[openssl-commits] [openssl] master update

Dr. Stephen Henson steve at openssl.org
Tue Sep 22 12:46:13 UTC 2015


The branch master has been updated
       via  035014cd22c502bca93c73e6475da73ee31f1078 (commit)
       via  dd332cea9f709721e72b72fd73eda959c6f5c4bd (commit)
       via  047dd81efe47b9185fef7f1d35d0a1006b0c2cb6 (commit)
       via  d8db9a0df5d742aa8f21d611e1df9072ecf0450e (commit)
       via  73a7e8de174f16eee869f39c26ad57462dd9bf61 (commit)
       via  94eae38011ce0ce53bce0aef41d25620713662ef (commit)
       via  e7fabc5ea5b9c93f664594e2ac7eed57ecf1384c (commit)
       via  5571ea886feed75365841ed45a261beb92e54e72 (commit)
       via  5f74a405407860f565748857d789c90ddf834043 (commit)
      from  7880e14318bda992e5f89077bce7f965f4840262 (commit)


- Log -----------------------------------------------------------------
commit 035014cd22c502bca93c73e6475da73ee31f1078
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Sep 21 21:25:52 2015 +0100

    Update SEE ALSO sections.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit dd332cea9f709721e72b72fd73eda959c6f5c4bd
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Sep 21 13:03:42 2015 +0100

    Document signature accessors.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 047dd81efe47b9185fef7f1d35d0a1006b0c2cb6
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Jul 4 23:03:17 2014 +0100

    Extension parsing and encoding docs.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit d8db9a0df5d742aa8f21d611e1df9072ecf0450e
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Sep 18 20:51:02 2015 +0100

    Document i2d_re_X509_REQ_tbs() and i2d_re_X509_CRL_tbs().
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 73a7e8de174f16eee869f39c26ad57462dd9bf61
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed Sep 9 22:07:24 2015 +0100

    Document X509_REVOKED functions.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 94eae38011ce0ce53bce0aef41d25620713662ef
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Sep 7 14:27:58 2015 +0100

    Document X509 sign and verify functions.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit e7fabc5ea5b9c93f664594e2ac7eed57ecf1384c
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Sep 7 13:41:20 2015 +0100

    Document X509 public key functions.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 5571ea886feed75365841ed45a261beb92e54e72
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sun Sep 6 13:43:23 2015 +0100

    Document X509 name get and set functions.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 5f74a405407860f565748857d789c90ddf834043
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sun Sep 6 12:48:22 2015 +0100

    Document X509 version functions.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/crypto/X509V3_get_d2i.pod          | 217 +++++++++++++++++++++++++++++++++
 doc/crypto/X509_CRL_get0_by_serial.pod | 103 ++++++++++++++++
 doc/crypto/X509_get0_signature.pod     |  81 ++++++++++++
 doc/crypto/X509_get_pubkey.pod         |  75 ++++++++++++
 doc/crypto/X509_get_subject_name.pod   |  81 ++++++++++++
 doc/crypto/X509_get_version.pod        |  78 ++++++++++++
 doc/crypto/X509_new.pod                |  17 ++-
 doc/crypto/X509_sign.pod               |  90 ++++++++++++++
 doc/crypto/d2i_X509.pod                |  15 +++
 doc/crypto/d2i_X509_CRL.pod            |   4 +-
 doc/crypto/d2i_X509_REQ.pod            |   5 +-
 11 files changed, 763 insertions(+), 3 deletions(-)
 create mode 100644 doc/crypto/X509V3_get_d2i.pod
 create mode 100644 doc/crypto/X509_CRL_get0_by_serial.pod
 create mode 100644 doc/crypto/X509_get0_signature.pod
 create mode 100644 doc/crypto/X509_get_pubkey.pod
 create mode 100644 doc/crypto/X509_get_subject_name.pod
 create mode 100644 doc/crypto/X509_get_version.pod
 create mode 100644 doc/crypto/X509_sign.pod

