author: Lutz Jaenicke <ljaenicke@phoenixcontact.com> 2021-10-14 15:24:18 +0200
committer: Tomas Mraz <tomas@openssl.org> 2022-08-18 10:24:53 +0200
commit: 178696d6020878361a088086243d56203e0beaa9
tree: 4f48ea1960042b738a6c463c9f4506156f33bf19 /doc
parent: 1a68a3e42142a2c188f4b69c7337438c89502143
X509: Add "code sign" as purpose for verification of certificates

Code signing certificates have other properties as for example described in CA Browser Forum documents. This leads to "unsupported certificate purpose" errors when verifying signed objects.

This patch adds the purpose "codesign" to the table in X.509 certificate verification and the verification parameter "code_sign" to X509_VERIFY_PARAM.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)

Diffstat (limited to 'doc')
-rw-r--r-- doc/man1/openssl-verification-options.pod | 2
-rw-r--r-- doc/man3/X509_STORE_CTX_new.pod | 3
-rw-r--r-- doc/man3/X509_check_purpose.pod | 1
3 files changed, 4 insertions, 2 deletions
diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod
index 6888d5244f..57b29dc583 100644
--- a/doc/man1/openssl-verification-options.pod
+++ b/doc/man1/openssl-verification-options.pod
@@ -458,7 +458,7 @@ Set policy variable inhibit-policy-mapping (see RFC5280).
The intended use for the certificate.
Currently defined purposes are C<sslclient>, C<sslserver>, C<nssslserver>,
C<smimesign>, C<smimeencrypt>, C<crlsign>, C<ocsphelper>, C<timestampsign>,
-and C<any>.
+C<codesign> and C<any>.
If peer certificate verification is enabled, by default the TLS implementation
as well as the commands B<s_client> and B<s_server> check for consistency
with TLS server or TLS client use, respectively.
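Review bot: The added C<codesign> entry in the purpose list comes with no description of what the purpose enforces; the context that follows only covers the TLS client and server defaults. The commit message says code signing certificates have other properties, so a short sentence here (or a pointer to the page that defines the purpose checks) stating which extensions C<codesign> requires or rejects would tell users of the option what a successful verification means. Minor style point: the old text ended with ", and C<any>" while the new line reads "C<codesign> and C<any>", which drops the comma before "and".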
diff --git a/doc/man3/X509_STORE_CTX_new.pod b/doc/man3/X509_STORE_CTX_new.pod
index 2996a34eb6..72f60093d7 100644
--- a/doc/man3/X509_STORE_CTX_new.pod
+++ b/doc/man3/X509_STORE_CTX_new.pod
@@ -187,7 +187,8 @@ verified in the I<ctx>. Built-in available values for the I<purpose> argument
are B<X509_PURPOSE_SSL_CLIENT>, B<X509_PURPOSE_SSL_SERVER>,
B<X509_PURPOSE_NS_SSL_SERVER>, B<X509_PURPOSE_SMIME_SIGN>,
B<X509_PURPOSE_SMIME_ENCRYPT>, B<X509_PURPOSE_CRL_SIGN>, B<X509_PURPOSE_ANY>,
-B<X509_PURPOSE_OCSP_HELPER> and B<X509_PURPOSE_TIMESTAMP_SIGN>. It is also
+B<X509_PURPOSE_OCSP_HELPER>, B<X509_PURPOSE_TIMESTAMP_SIGN> and
+B<X509_PURPOSE_CODE_SIGN>. It is also
possible to create a custom purpose value. Setting a purpose will ensure that
the key usage declared within certificates in the chain being verified is
consistent with that purpose as well as, potentially, other checks. Every
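Review bot: On the added B<X509_PURPOSE_CODE_SIGN> line, the names are not tied together: the commit message describes a purpose "codesign" and a verification parameter "code_sign" for X509_VERIFY_PARAM, yet none of the three doc hunks mentions "code_sign". Please document that name where it is accepted, or state here which name maps to B<X509_PURPOSE_CODE_SIGN>. The split also leaves a short line ending in "It is also"; re-wrapping the paragraph would keep the POD source tidy.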
diff --git a/doc/man3/X509_check_purpose.pod b/doc/man3/X509_check_purpose.pod
index a3cfb78d61..4331cfad92 100644
--- a/doc/man3/X509_check_purpose.pod
+++ b/doc/man3/X509_check_purpose.pod
@@ -29,6 +29,7 @@ Below are the potential ID's that can be checked:
# define X509_PURPOSE_ANY 7
# define X509_PURPOSE_OCSP_HELPER 8
# define X509_PURPOSE_TIMESTAMP_SIGN 9
+ # define X509_PURPOSE_CODE_SIGN 10
The checks performed take into account the X.509 extensions
keyUsage, extendedKeyUsage, and basicConstraints.
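Review bot: The new define X509_PURPOSE_CODE_SIGN 10 is added to the ID list without any note of when it became available. The diffstat for doc reports 4 insertions, all of them accounted for by the added lines in these three hunks, so no HISTORY entry was added; one line naming the release that introduced the constant would help callers that still build against older headers. The sentence after the list names keyUsage, extendedKeyUsage, and basicConstraints only in general terms, so consider saying which of them the code signing purpose inspects.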