diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2019-12-28 12:33:12 +0100 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-07-01 11:14:54 +0200 |
commit | 0d8dbb52e3900fdd096ca1765137958340fb8497 (patch) | |
tree | f9cb418c313f4b175c5dffe5a83cc86f1b62bf69 /doc | |
parent | 4cec750c2f08faa7f7cdfcfa02fc4264d3c2ac95 (diff) |
Add X509_self_signed(), extending and improving documenation and tests
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/internal/man3/ossl_cmp_sk_X509_add1_cert.pod | 8 | ||||
-rw-r--r-- | doc/man3/X509_check_issued.pod | 2 | ||||
-rw-r--r-- | doc/man3/X509_verify.pod | 14 |
3 files changed, 17 insertions, 7 deletions
diff --git a/doc/internal/man3/ossl_cmp_sk_X509_add1_cert.pod b/doc/internal/man3/ossl_cmp_sk_X509_add1_cert.pod index d8f617f55c..289428878e 100644 --- a/doc/internal/man3/ossl_cmp_sk_X509_add1_cert.pod +++ b/doc/internal/man3/ossl_cmp_sk_X509_add1_cert.pod @@ -15,9 +15,9 @@ ossl_cmp_X509_STORE_get1_certs int ossl_cmp_sk_X509_add1_cert(STACK_OF(X509) *sk, X509 *cert, int no_dup, int prepend); int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, - int no_self_issued, int no_dups, int prepend); + int no_self_signed, int no_dups, int prepend); int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs, - int only_self_issued); + int only_self_signed); STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store); =head1 DESCRIPTION @@ -29,10 +29,10 @@ On success the reference count of the certificate is increased. ossl_cmp_sk_X509_add1_certs() appends or prepends (depending on the I<prepend> argument) a list of certificates to the given list, -optionally only if not self-issued and optionally only if not already contained. +optionally only if not self-signed and optionally only if not already contained. The reference counts of those certificates appended successfully are increased. -ossl_cmp_X509_STORE_add1_certs() adds all or only self-issued certificates from +ossl_cmp_X509_STORE_add1_certs() adds all or only self-signed certificates from the given stack to given store. The I<certs> parameter may be NULL. ossl_cmp_X509_STORE_get1_certs() retrieves a copy of all certificates in the diff --git a/doc/man3/X509_check_issued.pod b/doc/man3/X509_check_issued.pod index cc98541bba..0aedefa459 100644 --- a/doc/man3/X509_check_issued.pod +++ b/doc/man3/X509_check_issued.pod @@ -31,7 +31,7 @@ or some B<X509_V_ERR*> constant to indicate an error. =head1 SEE ALSO L<X509_verify_cert(3)>, L<X509_verify(3)>, L<X509_check_ca(3)>, -L<openssl-verify(1)> +L<openssl-verify(1)>, L<X509_self_signed(3)> =head1 COPYRIGHT diff --git a/doc/man3/X509_verify.pod b/doc/man3/X509_verify.pod index a1ed4d32fe..e0028473a2 100644 --- a/doc/man3/X509_verify.pod +++ b/doc/man3/X509_verify.pod @@ -2,7 +2,7 @@ =head1 NAME -X509_verify_ex, X509_verify, +X509_verify_ex, X509_verify, X509_self_signed, X509_REQ_verify_ex, X509_REQ_verify, X509_CRL_verify - verify certificate, certificate request, or CRL signature @@ -14,6 +14,7 @@ verify certificate, certificate request, or CRL signature int X509_verify_ex(X509 *x, EVP_PKEY *pkey, OPENSSL_CTX *libctx, const char *propq); int X509_verify(X509 *x, EVP_PKEY *pkey); + int X509_self_signed(X509 *cert, int verify_signature); int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *pkey, OPENSSL_CTX *libctx, const char *propq); @@ -31,6 +32,12 @@ no other checks (such as certificate chain validity) are performed. X509_verify() is the same as X509_verify_ex() except that the default library context and property query string are used. +X509_self_signed() checks whether a certificate is self-signed. +For success the issuer and subject names must match, the components of the +authority key identifier (if present) must match the subject key identifier etc. +The signature itself is actually verified only if B<verify_signature> is 1, as +for explicitly trusted certificates this verification is not worth the effort. + X509_REQ_verify_ex(), X509_REQ_verify() and X509_CRL_verify() verify the signatures of certificate requests and CRLs, respectively. @@ -42,6 +49,9 @@ return 1 if the signature is valid and 0 if the signature check fails. If the signature could not be checked at all because it was ill-formed or some other error occurred then -1 is returned. +X509_self_signed() returns the same values but also returns 1 +if all respective fields match and B<verify_signature> is 0. + =head1 SEE ALSO L<d2i_X509(3)>, @@ -65,7 +75,7 @@ L<OPENSSL_CTX(3)> The X509_verify(), X509_REQ_verify(), and X509_CRL_verify() functions are available in all versions of OpenSSL. -X509_verify_ex() and X509_REQ_verify_ex() +X509_verify_ex(), X509_REQ_verify_ex(), and X509_self_signed() were added in OpenSSL 3.0. =head1 COPYRIGHT |