diff --git a/doc/crypto/X509V3_get_d2i.pod b/doc/crypto/X509V3_get_d2i.pod
new file mode 100644
index 0000000..8e78488
--- /dev/null
+++ b/doc/crypto/X509V3_get_d2i.pod
@@ -0,0 +1,217 @@
+=pod
+
+=head1 NAME
+
+X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d,
+X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i,
+X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i,
+X509_REVOKED_add1_ext_i2d - X509 extension decode and encode functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509v3.h>
+
+ void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
+                      int *idx);
+ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
+                     int crit, unsigned long flags);
+
+ void *X509V3_EXT_d2i(X509_EXTENSION *ext);
+ X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext);
+
+ void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx);
+ int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
+                       unsigned long flags);
+
+ void *X509_CRL_get_ext_d2i(X509_CRL *crl, int nid, int *crit, int *idx);
+ int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
+                           unsigned long flags);
+
+ void *X509_REVOKED_get_ext_d2i(X509_REVOKED *r, int nid, int *crit, int *idx);
+ int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit,
+                               unsigned long flags);
+
+=head1 DESCRIPTION
+
+X509V3_get_ext_d2i() looks for an extension with OID B<nid> in the extensions
+B<x> and, if found, decodes it. If B<idx> is B<NULL> then only one
+occurrence of an extension is permissible otherwise the first extension after
+index B<*idx> is returned and B<*idx> updated to the location of the extension.
+If B<crit> is not B<NULL> then B<*crit> is set to a status value: -2 if the
+extension occurs multiple times (this is only returned if B<idx> is B<NULL>),
+-1 if the extension could not be found, 0 if the extension is found and is
+not critical and 1 if critical. A pointer to an extension specific structure
+or B<NULL> is returned.
+
+X509V3_add1_i2d() adds extension B<value> to STACK B<*x> (allocating a new
+STACK if necessary) using OID B<nid> and criticality B<crit> according
+to B<flags>.
+
+X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in extension
+B<ext> and returns a pointer to an extension specific structure or B<NULL>
+if the extension could not be decoded (invalid syntax or not supported).
+
+X509V3_EXT_i2d() encodes the extension specific structure B<ext>
+with OID B<ext_nid> and criticality B<crit>.
+
+X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of
+certificate B<x>, they are otherwise identical to X509V3_get_d2i() and
+X509V3_add_i2d().
+
+X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions
+of CRL B<crl>, they are otherwise identical to X509V3_get_d2i() and
+X509V3_add_i2d().
+
+X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the
+extensions of B<X509_REVOKED> structure B<r> (i.e for CRL entry extensions),
+they are otherwise identical to X509V3_get_d2i() and X509V3_add_i2d().
+
+=head1 NOTES
+
+In almost all cases an extension can occur at most once and multiple
+occurences is an error. Therefore the B<idx> parameter is usually B<NULL>.
+
+The B<flags> parameter may be one of the following values.
+
+B<X509V3_ADD_DEFAULT> appends a new extension only if the extension does
+not already exist. An error is returned if the extension does already
+exist.
+
+B<X509V3_ADD_APPEND> appends a new extension, ignoring whether the extension
+already exists.
+
+B<X509V3_ADD_REPLACE> replaces an extension if it exists otherwise apppends
+a new extension.
+
+B<X509V3_ADD_REPLACE_EXISTING> replaces an existing extension if it exists
