From: tb Date: Thu, 28 Sep 2023 12:35:31 +0000 (+0000) Subject: Document X509v3_{addr,asid}_subset.3 X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=28dae3311ed2b42883949706dce544647da402e6;p=openbsd Document X509v3_{addr,asid}_subset.3 First RFC 3779 page without a BUG section. It could have one, but I'm in a lenient mood right now. Maybe it's just that this is bad but not quite as bad as EVP. --- diff --git a/lib/libcrypto/man/ASIdentifiers_new.3 b/lib/libcrypto/man/ASIdentifiers_new.3 index 4f6bf67f10f..ae5795c9a3a 100644 --- a/lib/libcrypto/man/ASIdentifiers_new.3 +++ b/lib/libcrypto/man/ASIdentifiers_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ASIdentifiers_new.3,v 1.7 2023/09/27 08:46:46 tb Exp $ +.\" $OpenBSD: ASIdentifiers_new.3,v 1.8 2023/09/28 12:35:31 tb Exp $ .\" .\" Copyright (c) 2021 Theo Buehler .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 27 2023 $ +.Dd $Mdocdate: September 28 2023 $ .Dt ASIDENTIFIERS_NEW 3 .Os .Sh NAME @@ -47,7 +47,7 @@ .Sh DESCRIPTION RFC 3779 defines two X.509v3 certificate extensions that allow the delegation of -IP address blocks and autonomous system (AS) identifiers +IP addresses and autonomous system (AS) identifiers from the issuer to the subject of the certificate. An .Vt ASIdentifiers @@ -112,8 +112,11 @@ or a value <= 0 if an error occurs. .Xr crypto 3 , .Xr IPAddressRange_new 3 , .Xr X509_new 3 , -.Xr X509v3_asid_add_id_or_range 3 , -.Xr X509v3_asid_inherits 3 +.Xr X509v3_addr_add_inherit 3 , +.Xr X509v3_addr_get_range 3 , +.Xr X509v3_addr_inherits 3 , +.Xr X509v3_addr_subset 3 , +.Xr X509v3_asid_add_id_or_range 3 .Sh STANDARDS RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers: .Bl -dash -compact 
@@ -130,5 +133,5 @@ and have been available since .Ox 7.1 . .Sh BUGS There are no corresponding functions for the RFC 3779 -IP address blocks delegation extension represented by +IP address delegation extension represented by .Vt IPAddrBlocks . diff --git a/lib/libcrypto/man/ASRange_new.3 b/lib/libcrypto/man/ASRange_new.3 index 12eff267929..53da608cb13 100644 --- a/lib/libcrypto/man/ASRange_new.3 +++ b/lib/libcrypto/man/ASRange_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ASRange_new.3,v 1.5 2023/09/27 08:46:46 tb Exp $ +.\" $OpenBSD: ASRange_new.3,v 1.6 2023/09/28 12:35:31 tb Exp $ .\" .\" Copyright (c) 2023 Theo Buehler .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 27 2023 $ +.Dd $Mdocdate: September 28 2023 $ .Dt ASRANGE_NEW 3 .Os .Sh NAME @@ -90,7 +90,7 @@ autonomous system identifier delegation extension. .Pp All .Vt ASN1_INTEGER Ns s -in this manual should be representable as unsigned 32-bit integers. +in this manual must be representable as unsigned 32-bit integers. The API performs no corresponding checks. The library provides no convenient way of setting the value of an .Vt ASN1_INTEGER @@ -358,6 +358,7 @@ or a value <= 0 if an error occurs. .Xr crypto 3 , .Xr IPAddressRange_new 3 , .Xr s2i_ASN1_INTEGER 3 , +.Xr STACK_OF 3 , .Xr X509_new 3 , .Xr X509v3_asid_add_id_or_range 3 .Sh STANDARDS diff --git a/lib/libcrypto/man/IPAddressRange_new.3 b/lib/libcrypto/man/IPAddressRange_new.3 index 07c57f3e5d7..e15ff34509d 100644 --- a/lib/libcrypto/man/IPAddressRange_new.3 +++ b/lib/libcrypto/man/IPAddressRange_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: IPAddressRange_new.3,v 1.4 2023/09/27 08:46:46 tb Exp $ +.\" $OpenBSD: IPAddressRange_new.3,v 1.5 2023/09/28 12:35:31 tb Exp $ .\" .\" Copyright (c) 2023 Theo Buehler .\" 
@@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 27 2023 $ +.Dd $Mdocdate: September 28 2023 $ .Dt IPADDRESSRANGE_NEW 3 .Os .Sh NAME @@ -110,12 +110,12 @@ type representing the IP address delegation extension. Per RFC 3779, section 2.1.1, an IPv4 or an IPv6 address is encoded in network byte order in an ASN.1 BIT STRING of bit size 32 or 128 bits, respectively. -The bit size of a prefix is its prefix length. -In other words, all insignificant zero bits are omitted +The bit size of a prefix is its prefix length; +all insignificant zero bits are omitted from the encoding. An address range is expressed as a pair of BIT STRINGs -where all least significant zero bits of the lower bound -and the all least significant one bits of the upper bound are omitted. +where all the least significant zero bits of the lower bound +and all the least significant one bits of the upper bound are omitted. .Pp The library provides no API for directly converting an IP address or prefix (in any form) to and from an @@ -127,8 +127,11 @@ internals are subtle and directly manipulating them in the context of the RFC 3779 API is discouraged. The bit size of an .Vt ASN1_BIT_STRING -representing an IP address prefix or range is eight times its length -member minus the lowest three bits of its flags, provided the +representing an IP address prefix or range is eight times its +.Fa length +member minus the lowest three bits of its +.Fa flags , +provided the .Dv ASN1_STRING_FLAG_BITS_LEFT flag is set. .Pp @@ -460,7 +463,8 @@ or a value <= 0 if an error occurs. .Xr crypto 3 , .Xr X509_new 3 , .Xr X509v3_addr_add_inherit 3 , -.Xr X509v3_addr_inherits 3 +.Xr X509v3_addr_inherits 3 , +.Xr X509v3_addr_subset 3 .Sh STANDARDS RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers: .Bl -dash -compact 
@@ -483,7 +487,7 @@ section 2.2.3.7: Type IPAddressOrRange .It section 2.2.3.8: Element addressPrefix and Type IPAddress .It -section 2.2.3.9: Elements addressRange and Type IPAddressRange +section 2.2.3.9: Element addressRange and Type IPAddressRange .El .Pp ITU-T Recommendation X.690, also known as ISO/IEC 8825-1: diff --git a/lib/libcrypto/man/Makefile b/lib/libcrypto/man/Makefile index 9bf40343e4a..e6a97f30048 100644 --- a/lib/libcrypto/man/Makefile +++ b/lib/libcrypto/man/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.274 2023/09/26 20:42:45 tb Exp $ +# $OpenBSD: Makefile,v 1.275 2023/09/28 12:35:31 tb Exp $ .include @@ -395,6 +395,7 @@ MAN= \ X509v3_addr_add_inherit.3 \ X509v3_addr_get_range.3 \ X509v3_addr_inherits.3 \ + X509v3_addr_subset.3 \ X509v3_asid_add_id_or_range.3 \ X509v3_asid_add_id_or_range.3 \ X509v3_get_ext_by_NID.3 \ diff --git a/lib/libcrypto/man/X509_new.3 b/lib/libcrypto/man/X509_new.3 index dea1b256ce6..a669bf06083 100644 --- a/lib/libcrypto/man/X509_new.3 +++ b/lib/libcrypto/man/X509_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_new.3,v 1.41 2023/09/26 20:42:45 tb Exp $ +.\" $OpenBSD: X509_new.3,v 1.42 2023/09/28 12:35:31 tb Exp $ .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file is a derived work. @@ -66,7 +66,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 26 2023 $ +.Dd $Mdocdate: September 28 2023 $ .Dt X509_NEW 3 .Os .Sh NAME @@ -245,6 +245,7 @@ if an error occurs. .Xr X509v3_addr_add_inherit 3 , .Xr X509v3_addr_get_range 3 , .Xr X509v3_addr_inherits 3 , +.Xr X509v3_addr_subset 3 , .Xr X509v3_asid_add_id_or_range 3 .Sh STANDARDS RFC 5280: Internet X.509 Public Key Infrastructure Certificate and diff --git a/lib/libcrypto/man/X509v3_addr_add_inherit.3 b/lib/libcrypto/man/X509v3_addr_add_inherit.3 index 3ca9bc59aeb..81e73f76e54 100644 --- a/lib/libcrypto/man/X509v3_addr_add_inherit.3 
+++ b/lib/libcrypto/man/X509v3_addr_add_inherit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.5 2023/09/27 08:46:46 tb Exp $ +.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.6 2023/09/28 12:35:31 tb Exp $ .\" .\" Copyright (c) 2023 Theo Buehler .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 27 2023 $ +.Dd $Mdocdate: September 28 2023 $ .Dt X509V3_ADDR_ADD_INHERIT 3 .Os .Sh NAME @@ -60,7 +60,7 @@ An .Vt IPAddrBlocks object represents the content of -an X509v3 IP address blocks delegation extension +an IP address delegation extension as defined in RFC 3779, section 2.2.3.1. It holds lists of IP address prefixes and IP address ranges delegated from the issuer to the subject of the certificate. @@ -399,8 +399,8 @@ is desired. .Xr inet_ntop 3 , .Xr IPAddressRange_new 3 , .Xr X509_new 3 , -.Xr X509v3_asid_add_id_or_range 3 , -.Xr X509v3_addr_get_range 3 +.Xr X509v3_addr_get_range 3 , +.Xr X509v3_asid_add_id_or_range 3 .Sh STANDARDS RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers: .Bl -dash -compact diff --git a/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 b/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 index c9ff6bf13b1..1b42a449e15 100644 --- a/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 +++ b/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.5 2023/09/27 08:46:46 tb Exp $ +.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.6 2023/09/28 12:35:31 tb Exp $ .\" .\" Copyright (c) 2021-2023 Theo Buehler .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 27 2023 $ +.Dd $Mdocdate: September 28 2023 $ .Dt X509V3_ASID_ADD_ID_OR_RANGE 3 .Os .Sh NAME 
@@ -48,7 +48,7 @@ .Sh DESCRIPTION An .Vt ASIdentifiers -object represents the content of the X509v3 certificate extension +object represents the content of the certificate extension defined in RFC 3779, section 3.2.3.1. It can be instantiated with .Xr ASIdentifiers_new 3
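Review bot: the SEE ALSO hunk at @@ -112,8 +112,11 @@ in ASIdentifiers_new.3 silently drops `.Xr X509v3_asid_inherits 3` while adding the four X509v3_addr_* references, and neither the commit message nor the hunk says where that function is now documented. If it moved to one of the remaining references (X509v3_asid_add_id_or_range.3 is the obvious candidate), a word in the commit message would help; otherwise the cross-reference should stay so the asid side of the extension is still reachable from this page.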
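Review bot: the ASRange_new.3 hunk at @@ -90,7 +90,7 @@ strengthens "should" to "must be representable as unsigned 32-bit integers" but keeps "The API performs no corresponding checks" right after it, so the reader now has a hard requirement with no statement of what happens when it is violated. Since values outside that range would produce an encoding that does not conform to RFC 3779, consider adding one sentence saying that the caller is responsible for the check and that an out-of-range `.Vt ASN1_INTEGER` yields an invalid extension, or point the reader at whatever validation routine the library does offer.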
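Review bot: the Makefile hunk at @@ -395,6 +395,7 @@ adds only `X509v3_addr_subset.3 \` to MAN, although the commit title reads "Document X509v3_{addr,asid}_subset.3"; if X509v3_asid_subset is documented on the same page that is fine, but the commit message should say so rather than suggest two new pages. The same hunk's context also shows `X509v3_asid_add_id_or_range.3 \` listed twice in a row, which is worth removing while this list is being touched.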