summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/libcrypto/man/Makefile3
-rw-r--r--lib/libcrypto/man/PEM_read_bio_PrivateKey.37
-rw-r--r--lib/libcrypto/man/X509_CINF_new.35
-rw-r--r--lib/libcrypto/man/X509_add1_trust_object.35
-rw-r--r--lib/libcrypto/man/X509_check_purpose.35
-rw-r--r--lib/libcrypto/man/X509_check_trust.3207
-rw-r--r--lib/libcrypto/man/X509_new.35
7 files changed, 11 insertions, 226 deletions
diff --git a/lib/libcrypto/man/Makefile b/lib/libcrypto/man/Makefile
index 3b636f24415..a6a3cf78fcd 100644
--- a/lib/libcrypto/man/Makefile
+++ b/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.293 2024/09/02 07:57:27 tb Exp $
+# $OpenBSD: Makefile,v 1.294 2024/09/02 08:04:32 tb Exp $
.include <bsd.own.mk>
@@ -354,7 +354,6 @@ MAN= \
X509_check_issued.3 \
X509_check_private_key.3 \
X509_check_purpose.3 \
- X509_check_trust.3 \
X509_cmp.3 \
X509_cmp_time.3 \
X509_digest.3 \
diff --git a/lib/libcrypto/man/PEM_read_bio_PrivateKey.3 b/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
index 293c4da6558..9f452617254 100644
--- a/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
+++ b/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.22 2024/05/07 20:40:07 tb Exp $
+.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.23 2024/09/02 08:04:32 tb Exp $
.\" full merge up to:
.\" OpenSSL man3/PEM_read_bio_PrivateKey.pod 18bad535 Apr 9 15:13:55 2019 +0100
.\" OpenSSL man3/PEM_read_CMS.pod 83cf7abf May 29 13:07:08 2018 +0100
@@ -51,7 +51,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: May 7 2024 $
+.Dd $Mdocdate: September 2 2024 $
.Dt PEM_READ_BIO_PRIVATEKEY 3
.Os
.Sh NAME
@@ -896,9 +896,6 @@ The
functions process a trusted X509 certificate using an
.Vt X509
structure.
-The
-.Xr X509_check_trust 3
-manual explains how the auxiliary trust information is used.
.Pp
The
.Sy X509_REQ
diff --git a/lib/libcrypto/man/X509_CINF_new.3 b/lib/libcrypto/man/X509_CINF_new.3
index f7de4d95249..6c09c585454 100644
--- a/lib/libcrypto/man/X509_CINF_new.3
+++ b/lib/libcrypto/man/X509_CINF_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_CINF_new.3,v 1.10 2021/07/24 14:33:14 schwarze Exp $
+.\" $OpenBSD: X509_CINF_new.3,v 1.11 2024/09/02 08:04:32 tb Exp $
.\"
.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: July 24 2021 $
+.Dd $Mdocdate: September 2 2024 $
.Dt X509_CINF_NEW 3
.Os
.Sh NAME
@@ -96,7 +96,6 @@ if an error occurs.
.Xr d2i_X509_CINF 3 ,
.Xr X509_add1_trust_object 3 ,
.Xr X509_CERT_AUX_print 3 ,
-.Xr X509_check_trust 3 ,
.Xr X509_keyid_set1 3 ,
.Xr X509_new 3
.Sh STANDARDS
diff --git a/lib/libcrypto/man/X509_add1_trust_object.3 b/lib/libcrypto/man/X509_add1_trust_object.3
index e1e38242085..067bf644644 100644
--- a/lib/libcrypto/man/X509_add1_trust_object.3
+++ b/lib/libcrypto/man/X509_add1_trust_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_add1_trust_object.3,v 1.3 2021/07/24 14:33:14 schwarze Exp $
+.\" $OpenBSD: X509_add1_trust_object.3,v 1.4 2024/09/02 08:04:32 tb Exp $
.\"
.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: July 24 2021 $
+.Dd $Mdocdate: September 2 2024 $
.Dt X509_ADD1_TRUST_OBJECT 3
.Os
.Sh NAME
@@ -93,7 +93,6 @@ does not contain a sub-object that can hold non-standard auxiliary data.