+otherwise returns an error.
+
+B<X509V3_ADD_KEEP_EXISTING> appends a new extension only if the extension does
+not already exist. An error B<is not> returned if the extension does already
+exist.
+
+B<X509V3_ADD_DELETE> extension B<nid> is deleted: no new extenion is added.
+
+If B<X509V3_ADD_SILENT> is ored with B<flags>: any error returned will not
+be added to the error queue.
+
+The function X509V3_get_d2i() will return B<NULL> if the extension is not
+found, occurs multiple times or cannot be decoded. It is possible to
+determine the precise reason by checking the value of B<*crit>.
+
+=head1 SUPPORTED EXTENSIONS
+
+The following sections contain a list of all supported extensions
+including their name and NID.
+
+=head2 PKIX CERTIFICATE EXTENSIONS
+
+The following certificate extensions are defined in PKIX standards such as
+RFC5280.
+
+ Basic Constraints                  NID_basic_constraints
+ Key Usage                          NID_key_usage
+ Extended Key Usage                 NID_ext_key_usage
+
+ Subject Key Identifier             NID_subject_key_identifier
+ Authority Key Identifier           NID_authority_key_identifier
+
+ Private Key Usage Period           NID_private_key_usage_period
+
+ Subject Alternative Name           NID_subject_alt_name
+ Issuer Alternative Name            NID_issuer_alt_name
+
+ Authority Information Access       NID_info_access
+ Subject Information Access         NID_sinfo_access
+
+ Name Constraints                   NID_name_constraints
+
+ Certificate Policies               NID_certificate_policies
+ Policy Mappings                    NID_policy_mappings
+ Policy Constraints                 NID_policy_constraints
+ Inhibit Any Policy                 NID_inhibit_any_policy
+
+=head2 NETSCAPE CERTIFICATE EXTENSIONS
+
+The following are (largely obsolete) Netscape certificate extensions.
+
+ Netscape Cert Type                 NID_netscape_cert_type
+ Netscape Base Url                  NID_netscape_base_url
+ Netscape Revocation Url            NID_netscape_revocation_url
+ Netscape CA Revocation Url         NID_netscape_ca_revocation_url
+ Netscape Renewal Url               NID_netscape_renewal_url
+ Netscape CA Policy Url             NID_netscape_ca_policy_url
+ Netscape SSL Server Name           NID_netscape_ssl_server_name
+ Netscape Comment                   NID_netscape_comment
+
+=head2 MISCELLANEOUS CERTIFICATE EXTENSIONS
+
+ Strong Extranet ID                 NID_sxnet
+ Proxy Certificate Information      NID_proxyCertInfo
+
+=head2 PKIX CRL EXTENSIONS
+
+The following are CRL extensions from PKIX standards such as RFC5280.
+
+ CRL Number                         NID_crl_number
+ CRL Distribution Points            NID_crl_distribution_points
+ Delta CRL Indicator                NID_delta_crl
+ Freshest CRL                       NID_freshest_crl
+ Invalidity Date                    NID_invalidity_date
+ Issuing Distrubution Point         NID_issuing_distribution_point
+
+The following are CRL entry extensions from PKIX standards such as RFC5280.
+
+ CRL Reason Code                    NID_crl_reason
+ Certificate Issuer                 NID_certificate_issuer
+
+=head2 OCSP EXTENSIONS
+
+ OCSP Nonce                         NID_id_pkix_OCSP_Nonce
+ OCSP CRL ID                        NID_id_pkix_OCSP_CrlID
+ Acceptable OCSP Responses          NID_id_pkix_OCSP_acceptableResponses
+ OCSP No Check                      NID_id_pkix_OCSP_noCheck
+ OCSP Archive Cutoff                NID_id_pkix_OCSP_archiveCutoff
+ OCSP Service Locator               NID_id_pkix_OCSP_serviceLocator
+ Hold Instruction Code              NID_hold_instruction_code
