From efc80f802df2fbe1374ed12a9ed74ed5e424ab55 Mon Sep 17 00:00:00 2001
From: job
Date: Thu, 16 Mar 2023 15:21:44 +0000
Subject: [PATCH] Add X509_STORE_{set,get}_check_issued and X509_STORE_CTX_get_check_issued to manpage with and OK tb@

---
 lib/libcrypto/man/X509_STORE_CTX_set_verify.3 | 78 ++++++++++++++++++-
 1 file changed, 75 insertions(+), 3 deletions(-)

diff --git a/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 b/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
index 1c7797bbfcb..a7c8954416f 100644
--- a/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
+++ b/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.3 2022/11/16 14:55:40 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.4 2023/03/16 15:21:44 job Exp $
 .\"
 .\" Copyright (c) 2021, 2022 Ingo Schwarze
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 16 2022 $
+.Dd $Mdocdate: March 16 2023 $
 .Dt X509_STORE_CTX_SET_VERIFY 3
 .Os
 .Sh NAME
@@ -23,7 +23,10 @@
 .Nm X509_STORE_CTX_get_verify ,
 .Nm X509_STORE_set_verify ,
 .Nm X509_STORE_set_verify_func ,
-.Nm X509_STORE_get_verify
+.Nm X509_STORE_get_verify ,
+.Nm X509_STORE_set_check_issued ,
+.Nm X509_STORE_get_check_issued ,
+.Nm X509_STORE_CTX_get_check_issued
 .Nd user-defined certificate chain verification function
 .Sh SYNOPSIS
 .In openssl/x509_vfy.h
@@ -54,6 +57,25 @@
 .Fo X509_STORE_get_verify
 .Fa "X509_STORE_CTX *ctx"
 .Fc
+.Ft typedef int
+.Fo "(*X509_STORE_CTX_check_issued_fn)
+.Fa "X509_STORE_CTX *ctx"
+.Fa "X509 *subject"
+.Fa "X509 *issuer"
+.Fc
+.Ft void
+.Fo X509_STORE_set_check_issued
+.Fa "X509_STORE *store"
+.Fa "X509_STORE_CTX_check_issued_fn check_issued"
+.Fc
+.Ft X509_STORE_CTX_check_issued_fn
+.Fo X509_STORE_get_check_issued
+.Fa "X509_STORE *store"
+.Fc
+.Ft X509_STORE_CTX_check_issued_fn
+.Fo X509_STORE_CTX_get_check_issued
+.Fa "X509_STORE_CTX *ctx"
+.Fc
 .Sh DESCRIPTION
 .Fn X509_STORE_CTX_set_verify
 configures
@@ -97,6 +119,27 @@ is later passed as an argument to
 is an alias for
 .Fn X509_STORE_set_verify
 implemented as a macro.
+.Pp
+.Fn X509_STORE_set_check_issued
+saves the function pointer
+.Fa check_issued
+in the given
+.Fa store
+object.
+That pointer will be copied to an
+.Vt X509_STORE_CTX
+object when
+.Fa store
+is later passed as an argument to
+.Fn X509_STORE_CTX_init 3 .
+.Pp
+The
+.Fa check_issued
+function provided by the user should check whether a given certificate
+.Fa subject
+was issued using the CA certificate
+.Fa issuer ,
+and must return 0 on failure and 1 on success.
 .Sh RETURN VALUES
 .Fn X509_STORE_CTX_verify_fn
 is supposed to return 1 to indicate that the chain is valid
@@ -120,6 +163,27 @@ or
 .Dv NULL
 if that function was not called on the
 .Fa store .
+.Pp
+.Fn X509_STORE_get_check_issued
+returns the function pointer previously set with
+.Fn X509_STORE_set_check_issued ,
+or
+.Dv NULL
+if that function was not called on the
+.Fa store .
+.Pp
+.Fn X509_STORE_CTX_get_check_issued
+returns the
+.Fn check_issued
+function set on the
+.Vt X509_STORE_CTX .
+This is either the
+.Fn check_issued
+function inherited from the
+.Fa store
+used in
+.Xr X509_STORE_CTX_init 3
+or the library's default implementation.
 .Sh SEE ALSO
 .Xr X509_STORE_CTX_init 3 ,
 .Xr X509_STORE_CTX_set_error 3 ,
@@ -130,6 +194,7 @@ if that function was not called on the
 .Xr X509_STORE_set_verify_cb 3 ,
 .Xr X509_verify_cert 3 ,
 .Xr X509_VERIFY_PARAM_set_flags 3
+.Xr X509_check_issued 3
 .Sh HISTORY
 .Fn X509_STORE_set_verify_func
 first appeared in SSLeay 0.8.0 and has been available since
@@ -147,3 +212,10 @@ and
 .Fn X509_STORE_get_verify
 first appeared in OpenSSL 1.1.0 and have been available since
 .Ox 7.2 .
+.Pp
+.Fn X509_STORE_set_check_issued ,
+.Fn X509_STORE_get_check_issued ,
+and
+.Fn X509_STORE_CTX_get_check_issued
+first appeared in OpenSSL 1.1.0 and have been available since
+.Ox 7.3 .
-- 
2.20.1