Diffstat (limited to 'doc/man3/X509_verify.pod')
-rw-r--r-- | doc/man3/X509_verify.pod | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/doc/man3/X509_verify.pod b/doc/man3/X509_verify.pod index a1ed4d32fe..e0028473a2 100644 --- a/doc/man3/X509_verify.pod +++ b/doc/man3/X509_verify.pod @@ -2,7 +2,7 @@ =head1 NAME -X509_verify_ex, X509_verify, +X509_verify_ex, X509_verify, X509_self_signed, X509_REQ_verify_ex, X509_REQ_verify, X509_CRL_verify - verify certificate, certificate request, or CRL signature @@ -14,6 +14,7 @@ verify certificate, certificate request, or CRL signature int X509_verify_ex(X509 *x, EVP_PKEY *pkey, OPENSSL_CTX *libctx, const char *propq); int X509_verify(X509 *x, EVP_PKEY *pkey); + int X509_self_signed(X509 *cert, int verify_signature); int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *pkey, OPENSSL_CTX *libctx, const char *propq); @@ -31,6 +32,12 @@ no other checks (such as certificate chain validity) are performed. X509_verify() is the same as X509_verify_ex() except that the default library context and property query string are used. +X509_self_signed() checks whether a certificate is self-signed. +For success the issuer and subject names must match, the components of the +authority key identifier (if present) must match the subject key identifier etc. +The signature itself is actually verified only if B<verify_signature> is 1, as +for explicitly trusted certificates this verification is not worth the effort. + X509_REQ_verify_ex(), X509_REQ_verify() and X509_CRL_verify() verify the signatures of certificate requests and CRLs, respectively. @@ -42,6 +49,9 @@ return 1 if the signature is valid and 0 if the signature check fails. If the signature could not be checked at all because it was ill-formed or some other error occurred then -1 is returned. +X509_self_signed() returns the same values but also returns 1 +if all respective fields match and B<verify_signature> is 0. + =head1 SEE ALSO L<d2i_X509(3)>, 
@@ -65,7 +75,7 @@ L<OPENSSL_CTX(3)> The X509_verify(), X509_REQ_verify(), and X509_CRL_verify() functions are available in all versions of OpenSSL. -X509_verify_ex() and X509_REQ_verify_ex() +X509_verify_ex(), X509_REQ_verify_ex(), and X509_self_signed() were added in OpenSSL 3.0. =head1 COPYRIGHT |