+
+=head2 CERTIFICATE TRANSPARENCY EXTENSIONS
+
+The following extensions are used by certificate transparency, RFC6962
+
+ CT Precertificate SCTs             NID_ct_precert_scts
+ CT Certificate SCTs                NID_ct_cert_scts
+
+=head1 RETURN VALUES
+
+X509V3_EXT_d2i() and *X509V3_get_d2i() return a pointer to an extension
+specific structure of B<NULL> if an error occurs.
+
+X509V3_EXT_i2d() returns a pointer to an B<X509_EXTENSION> structure
+or B<NULL> if an error occurs.
+
+X509V3_add1_i2d() returns 1 if the operation is successful and 0 if it
+fails due to a non-fatal error (extension not found, already exists,
+cannot be encoded) or -1 due to a fatal error such as a memory allocation
+failure.
+
+=head1 SEE ALSO
+
+L<d2i_X509(3)>,
+L<ERR_get_error(3)|ERR_get_error(3)>,
+L<X509_CRL_get0_by_serial(3)>,
+L<X509_get0_signature(3)>,
+L<X509_get_ext_d2i(3)>,
+L<X509_get_extension_flags(3)>,
+L<X509_get_pubkey(3)>,
+L<X509_get_subject_name(3)>,
+L<X509_get_version(3)>,
+L<X509_NAME_add_entry_by_txt(3)>,
+L<X509_NAME_ENTRY_get_object(3)>,
+L<X509_NAME_get_index_by_NID(3)>,
+L<X509_NAME_print_ex(3)>,
+L<X509_new(3)>,
+L<X509_sign(3)>,
+L<X509_verify_cert(3)>
+
+=cut
diff --git a/doc/crypto/X509_CRL_get0_by_serial.pod b/doc/crypto/X509_CRL_get0_by_serial.pod
new file mode 100644
index 0000000..d00dab9
--- /dev/null
+++ b/doc/crypto/X509_CRL_get0_by_serial.pod
@@ -0,0 +1,103 @@
+=pod
+
+=head1 NAME
+
+X509_CRL_get0_by_serial, X509_CRL_get0_by_cert, X509_CRL_get_REVOKED,
+X509_REVOKED_get0_serialNumber, X509_REVOKED_get0_revocationDate,
+X509_REVOKED_set_serialNumber, X509_REVOKED_set_revocationDate,
+X509_CRL_add0_revoked, X509_CRL_sort - CRL revoked entry utility
+functions.
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ int X509_CRL_get0_by_serial(X509_CRL *crl,
+                             X509_REVOKED **ret, ASN1_INTEGER *serial);
+ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
+
+ STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
+
+ ASN1_INTEGER *X509_REVOKED_get0_serialNumber(X509_REVOKED *r);
+ ASN1_TIME *X509_REVOKED_get0_revocationDate(X509_REVOKED *r);
+
+ int X509_REVOKED_set_serialNumber(X509_REVOKED *r, ASN1_INTEGER *serial);
+ int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
+
+ int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
+
+ int X509_CRL_sort(X509_CRL *crl);
+
+=head1 DESCRIPTION
+
+X509_CRL_get0_by_serial() attempts to find a revoked entry in B<crl> for
+serial number B<serial>. If it is successful it sets B<*ret> to the internal
+pointer of the matching entry, as a result B<*ret> must not be freed up
+after the call.
+
+X509_CRL_get0_by_cert() is similar to X509_get0_by_serial() except it
+looks for a revoked entry using the serial number of certificate B<x>.
+
+X509_CRL_get_REVOKED() returns an internal pointer to a stack of all
+revoked entries for B<crl>.
+
+X509_REVOKED_get0_serialNumber() returns an internal pointer to the
+serial number of B<r>.
+
+X509_REVOKED_get0_revocationDate() returns an internal pointer to the
+revocation date of B<r>.
+
+X509_REVOKED_set_serialNumber() sets the serial number of B<r> to B<serial>.
+The supplied B<serial> pointer is not used internally so it should be
+freed up after use.
+
+X509_REVOKED_set_revocationDate() sets the revocation date of B<r> to
+B<tm>. The supplied B<tm> pointer is not used internally so it should be
+freed up after use.
+
+X509_CRL_add0_revoked() appends revoked entry B<rev> to CRL B<crl>. The
+pointer B<rev> is used internally so it must not be freed up after the call:
+it is freed when the parent CRL is freed.
+
+X509_CRL_sort() sorts the revoked entries of B<crl> into ascending serial
