Diffstat (limited to 'doc/man3/X509_verify.pod')
-rw-r--r--doc/man3/X509_verify.pod14
1 files changed, 12 insertions, 2 deletions
diff --git a/doc/man3/X509_verify.pod b/doc/man3/X509_verify.pod
index a1ed4d32fe..e0028473a2 100644
--- a/doc/man3/X509_verify.pod
+++ b/doc/man3/X509_verify.pod
@@ -2,7 +2,7 @@
=head1 NAME
-X509_verify_ex, X509_verify,
+X509_verify_ex, X509_verify, X509_self_signed,
X509_REQ_verify_ex, X509_REQ_verify,
X509_CRL_verify -
verify certificate, certificate request, or CRL signature
@@ -14,6 +14,7 @@ verify certificate, certificate request, or CRL signature
int X509_verify_ex(X509 *x, EVP_PKEY *pkey,
OPENSSL_CTX *libctx, const char *propq);
int X509_verify(X509 *x, EVP_PKEY *pkey);
+ int X509_self_signed(X509 *cert, int verify_signature);
int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *pkey,
OPENSSL_CTX *libctx, const char *propq);
@@ -31,6 +32,12 @@ no other checks (such as certificate chain validity) are performed.
X509_verify() is the same as X509_verify_ex() except that the default library
context and property query string are used.
+X509_self_signed() checks whether a certificate is self-signed.
+For success the issuer and subject names must match, the components of the
+authority key identifier (if present) must match the subject key identifier etc.
+The signature itself is actually verified only if B<verify_signature> is 1, as
+for explicitly trusted certificates this verification is not worth the effort.
+
X509_REQ_verify_ex(), X509_REQ_verify() and X509_CRL_verify()
verify the signatures of certificate requests and CRLs, respectively.
@@ -42,6 +49,9 @@ return 1 if the signature is valid and 0 if the signature check fails.
If the signature could not be checked at all because it was ill-formed
or some other error occurred then -1 is returned.
+X509_self_signed() returns the same values but also returns 1
+if all respective fields match and B<verify_signature> is 0.
+
=head1 SEE ALSO
L<d2i_X509(3)>,
@@ -65,7 +75,7 @@ L<OPENSSL_CTX(3)>
The X509_verify(), X509_REQ_verify(), and X509_CRL_verify()
functions are available in all versions of OpenSSL.
-X509_verify_ex() and X509_REQ_verify_ex()
+X509_verify_ex(), X509_REQ_verify_ex(), and X509_self_signed()
were added in OpenSSL 3.0.
=head1 COPYRIGHT