| Field | Value | Date |
|---|---|---|
| author | Richard Levitte <levitte@openssl.org> | 2019-03-07 15:26:34 +0100 |
| committer | Richard Levitte <levitte@openssl.org> | 2019-11-03 18:38:23 +0100 |
| commit | fd3397fc47bfd92e7e33d88aa566cb0c8bd29330 (patch) | |
| tree | 463778bc2ded727930631bec442d7ec7b7509488 /doc | |
| parent | 6dcb100f89d0ef081771d533fed342412ac7a13f (diff) | |
Add -CAstore and similar to all openssl commands that have -CApath
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8442)
Diffstat (limited to 'doc')

| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | doc/man1/openssl-cms.pod.in | 4 |
| -rw-r--r-- | doc/man1/openssl-crl.pod.in | 3 |
| -rw-r--r-- | doc/man1/openssl-ocsp.pod.in | 10 |
| -rw-r--r-- | doc/man1/openssl-pkcs12.pod.in | 3 |
| -rw-r--r-- | doc/man1/openssl-s_client.pod.in | 8 |
| -rw-r--r-- | doc/man1/openssl-s_server.pod.in | 15 |
| -rw-r--r-- | doc/man1/openssl-s_time.pod.in | 9 |
| -rw-r--r-- | doc/man1/openssl-smime.pod.in | 4 |
| -rw-r--r-- | doc/man1/openssl-ts.pod.in | 8 |
| -rw-r--r-- | doc/man1/openssl-verify.pod.in | 18 |
| -rw-r--r-- | doc/man1/openssl.pod | 17 |
| -rw-r--r-- | doc/perlvars.pm | 7 |

12 files changed, 78 insertions, 28 deletions
diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index 3d8bcd792e..83eb4fdb57 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -736,6 +736,10 @@ the list of permitted ciphers in a database and only use those. No revocation checking is done on the signer's certificate. +=head1 SEE ALSO + +L<ossl_store-file(7)> + =head1 HISTORY The use of multiple B<-signer> options and the B<-resign> command were first diff --git a/doc/man1/openssl-crl.pod.in b/doc/man1/openssl-crl.pod.in index 7441de446c..829c2a7235 100644 --- a/doc/man1/openssl-crl.pod.in +++ b/doc/man1/openssl-crl.pod.in @@ -120,7 +120,8 @@ and files too. L<openssl(1)>, L<openssl-crl2pkcs7(1)>, L<openssl-ca(1)>, -L<openssl-x509(1)> +L<openssl-x509(1)>, +L<ossl_store-file(7)> =head1 COPYRIGHT diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in index a3358e724a..e1634301a2 100644 --- a/doc/man1/openssl-ocsp.pod.in +++ b/doc/man1/openssl-ocsp.pod.in @@ -395,9 +395,9 @@ the OCSP request checked using the responder certificate's public key. Then a normal certificate verify is performed on the OCSP responder certificate building up a certificate chain in the process. The locations of the trusted -certificates used to build the chain can be specified by the B<-CAfile> -and B<-CApath> options or they will be looked for in the standard OpenSSL -certificates directory. +certificates used to build the chain can be specified by the B<-CAfile>, +B<-CApath> or B<-CAstore> options or they will be looked for in the +standard OpenSSL certificates directory. If the initial verify fails then the OCSP verify process halts with an error. 
@@ -432,8 +432,8 @@ with the B<-VAfile> option. =head1 NOTES As noted, most of the verify options are for testing or debugging purposes. -Normally only the B<-CApath>, B<-CAfile> and (if the responder is a 'global -VA') B<-VAfile> options need to be used. +Normally only the B<-CApath>, B<-CAfile>, B<-CAstore> and (if the responder +is a 'global VA') B<-VAfile> options need to be used. The OCSP server is only useful for test and demonstration purposes: it is not really usable as a full OCSP responder. It contains only a very diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index 09b75111db..3eef9dc856 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -338,7 +338,8 @@ Include some extra certificates: =head1 SEE ALSO L<openssl(1)>, -L<openssl-pkcs8(1)> +L<openssl-pkcs8(1)>, +L<ossl_store-file(7)> =head1 COPYRIGHT diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 9752407a82..005e12ab2d 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -35,6 +35,7 @@ B<openssl> B<s_client> [B<-pass> I<arg>] [B<-chainCApath> I<directory>] [B<-chainCAfile> I<filename>] +[B<-chainCAstore> I<uri>] [B<-requestCAfile> I<filename>] [B<-dane_tlsa_domain> I<domain>] [B<-dane_tlsa_rrdata> I<rrdata>] @@ -303,6 +304,10 @@ information. A file containing trusted certificates to use when attempting to build the client certificate chain. +=item B<-chainCAstore> I<uri> + +The URI to use when attempting to build the client certificate chain. + =item B<-requestCAfile> I<file> A file containing a list of certificates whose subject names will be sent @@ -807,7 +812,8 @@ L<openssl-ciphers(1)>, L<SSL_CONF_cmd(3)>, L<SSL_CTX_set_max_send_fragment(3)>, L<SSL_CTX_set_split_send_fragment(3)>, -L<SSL_CTX_set_max_pipelines(3)> +L<SSL_CTX_set_max_pipelines(3)>, +L<ossl_store-file(7)> =head1 HISTORY 
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index 638516695f..9e1c1d3e0e 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -61,6 +61,8 @@ B<openssl> B<s_server> [B<-dcert_chain> I<infile>] [B<-chainCApath> I<dir>] [B<-verifyCApath> I<dir>] +[B<-chainCAstore> I<uri>] +[B<-verifyCAstore> I<uri>] [B<-no_cache>] [B<-ext_cache>] [B<-verify_return_error>] @@ -369,6 +371,16 @@ information. A file containing trusted certificates to use when attempting to build the server certificate chain. +=item B<-chainCAstore> I<uri> + +The URI to a store to use for building the chain provided to the client. +The URI may indicate a single certificate, as well as a collection of +them. +With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or +B<-chainCApath>, depending on if the URI indicates a directory or a +single file. +See L<ossl_store-file(7)> for more information on the C<file:> scheme. + =item B<-nocert> If this option is set then no certificate is used. This restricts the @@ -810,7 +822,8 @@ L<openssl-ciphers(1)>, L<SSL_CONF_cmd(3)>, L<SSL_CTX_set_max_send_fragment(3)>, L<SSL_CTX_set_split_send_fragment(3)>, -L<SSL_CTX_set_max_pipelines(3)> +L<SSL_CTX_set_max_pipelines(3)>, +L<ossl_store-file(7)> =head1 HISTORY diff --git a/doc/man1/openssl-s_time.pod.in b/doc/man1/openssl-s_time.pod.in index 737424da87..18e243146e 100644 --- a/doc/man1/openssl-s_time.pod.in +++ b/doc/man1/openssl-s_time.pod.in 
@@ -87,12 +87,6 @@ I<option> argument can be a single option or multiple options separated by commas. Alternatively the B<-nameopt> switch may be used more than once to set multiple options. See the L<openssl-x509(1)> manual page for details. -=item B<-CApath> I<directory> - -The directory to use for server certificate verification. This directory -must be in "hash format", see L<openssl-verify(1)> for more information. -These are also used when building the client certificate chain. - =item B<-new> Performs the timing test using a new session ID for each connection. @@ -193,7 +187,8 @@ fails. L<openssl(1)>, L<openssl-s_client(1)>, L<openssl-s_server(1)>, -L<openssl-ciphers(1)> +L<openssl-ciphers(1)>, +L<ossl_store-file(7)> =head1 COPYRIGHT diff --git a/doc/man1/openssl-smime.pod.in b/doc/man1/openssl-smime.pod.in index 4e07af3860..0f1c9bdf00 100644 --- a/doc/man1/openssl-smime.pod.in +++ b/doc/man1/openssl-smime.pod.in @@ -479,6 +479,10 @@ No revocation checking is done on the signer's certificate. The current code can only handle S/MIME v2 messages, the more complex S/MIME v3 structures may cause parsing errors. +=head1 SEE ALSO + +L<ossl_store-file(7)> + =head1 HISTORY The use of multiple B<-signer> options and the B<-resign> command were first diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in index d9354b2ab7..035763260d 100644 --- a/doc/man1/openssl-ts.pod.in +++ b/doc/man1/openssl-ts.pod.in @@ -52,6 +52,7 @@ B<-verify> [B<-token_in>] [B<-CApath> I<trusted_cert_path>] [B<-CAfile> I<trusted_certs.pem>] +[B<-CAstore> I<trusted_certs_uri>] [B<-untrusted> I<cert_file.pem>] [I<verify options>] 
@@ -352,10 +353,12 @@ This flag can be used together with the B<-in> option and indicates that the input is a DER encoded timestamp token (ContentInfo) instead of a timestamp response (TimeStampResp). (Optional) -=item B<-CAfile> I<file>, B<-CApath> I<dir> +=item B<-CAfile> I<file>, B<-CApath> I<dir>, B<-CAstore> I<uri> See L<openssl(1)/Trusted Certificate Options> for more information. +At least one of B<-CApath>, B<-CAfile> or B<-CAstore> must be specified. + =item B<-untrusted> I<cert_file.pem> Set of additional untrusted certificates in PEM format which may be @@ -649,7 +652,8 @@ L<openssl-req(1)>, L<openssl-x509(1)>, L<openssl-ca(1)>, L<openssl-genrsa(1)>, -L<config(5)> +L<config(5)>, +L<ossl_store-file(7)> =head1 COPYRIGHT diff --git a/doc/man1/openssl-verify.pod.in b/doc/man1/openssl-verify.pod.in index 72ef98cc85..9a92cb6f32 100644 --- a/doc/man1/openssl-verify.pod.in +++ b/doc/man1/openssl-verify.pod.in @@ -190,8 +190,8 @@ P-256 and P-384. =item B<-trusted_first> When constructing the certificate chain, use the trusted certificates specified -via B<-CAfile>, B<-CApath> or B<-trusted> before any certificates specified via -B<-untrusted>. +via B<-CAfile>, B<-CApath>, B<-CAstore> or B<-trusted> before any certificates +specified via B<-untrusted>. This can be useful in environments with Bridge or Cross-Certified CAs. As of OpenSSL 1.1.0 this option is on by default and cannot be disabled. @@ -222,9 +222,9 @@ consulted. That is, the only trust-anchors are those listed in I<file>. This option can be specified more than once to include trusted certificates from multiple I<file>s. -This option implies the B<-no-CAfile> and B<-no-CApath> options. -This option cannot be used in combination with either of the B<-CAfile> or -B<-CApath> options. +This option implies the B<-no-CAfile>, B<-no-CApath> and B<-no-CAstore> options. +This option cannot be used in combination with any of the B<-CAfile>, +B<-CApath> or B<-CAstore> options. =item B<-use_deltas> 
@@ -743,8 +743,9 @@ Although the issuer checks are a considerable improvement over the old technique they still suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that trusted certificates with matching subject name must either appear in a file (as specified by the B<-CAfile> -option) or a directory (as specified by B<-CApath>). If they occur in -both then only the certificates in the file will be recognised. +option), a directory (as specified by B<-CApath>), or a store (as specified +by B<-CAstore>). If they occur in more than one location then only the +certificates in the file will be recognised. Previous versions of OpenSSL assume certificates with matching subject name are identical and mishandled them. @@ -756,7 +757,8 @@ B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes. =head1 SEE ALSO L<openssl(1)>, -L<openssl-x509(1)> +L<openssl-x509(1)>, +L<ossl_store-file(7)> =head1 HISTORY diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index 3198f90e22..e13a6969b7 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -700,6 +700,23 @@ See L<openssl-rehash(1)> for information on creating this type of directory. Do not use the default directory of trusted certificates. +=item B<-CAstore> I<uri> + +Use I<uri> as a store of trusted CA certificates. The URI may +indicate a single certificate, as well as a collection of them. +With URIs in the C<file:> scheme, this acts as B<-CAfile> or +B<-CApath>, depending on if the URI indicates a single file or +directory. +See L<ossl_store-file(7)> for more information on the C<file:> scheme. + +These certificates are also used when building the server certificate +chain (for example with L<openssl-s_server(1)>) or client certificate +chain (for example with L<openssl-s_time(1)>). + +=item B<-no-CAstore> + +Do not use the default store. + =back =head2 Random State Options diff --git a/doc/perlvars.pm b/doc/perlvars.pm index ca62ca5ce9..da61f77897 100644 
--- a/doc/perlvars.pm +++ b/doc/perlvars.pm @@ -82,9 +82,12 @@ $OpenSSL::safe::opt_trust_synopsis = "" . "[B<-CAfile> I<file>]\n" . "[B<-no-CAfile>]\n" . "[B<-CApath> I<dir>]\n" -. "[B<-no-CApath>]"; +. "[B<-no-CApath>]\n" +. "[B<-CAstore> I<uri>]\n" +. "[B<-no-CAstore>]"; $OpenSSL::safe::opt_trust_item = "" -. "=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>\n" +. "=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>,\n" +. "B<-CAstore> I<uri>, B<-no-CAstore>\n" . "\n" . "See L<openssl(1)/Trusted Certificate Options> for details."; |
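Review bot: the new SEE ALSO section in the openssl-cms hunk (@@ -736,6 +736,10) contains only L<ossl_store-file(7)>, which reads as an orphan entry on a page that documents a command rather than the store API; the identical openssl-smime hunk (@@ -479,6 +479,10) has the same issue. Suggest listing L<openssl(1)> first, as every other SEE ALSO section touched by this patch does, so the reference to the file: scheme has some context.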
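Review bot: the B<-chainCAstore> item added in the openssl-s_client hunk (@@ -303,6 +304,10) is underspecified: "The URI to use when attempting to build the client certificate chain." says neither what the URI must point at nor how C<file:> URIs are interpreted, whereas the matching B<-chainCAstore> item in the openssl-s_server hunk spells out that the URI may indicate a single certificate or a collection and behaves like B<-chainCAfile> or B<-chainCApath> for the C<file:> scheme. Suggest reusing that wording here, including the closing "See L<ossl_store-file(7)> for more information on the C<file:> scheme."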
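Review bot: the openssl-s_time hunk (@@ -87,12 +87,6) deletes the whole B<-CApath> item without adding a replacement on that page. This is only correct if openssl-s_time.pod.in already pulls in the shared $OpenSSL::safe::opt_trust_item text from doc/perlvars.pm; that include is not visible in this diff, so please confirm it, otherwise B<-CApath> and the new B<-CAstore> end up undocumented for s_time. The removed sentence about the directory also being used when building the client certificate chain does survive, relocated into the openssl.pod hunk, so no information is lost there.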
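Review bot: in the openssl-verify hunk (@@ -743,8 +743,9) the sentence "If they occur in more than one location then only the certificates in the file will be recognised." no longer specifies the behaviour completely: with three possible sources it does not say which copy is used when the duplicates are in the directory and the store but not in the file. Please state the full precedence order (for example "the file, then the directory, then the store", if that is what the underlying X509_LOOKUP ordering actually gives) so the reader can predict the outcome for every combination.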
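Review bot: two wording points in the openssl.pod hunk (@@ -700,6 +700,23). "depending on if the URI indicates a single file or directory" should read "depending on whether the URI indicates a single file or a directory"; the same "depending on if" phrasing appears in the B<-chainCAstore> item of the openssl-s_server hunk. And "Do not use the default store." under B<-no-CAstore> is vaguer than the neighbouring B<-no-CApath> text "Do not use the default directory of trusted certificates."; suggest "Do not use the default store of trusted certificates." and, if a default store URI exists, naming it here the way the file and directory defaults are described. Finally, L<openssl-s_time(1)> is an unusual sole example of building a client certificate chain; consider naming L<openssl-s_client(1)> alongside it.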