+number order.
+
+=head1 NOTES
+
+Applications can determine the number of revoked entries returned by
+X509_CRL_get_revoked() using sk_X509_REVOKED_num() and examine each one
+in turn using sk_X509_REVOKED_value().
+
+=head1 RETURN VALUES
+
+X509_CRL_get0_by_serial(), X509_CRL_get0_by_cert(),
+X509_REVOKED_set_serialNumber(), X509_REVOKED_set_revocationDate(),
+X509_CRL_add0_revoked() and X509_CRL_sort() return 1 for success and 0 for
+failure.
+
+X509_REVOKED_get0_serialNumber() returns an B<ASN1_INTEGER> pointer.
+
+X509_REVOKED_get0_revocationDate() returns an B<ASN1_TIME> value.
+
+X509_CRL_get_REVOKED() returns a STACK of revoked entries.
+
+=head1 SEE ALSO
+
+L<d2i_X509(3)>,
+L<ERR_get_error(3)>,
+L<X509_get0_signature(3)>,
+L<X509_get_ext_d2i(3)>,
+L<X509_get_extension_flags(3)>,
+L<X509_get_pubkey(3)>,
+L<X509_get_subject_name(3)>,
+L<X509_get_version(3)>,
+L<X509_NAME_add_entry_by_txt(3)>,
+L<X509_NAME_ENTRY_get_object(3)>,
+L<X509_NAME_get_index_by_NID(3)>,
+L<X509_NAME_print_ex(3)>,
+L<X509_new(3)>,
+L<X509_sign(3)>,
+L<X509V3_get_d2i(3)>,
+L<X509_verify_cert(3)>
+
+=cut
diff --git a/doc/crypto/X509_get0_signature.pod b/doc/crypto/X509_get0_signature.pod
new file mode 100644
index 0000000..102c0c6
--- /dev/null
+++ b/doc/crypto/X509_get0_signature.pod
@@ -0,0 +1,81 @@
+=pod
+
+=head1 NAME
+
+X509_get0_signature, X509_get_signature_nid, X509_REQ_get0_signature,
+X509_REQ_get_signature_nid, X509_CRL_get0_signature,
+X509_CRL_get_signature_nid - signature information.
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
+                          const X509 *x);
+ int X509_get_signature_nid(const X509 *x);
+
+ void X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
+                              const X509_REQ *crl);
+ int X509_REQ_get_signature_nid(const X509_REQ *crl);
+
+ void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
+                              const X509_CRL *crl);
+ int X509_CRL_get_signature_nid(const X509_CRL *crl);
+
+=head1 DESCRIPTION
+
+X509_get0_signature() sets B<*psig> to the signature of B<x> and B<*palg>
+to the signature algorithm of B<x>. The values returned are internal
+pointers which B<MUST NOT> be freed up after the call.
+
+X509_get_signature_nid() returns the NID corresponding to the signature
+algorithm of B<x>.
+
+X509_REQ_get0_signature(), X509_REQ_get_signature_nid()
+X509_CRL_get0_signature() and X509_CRL_get_signature_nid() perform the
+same function for certificate requests and CRLs.
+
+=head1 NOTES
+
+These functions provide lower level access to signatures in certificates
+where an application wishes to analyse or generate a signature in a form
+where X509_sign() et al is not appropriate (for example a non standard
+or unsupported format).
+
+=head1 RETURN VALUES
+
+X509_get_signature_nid(), X509_REQ_get_signature_nid() and
+X509_CRL_get_signature_nid() return a NID.
+
+X509_get0_signature(), X509_REQ_get0_signature() and
+X509_CRL_get0_signature() do not return values.
+
+=head1 SEE ALSO
+
+L<d2i_X509(3)>,
+L<ERR_get_error(3)>,
+L<X509_CRL_get0_by_serial(3)>,
+L<X509_get_ext_d2i(3)>,
+L<X509_get_extension_flags(3)>,
+L<X509_get_pubkey(3)>,
+L<X509_get_subject_name(3)>,
+L<X509_get_version(3)>,
+L<X509_NAME_add_entry_by_txt(3)>,
+L<X509_NAME_ENTRY_get_object(3)>,
+L<X509_NAME_get_index_by_NID(3)>,
+L<X509_NAME_print_ex(3)>,
+L<X509_new(3)>,
+L<X509_sign(3)>,
+L<X509V3_get_d2i(3)>,
+L<X509_verify_cert(3)>
+
+=head1 HISTORY
+
+X509_get0_signature() and X509_get_signature_nid() were first added to
+OpenSSL 1.0.2.
+
+X509_REQ_get0_signature(), X509_REQ_get_signature_nid(),
+X509_CRL_get0_signature() and X509_CRL_get_signature_nid() were first added
