From: Matt Caswell Date: Thu, 13 Jan 2022 15:16:39 +0000 (+0000) Subject: Document purpose and trust setting functions X-Git-Tag: openssl-3.2.0-alpha1~3014 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7b75b973fbd9087714daa19e07bb92b2101eba28;p=thirdparty%2Fopenssl.git Document purpose and trust setting functions In particular: X509_STORE_CTX_set_purpose() X509_STORE_CTX_set_trust(); X509_STORE_CTX_purpose_inherit(); Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/17382) --- diff --git a/doc/man3/X509_STORE_CTX_new.pod b/doc/man3/X509_STORE_CTX_new.pod index 56a36bfecdc..3bf964e802f 100644 --- a/doc/man3/X509_STORE_CTX_new.pod +++ b/doc/man3/X509_STORE_CTX_new.pod @@ -11,7 +11,10 @@ X509_STORE_CTX_get_num_untrusted, X509_STORE_CTX_get0_chain, X509_STORE_CTX_set0_verified_chain, X509_STORE_CTX_set_default, X509_STORE_CTX_set_verify, -X509_STORE_CTX_verify_fn +X509_STORE_CTX_verify_fn, +X509_STORE_CTX_set_purpose, +X509_STORE_CTX_set_trust, +X509_STORE_CTX_purpose_inherit - X509_STORE_CTX initialisation =head1 SYNOPSIS @@ -45,6 +48,11 @@ X509_STORE_CTX_verify_fn typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *); void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify); + int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); + int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust); + int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, + int purpose, int trust); + =head1 DESCRIPTION These functions initialise an B structure for subsequent use @@ -155,6 +163,65 @@ following signature: This function should receive the current X509_STORE_CTX as a parameter and return 1 on success or 0 on failure. +X509 certificates may contain information about what purposes keys contained +within them can be used for. For example "TLS WWW Server Authentication" or +"Email Protection". This "key usage" information is held internally to the +certificate itself. In addition the trust store containing trusted certificates +can declare what purposes we trust different certificates for. This "trust" +information is not held within the certificate itself but is "meta" information +held alongside it. This "meta" information is associated with the certificate +after it is issued and could be determined by a system administrator. For +example a certificate might declare that it is suitable for use for both +"TLS WWW Server Authentication" and "TLS Client Authentication", but a system +administrator might only trust it for the former. An X.509 certificate extension +exists that can record extended key usage information to supplement the purpose +information described above. This extended mechanism is arbitrarily extensible +and not well suited for a generic library API; applications that need to +validate extended key usage information in certifiates will need to define a +custom "purpose" (see below) or supply a nondefault verification callback +(L). + +X509_STORE_CTX_set_purpose() sets the purpose for the target certificate being +verified in the I. Built-in available values for the I argument +are B, B, +B, B, +B, B, B, +B and B. It is also +possible to create a custom purpose value. Setting a purpose will ensure that +the key usage declared within certificates in the chain being verified is +consistent with that purpose as well as, potentially, other checks. Every +purpose also has an associated default trust value which will also be set at the +same time. During verification this trust setting will be verified to check it +is consistent with the trust set by the system administrator for certificates in +the chain. + +X509_STORE_CTX_set_trust() sets the trust value for the target certificate +being verified in the I. Built-in available values for the I +argument are B, B, +B, B, B, +B, B and B. It is +also possible to create a custom trust value. Since X509_STORE_CTX_set_purpose() +also sets the trust value it is normally sufficient to only call that function. +If both are called then X509_STORE_CTX_set_trust() should be called after +X509_STORE_CTX_set_purpose() since the trust setting of the last call will be +used. + +It should not normally be necessary for end user applications to call +X509_STORE_CTX_purpose_inherit() directly. Typically applications should call +X509_STORE_CTX_set_purpose() or X509_STORE_CTX_set_trust() instead. Using this +function it is possible to set the purpose and trust values for the I at +the same time. The I and I arguments can have the same +purpose values as described for X509_STORE_CTX_set_purpose() above. The I +argument can have the same trust values as described in +X509_STORE_CTX_set_trust() above. Any of the I, I or +I values may also have the value 0 to indicate that the supplied +parameter should be ignored. After calling this function the purpose to be used +for verification is set from the I argument, and the trust is set from +the I argument. If I is 0 then the trust value will be set from +the default trust value for I. If the default trust value for the +purpose is I and I is 0 then the default trust value +associated with the I value is used for the trust setting instead. + =head1 NOTES The certificates and CRLs in a store are used internally and should B diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt index f883219f6c1..b61bdeb8805 100644 --- a/util/missingcrypto.txt +++ b/util/missingcrypto.txt @@ -1277,13 +1277,10 @@ X509_STORE_CTX_get1_crls(3) X509_STORE_CTX_get_by_subject(3) X509_STORE_CTX_get_explicit_policy(3) X509_STORE_CTX_get_obj_by_subject(3) -X509_STORE_CTX_purpose_inherit(3) X509_STORE_CTX_set0_dane(3) X509_STORE_CTX_set_depth(3) X509_STORE_CTX_set_flags(3) -X509_STORE_CTX_set_purpose(3) X509_STORE_CTX_set_time(3) -X509_STORE_CTX_set_trust(3) X509_STORE_get_verify(3) X509_TRUST_add(3) X509_TRUST_cleanup(3)