONSTRAINTS
+object, representing an ASN.1 BasicConstraints structure
+defined in RFC 5280 section 4.2.1.9.
+.Pp
+This object contains two fields.
+The field
+.Fa "int ca"
+is non-zero if the certificate is a CA certificate.
+The field
+.Fa "ASN1_INTEGER *pathlen"
+specifies the maximum number of non-self-issued intermediate
+certificates that may follow this certificate in a valid
+certification path.
+.Pp
+If an X.509 version 3 certificate does not contain this extension
+or if the
+.Fa ca
+field of the
+.Vt BASIC_CONSTRAINTS
+object is 0, or if the certificate contains a key usage extension
+having the
+.Dv KU_KEY_CERT_SIGN
+bit unset, then it is not a CA certificate but an end entity
+certificate.
+.Pp
+.Fn BASIC_CONSTRAINTS_free
+frees
+.Fa bc .
+.Sh RETURN VALUES
+.Fn BASIC_CONSTRAINTS_new
+returns the new
+.Vt BASIC_CONSTRAINTS
+object or
+.Dv NULL
+if an error occurs.
+.Sh SEE ALSO
+.Xr X509_EXTENSION_new 3 ,
+.Xr X509_new 3
+.Sh STANDARDS
+RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
+Certificate Revocation List (CRL) Profile:
+.Bl -dash -compact
+.It
+section 4.2.1.9: Basic Constraints
+.It
+section 6.1: Basic Path Validation
+.El
diff --git a/lib/libcrypto/man/Makefile b/lib/libcrypto/man/Makefile
index 41c850357c1..0aed9e0fadb 100644
--- a/lib/libcrypto/man/Makefile
+++ b/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.92 2016/12/23 15:25:19 schwarze Exp $
+# $OpenBSD: Makefile,v 1.93 2016/12/23 17:02:41 schwarze Exp $
.include <bsd.own.mk>
@@ -12,6 +12,7 @@ MAN= \
ASN1_generate_nconf.3 \
ASN1_time_parse.3 \
AUTHORITY_KEYID_new.3 \
+ BASIC_CONSTRAINTS_new.3 \
BF_set_key.3 \
BIO_ctrl.3 \
BIO_f_base64.3 \