+to OpenSSL 1.1.0.
+
+=cut
diff --git a/doc/crypto/X509_get_pubkey.pod b/doc/crypto/X509_get_pubkey.pod
new file mode 100644
index 0000000..c59ce2a
--- /dev/null
+++ b/doc/crypto/X509_get_pubkey.pod
@@ -0,0 +1,75 @@
+=pod
+
+=head1 NAME
+
+X509_get_pubkey, X509_set_pubkey, X509_get_X509_PUBKEY,
+X509_REQ_get_pubkey, X509_REQ_set_pubkey, X509_REQ_get_X509_PUBKEY - get or
+set certificate or certificate request public key.
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ EVP_PKEY *X509_get_pubkey(X509 *x);
+ int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
+ X509_PUBKEY *X509_get_X509_PUBKEY(X509 *x);
+
+ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
+ int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
+ X509_PUBKEY *X509_REQ_get_X509_PUBKEY(X509_REQ *x);
+
+=head1 DESCRIPTION
+
+X509_get_pubkey() attempts to decode the public key for certificate B<x>. If
+successful it returns the public key as an B<EVP_PKEY> pointer with its
+reference count incremented: this means the returned key must be freed up
+after use.
+
+X509_get_X509_PUBKEY() returns an internal pointer to the B<X509_PUBKEY>
+structure which encodes the certificate of B<x>. The returned value
+must not be freed up after use.
+
+X509_set_pubkey() attempts to set the public key for certificate B<x> to
+B<pkey>. The key B<pkey> should be freed up after use.
+
+X509_REQ_get_pubkey(), X509_REQ_set_pubkey() and X509_REQ_get_X509_PUBKEY()
+are similar but operate on certificate request B<req>.
+
+=head1 NOTES
+
+The first time a public key is decoded the B<EVP_PKEY> structure is
+cached in the certificate or certificate request itself. Subsequent calls
+return the cached structure with its reference count incremented to
+improve performance.
+
+=head1 RETURN VALUES
+
+X509_get_pubkey(), X509_get_X509_PUBKEY(), X509_REQ_get_pubkey() and
+X509_REQ_get_X509_PUBKEY() return a public key or B<NULL> if an error
+occurred.
+
+X509_set_pubkey() and X509_REQ_set_pubkey() rerturn 1 for success and 0
+for failure.
+
+=head1 SEE ALSO
+
+L<d2i_X509(3)>,
+L<ERR_get_error(3)>,
+L<X509_CRL_get0_by_serial(3)>,
+L<X509_get0_signature(3)>,
+L<X509_get_ext_d2i(3)>,
+L<X509_get_extension_flags(3)>,
+L<X509_get_subject_name(3)>,
+L<X509_get_version(3)>,
+L<X509_NAME_add_entry_by_txt(3)>,
+L<X509_NAME_ENTRY_get_object(3)>,
+L<X509_NAME_get_index_by_NID(3)>,
+L<X509_NAME_print_ex(3)>,
+L<X509_new(3)>,
+L<X509_sign(3)>,
+L<X509V3_get_d2i(3)>,
+L<X509_verify_cert(3)>
+
+=head1 HISTORY
+
+=cut
diff --git a/doc/crypto/X509_get_subject_name.pod b/doc/crypto/X509_get_subject_name.pod
new file mode 100644
index 0000000..12b3dfe
--- /dev/null
+++ b/doc/crypto/X509_get_subject_name.pod
@@ -0,0 +1,81 @@
+=pod
+
+=head1 NAME
+
+X509_get_subject_name, X509_set_subject_name, X509_get_issuer_name,
+X509_set_issuer_name, X509_REQ_get_subject_name, X509_REQ_set_subject_name,
+X509_CRL_get_issuer, X509_CRL_set_issuer_name - get and set issuer or
+subject names.
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ X509_NAME *X509_get_subject_name(X509 *x);
+ int X509_set_subject_name(X509 *x, X509_NAME *name);
+
+ X509_NAME *X509_get_issuer_name(X509 *x);
+ int X509_set_issuer_name(X509 *x, X509_NAME *name);
+
+ X509_NAME *X509_REQ_get_subject_name(X509_REQ *req);
+ int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);
+
+ X509_NAME *X509_CRL_get_issuer(X509_CRL *crl);
+ int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name);
+
+=head1 DESCRIPTION
+
+X509_get_subject_name() returns the subject name of certificate B<x>. The
+returned value is an internal pointer which B<MUST NOT> be freed.
+
+X509_set_subject_name() sets the issuer name of certificate B<x> to
