1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
.\" $OpenBSD: PROXY_POLICY_new.3,v 1.6 2021/10/27 11:24:47 schwarze Exp $
.\"
.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: October 27 2021 $
.Dt PROXY_POLICY_NEW 3
.Os
.Sh NAME
.Nm PROXY_POLICY_new ,
.Nm PROXY_POLICY_free ,
.Nm PROXY_CERT_INFO_EXTENSION_new ,
.Nm PROXY_CERT_INFO_EXTENSION_free
.Nd X.509 proxy certificate extension
.Sh SYNOPSIS
.In openssl/x509v3.h
.Ft PROXY_POLICY *
.Fn PROXY_POLICY_new void
.Ft void
.Fn PROXY_POLICY_free "PROXY_POLICY *pp"
.Ft PROXY_CERT_INFO_EXTENSION *
.Fn PROXY_CERT_INFO_EXTENSION_new void
.Ft void
.Fn PROXY_CERT_INFO_EXTENSION_free "PROXY_CERT_INFO_EXTENSION *pcie"
.Sh DESCRIPTION
If a given non-CA certificate grants any privileges, using that
certificate to issue a proxy certificate and handing that proxy
certificate over to another person, organization, or service allows
the bearer of the proxy certificate to exercise some or all of the
privileges on behalf of the subject of the original certificate.
.Pp
.Fn PROXY_POLICY_new
allocates and initializes an empty
.Vt PROXY_POLICY
object, representing an ASN.1
.Vt ProxyPolicy
structure defined in RFC 3820 section 3.8.
It defines which privileges are to be delegated.
.Fn PROXY_POLICY_free
frees
.Fa pp .
.Pp
.Fn PROXY_CERT_INFO_EXTENSION_new
allocates and initializes an empty
.Vt PROXY_CERT_INFO_EXTENSION
object, representing an ASN.1
.Vt ProxyCertInfo
structure defined in RFC 3820 section 3.8.
It can contain a
.Vt PROXY_POLICY
object, and it can additionally restrict the maximum depth of the
path of proxy certificates that can be signed by this proxy
certificate.
.Fn PROXY_CERT_INFO_EXTENSION_free
frees
.Fa pcie .
.Pp
If a non-CA certificate contains a
.Vt PROXY_CERT_INFO_EXTENSION ,
it is a proxy certificate; otherwise, it is an end entity certificate.
.Sh RETURN VALUES
.Fn PROXY_POLICY_new
and
.Fn PROXY_CERT_INFO_EXTENSION_new
return the new
.Vt PROXY_POLICY
or
.Vt PROXY_CERT_INFO_EXTENSION
object, respectively, or
.Dv NULL
if an error occurs.
.Sh SEE ALSO
.Xr BASIC_CONSTRAINTS_new 3 ,
.Xr d2i_PROXY_POLICY 3 ,
.Xr EXTENDED_KEY_USAGE_new 3 ,
.Xr POLICYINFO_new 3 ,
.Xr X509_EXTENSION_new 3 ,
.Xr X509_get_extension_flags 3 ,
.Xr X509_new 3
.Sh STANDARDS
RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy
Certificate Profile
.Sh HISTORY
These functions first appeared in OpenSSL 0.9.7g
and have been available since
.Ox 3.8 .
|