.Xr EXTENDED_KEY_USAGE_new 3 ,
.Xr OBJ_nid2obj 3 ,
.Xr X509_CERT_AUX_new 3 ,
-.Xr X509_check_trust 3 ,
.Xr X509_new 3
.Sh HISTORY
These functions first appeared in OpenSSL 0.9.4 and have been available since
diff --git a/lib/libcrypto/man/X509_check_purpose.3 b/lib/libcrypto/man/X509_check_purpose.3
index ebd627bd573..8fea6679fce 100644
--- a/lib/libcrypto/man/X509_check_purpose.3
+++ b/lib/libcrypto/man/X509_check_purpose.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_purpose.3,v 1.11 2023/06/25 13:54:58 tb Exp $
+.\" $OpenBSD: X509_check_purpose.3,v 1.12 2024/09/02 08:04:32 tb Exp $
.\"
.\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: June 25 2023 $
+.Dd $Mdocdate: September 2 2024 $
.Dt X509_CHECK_PURPOSE 3
.Os
.Sh NAME
@@ -410,7 +410,6 @@ can be used as a CA for the
.Sh SEE ALSO
.Xr BASIC_CONSTRAINTS_new 3 ,
.Xr EXTENDED_KEY_USAGE_new 3 ,
-.Xr X509_check_trust 3 ,
.Xr X509_new 3 ,
.Xr X509_PURPOSE_set 3 ,
.Xr X509V3_get_d2i 3 ,
diff --git a/lib/libcrypto/man/X509_check_trust.3 b/lib/libcrypto/man/X509_check_trust.3
deleted file mode 100644
index f085bfcf209..00000000000
--- a/lib/libcrypto/man/X509_check_trust.3
+++ /dev/null
@@ -1,207 +0,0 @@
-.\" $OpenBSD: X509_check_trust.3,v 1.10 2024/08/17 09:19:04 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: August 17 2024 $
-.Dt X509_CHECK_TRUST 3
-.Os
-.Sh NAME
-.Nm X509_check_trust
-.Nd check whether a certificate is trusted
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_check_trust
-.Fa "X509 *certificate"
-.Fa "int trust"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_check_trust
-checks whether the
-.Fa certificate
-is marked as trusted for the purpose corresponding to the requested
-.Fa trust
-identifier.
-.Pp
-The standard algorithm used by all built-in trust checking functions
-performs the following tests in the following order.
-The first matching test terminates the algorithm
-and decides the return value.
-.Bl -enum
-.It
-If
-.Xr X509_add1_reject_object 3
-was previously called on the
-.Fa certificate
-with the ASN.1 object identifier corresponding to the requested
-.Fa trust
-identifier,
-.Dv X509_TRUST_REJECTED
-is returned.
-.It
-If
-.Xr X509_add1_trust_object 3
-was previously called on the
-.Fa certificate
-with the ASN.1 object identifier corresponding to the requested
-.Fa trust
-identifier,
-.Dv X509_TRUST_TRUSTED
-is returned.
-.It
-If
-.Xr X509_add1_reject_object 3
-or
-.Xr X509_add1_trust_object 3
-were previously called on the
-.Fa certificate ,
-but neither of them
-with the ASN.1 object identifier corresponding to the requested
-.Fa trust
-identifier,
-.Dv X509_TRUST_UNTRUSTED
-is returned.
-.It
-This so-called
-.Dq compatibility
-step is skipped by some of the trust checking functions.
-If neither
-.Xr X509_add1_reject_object 3
-nor
-.Xr X509_add1_trust_object 3
-was previously called on the
-.Fa certificate
-and if the
-.Fa certificate
-is a self-signed,
-.Dv X509_TRUST_TRUSTED
-is returned.
-.It
-Otherwise,
-.Dv X509_TRUST_UNTRUSTED
-is returned.
-.El
-.Pp
-By default, the following
-.Fa trust
-identifiers are supported.
-The
-.Dq ASN.1 NID
-column indicates the corresponding ASN.1 object identifier;
-for the relationship between ASN.1 NIDs and OIDs, see the
-.Xr OBJ_nid2obj 3
-manual page.
-The
-.Qq compat
-column indicates whether the compatibility step in the standard algorithm
-detailed above is used or skipped.
