diff options
author | Lutz Jaenicke <ljaenicke@phoenixcontact.com> | 2021-10-14 15:24:18 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-08-18 10:24:53 +0200 |
commit | 178696d6020878361a088086243d56203e0beaa9 (patch) | |
tree | 4f48ea1960042b738a6c463c9f4506156f33bf19 /doc | |
parent | 1a68a3e42142a2c188f4b69c7337438c89502143 (diff) |
X509: Add "code sign" as purpose for verification of certificates
Code signing certificates have other properties as for example described in
CA Browser Forum documents. This leads to "unsupported certificate purpose" errors when
verifying signed objects.
This patch adds the purpose "codesign" to the table in X.509 certificate verification and
the verification parameter "code_sign" to X509_VERIFY_PARAM.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man1/openssl-verification-options.pod | 2 | ||||
-rw-r--r-- | doc/man3/X509_STORE_CTX_new.pod | 3 | ||||
-rw-r--r-- | doc/man3/X509_check_purpose.pod | 1 |
3 files changed, 4 insertions, 2 deletions
diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod index 6888d5244f..57b29dc583 100644 --- a/doc/man1/openssl-verification-options.pod +++ b/doc/man1/openssl-verification-options.pod @@ -458,7 +458,7 @@ Set policy variable inhibit-policy-mapping (see RFC5280). The intended use for the certificate. Currently defined purposes are C<sslclient>, C<sslserver>, C<nssslserver>, C<smimesign>, C<smimeencrypt>, C<crlsign>, C<ocsphelper>, C<timestampsign>, -and C<any>. +C<codesign> and C<any>. If peer certificate verification is enabled, by default the TLS implementation as well as the commands B<s_client> and B<s_server> check for consistency with TLS server or TLS client use, respectively. diff --git a/doc/man3/X509_STORE_CTX_new.pod b/doc/man3/X509_STORE_CTX_new.pod index 2996a34eb6..72f60093d7 100644 --- a/doc/man3/X509_STORE_CTX_new.pod +++ b/doc/man3/X509_STORE_CTX_new.pod @@ -187,7 +187,8 @@ verified in the I<ctx>. Built-in available values for the I<purpose> argument are B<X509_PURPOSE_SSL_CLIENT>, B<X509_PURPOSE_SSL_SERVER>, B<X509_PURPOSE_NS_SSL_SERVER>, B<X509_PURPOSE_SMIME_SIGN>, B<X509_PURPOSE_SMIME_ENCRYPT>, B<X509_PURPOSE_CRL_SIGN>, B<X509_PURPOSE_ANY>, -B<X509_PURPOSE_OCSP_HELPER> and B<X509_PURPOSE_TIMESTAMP_SIGN>. It is also +B<X509_PURPOSE_OCSP_HELPER>, B<X509_PURPOSE_TIMESTAMP_SIGN> and +B<X509_PURPOSE_CODE_SIGN>. It is also possible to create a custom purpose value. Setting a purpose will ensure that the key usage declared within certificates in the chain being verified is consistent with that purpose as well as, potentially, other checks. Every diff --git a/doc/man3/X509_check_purpose.pod b/doc/man3/X509_check_purpose.pod index a3cfb78d61..4331cfad92 100644 --- a/doc/man3/X509_check_purpose.pod +++ b/doc/man3/X509_check_purpose.pod @@ -29,6 +29,7 @@ Below are the potential ID's that can be checked: # define X509_PURPOSE_ANY 7 # define X509_PURPOSE_OCSP_HELPER 8 # define X509_PURPOSE_TIMESTAMP_SIGN 9 + # define X509_PURPOSE_CODE_SIGN 10 The checks performed take into account the X.509 extensions keyUsage, extendedKeyUsage, and basicConstraints. |