From: tb Date: Tue, 10 May 2022 19:44:29 +0000 (+0000) Subject: Add a BUGS section to describe the problem of potential lies and X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=dac1a32dc2e52cf6b92d2e0f0dead5962d825ad5;p=openbsd Add a BUGS section to describe the problem of potential lies and indicating a workaround. input/ok jsing --- diff --git a/lib/libcrypto/man/X509_check_ca.3 b/lib/libcrypto/man/X509_check_ca.3 index b78e3490841..114bac69e7c 100644 --- a/lib/libcrypto/man/X509_check_ca.3 +++ b/lib/libcrypto/man/X509_check_ca.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_check_ca.3,v 1.6 2022/02/18 01:41:17 jsg Exp $ +.\" $OpenBSD: X509_check_ca.3,v 1.7 2022/05/10 19:44:29 tb Exp $ .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file was written by Victor B. Wagner . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: February 18 2022 $ +.Dd $Mdocdate: May 10 2022 $ .Dt X509_CHECK_CA 3 .Os .Sh NAME @@ -93,6 +93,7 @@ that it is a CA certificate .Xr BASIC_CONSTRAINTS_new 3 , .Xr EXTENDED_KEY_USAGE_new 3 , .Xr X509_check_issued 3 , +.Xr X509_check_purpose 3 , .Xr X509_EXTENSION_new 3 , .Xr X509_new 3 , .Xr X509_verify_cert 3 @@ -100,3 +101,17 @@ that it is a CA certificate .Fn X509_check_ca first appeared in OpenSSL 0.9.7f and has been available since .Ox 3.8 . +.Sh BUGS +If +.Fn X509_check_ca +fails to cache X509v3 extension values, the return value may +be incorrect. +An application should +call +.Xr X509_check_purpose 3 +with a +.Fa purpose +argument of \-1, +ensuring that the X509v3 extensions are cached, +before calling +.Fn X509_check_ca .
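Review bot: In the new `.Sh BUGS` section, the workaround tells the application to call `X509_check_purpose` with a `purpose` of \-1, "ensuring that the X509v3 extensions are cached", but it never says how the caller learns that caching succeeded. The first sentence admits that caching can fail, so the call alone ensures nothing. Please state that the application must check the return value of `X509_check_purpose` and only then trust `X509_check_ca`, and either give the value that signals failure or point the reader to `X509_check_purpose(3)` for it. The section should also say in which direction the return value "may be incorrect", that is, whether a certificate that is not a CA can be reported as one, since that decides how callers must treat the result when the workaround is skipped. Style nit: the break between "An application should" and "call" splits the sentence mid-phrase for no reason; those two source lines can be joined.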