-.Pp
-.Bl -column X509_TRUST_OCSP_REQUEST NID_anyExtendedKeyUsage compat -compact
-.It Fa trust No identifier Ta Em ASN.1 NID Ta Em compat
-.It Dv X509_TRUST_SSL_CLIENT Ta Dv NID_client_auth Ta use
-.It Dv X509_TRUST_SSL_SERVER Ta Dv NID_server_auth Ta use
-.It Dv X509_TRUST_EMAIL Ta Dv NID_email_protect Ta use
-.It Dv X509_TRUST_OBJECT_SIGN Ta Dv NID_code_sign Ta use
-.It Dv X509_TRUST_OCSP_SIGN Ta Dv NID_OCSP_sign Ta skip
-.It Dv X509_TRUST_OCSP_REQUEST Ta Dv NID_ad_OCSP Ta skip
-.It Dv X509_TRUST_TSA Ta Dv NID_time_stamp Ta use
-.It Dv X509_TRUST_COMPAT Ta none Ta only
-.It 0 Ta Dv NID_anyExtendedKeyUsage Ta special
-.It \-1 Ta none Ta trusted
-.It invalid Ta Fa trust No argument Ta skip
-.El
-.Pp
-For the following
-.Fa trust
-identifiers, the standard algorithm is modified:
-.Bl -tag -width Ds
-.It Dv X509_TRUST_COMPAT
-.Xr X509_add1_reject_object 3
-and
-.Xr X509_add1_trust_object 3
-settings are completely ignored
-and all steps before the compatibility step are skipped.
-The
-.Fa certificate
-is trusted if and only if it is self-signed.
-.It 0
-The third step in the standard algorithm is skipped, and the
-compatibility step is used even if
-.Xr X509_add1_reject_object 3
-or
-.Xr X509_add1_trust_object 3
-were called with ASN.1 object identifiers not corresponding to
-.Dv NID_anyExtendedKeyUsage .
-.It \-1
-The
-.Fa certificate
-is not inspected and
-.Dv X509_TRUST_TRUSTED
-is always returned.
-.It invalid
-If the
-.Fa trust
-argument is neither 0 nor \-1 nor valid as a trust identifier,
-it is re-interpreted as an ASN.1 NID
-and used itself for the standard algorithm.
-The compatibility step is skipped in this case.
-.El
-.Pp
-The
-.Fa flags
-argument is ignored by all built-in trust checking functions,
-but user-specified trust checking functions might use it.
-.Pp
-If the function
-.Xr X509_TRUST_add 3
-was called before
-.Fn X509_check_trust ,
-it may have installed different, user-supplied checking functions
-for some of the standard
-.Fa trust
-identifiers listed above, or it may have installed additional,
-user-supplied checking functions for user-defined
-.Fa trust
-identifiers not listed above.
-.Sh RETURN VALUES
-.Fn X509_check_trust
-returns the following values:
-.Bl -tag -width Ds
-.It Dv X509_TRUST_TRUSTED
-The
-.Fa certificate
-is explicitly or implicitly trusted for the requested purpose.
-.It Dv X509_TRUST_REJECTED
-The
-.Fa certificate
-is explicitly rejected for the requested purpose.
-.It Dv X509_TRUST_UNTRUSTED
-The
-.Fa certificate
-is neither trusted nor explicitly rejected,
-which implies that it is not trusted.
-.El
-.Sh SEE ALSO
-.Xr PEM_read_X509_AUX 3 ,
-.Xr X509_add1_trust_object 3 ,
-.Xr X509_CERT_AUX_new 3 ,
-.Xr X509_check_purpose 3 ,
-.Xr X509_new 3 ,
-.Xr X509_VERIFY_PARAM_set_trust 3
-.Sh HISTORY
-.Fn X509_check_trust
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
diff --git a/lib/libcrypto/man/X509_new.3 b/lib/libcrypto/man/X509_new.3
index 9bc3ee95c84..7b62363d4da 100644
--- a/lib/libcrypto/man/X509_new.3
+++ b/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_new.3,v 1.44 2024/08/17 09:16:37 tb Exp $
+.\" $OpenBSD: X509_new.3,v 1.45 2024/09/02 08:04:32 tb Exp $
.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
.\"
.\" This file is a derived work.
@@ -66,7 +66,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: August 17 2024 $
+.Dd $Mdocdate: September 2 2024 $
.Dt X509_NEW 3
.Os
.Sh NAME
@@ -208,7 +208,6 @@ if an error occurs.
.Xr X509_check_issued 3 ,
.Xr X509_check_private_key 3 ,
.Xr X509_check_purpose 3 ,
-.Xr X509_check_trust 3 ,
.Xr X509_CINF_new 3 ,
.Xr X509_cmp 3 ,
.Xr X509_CRL_new 3 ,