+B<name>. The B<name> parameter is copied internally and should be freed
+up when it is no longer needed.
+
+X509_get_issuer_name() and X509_set_issuer_name() are identical to
+X509_get_subject_name() and X509_set_subject_name() except the get and
+set the isssuer name of B<x>.
+
+Similarly X509_REQ_get_subject_name(), X509_REQ_set_subject_name(),
+ X509_CRL_get_issuer() and X509_CRL_set_issuer_name() get or set the subject
+or issuer names of certifcate requests of CRLs respectively.
+
+=head1 RETURN VALUES
+
+X509_get_subject_name(), X509_get_issuer_name(), X509_REQ_get_subject_name()
+and X509_CRL_get_issuer() return an B<X509_NAME> pointer.
+
+X509_set_subject_name(), X509_set_issuer_name(), X509_REQ_set_subject_name()
+and X509_CRL_set_issuer_name() return 1 for success and 0 for failure.
+
+=head1 HISTORY
+
+X509_get_subject_name(), X509_set_subject_name() and X509_get_issuer_name(),
+X509_set_issuer_name(), X509_REQ_set_subject_name() and
+X509_CRL_set_issuer_name() are avaiable in all versions of OpenSSL.
+
+X509_REQ_get_subject_name() is a function in OpenSSL 1.1.0 and a macro in
+earlier versions.
+
+X509_CRL_get_issuer() is a function in OpenSSL 1.1.0. It was first added
+to OpenSSL 1.0.0 as a macro.
+
+=head1 SEE ALSO
+
+L<d2i_X509(3)>,
+L<ERR_get_error(3)>, L<d2i_X509(3)>
+L<X509_CRL_get0_by_serial(3)>,
+L<X509_get0_signature(3)>,
+L<X509_get_ext_d2i(3)>,
+L<X509_get_extension_flags(3)>,
+L<X509_get_pubkey(3)>,
+L<X509_NAME_add_entry_by_txt(3)>,
+L<X509_NAME_ENTRY_get_object(3)>,
+L<X509_NAME_get_index_by_NID(3)>,
+L<X509_NAME_print_ex(3)>,
+L<X509_new(3)>,
+L<X509_sign(3)>,
+L<X509V3_get_d2i(3)>,
+L<X509_verify_cert(3)>
+
+=cut
diff --git a/doc/crypto/X509_get_version.pod b/doc/crypto/X509_get_version.pod
new file mode 100644
index 0000000..49b99bf
--- /dev/null
+++ b/doc/crypto/X509_get_version.pod
@@ -0,0 +1,78 @@
+=pod
+
+=head1 NAME
+
+X509_get_version, X509_set_version, X509_REQ_get_version, X509_REQ_set_version,
+X509_CRL_get_version, X509_CRL_set_version - get or set certificate,
+certificate request or CRL version.
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ long X509_get_version(X509 *x);
+ int X509_set_version(X509 *x, long version);
+
+ long X509_REQ_get_version(X509_REQ *req);
+ int X509_REQ_set_version(X509_REQ *x, long version);
+
+ long X509_CRL_get_version(X509_CRL *crl);
+ int X509_CRL_set_version(X509_CRL *x, long version);
+
+=head1 DESCRIPTION
+
+X509_get_version() returns the numerical value of the version field of
+certificate B<x>. Note: this is defined by standards (X.509 et al) to be one
+less than the certificate version. So a verson 3 certificate will return 2 and
+a version 1 certificate will return 0.
+
+X509_set_version() sets the numerical value of the version field of certificate
+B<x> to B<version>.
+
+Similarly X509_REQ_get_version(), X509_REQ_set_version(),
+X509_CRL_get_version() and X509_CRL_set_version() get and set the version
+number of certificate requests and CRLs.
+
+=head1 NOTES
+
+The version field of certificates, certificate requests and CRLs has a
+DEFAULT value of B<v1(0)> meaning the field should be omitted for version
+1. This is handled transparently by these functions.
+
+=head1 RETURN VALUES
+
+X509_get_version(), X509_REQ_get_version() and X509_CRL_get_version()
+return the numerical value of the version field.
+
+X509_set_version(), X509_REQ_set_version() and X509_CRL_set_version()
+return 1 for success and 0 for failure.
+
+=head1 SEE ALSO
+
+L<d2i_X509(3)>,
+L<ERR_get_error(3)>,
+L<X509_CRL_get0_by_serial(3)>,
+L<X509_get0_signature(3)>,
+L<X509_get_ext_d2i(3)>,
+L<X509_get_extension_flags(3)>,
+L<X509_get_pubkey(3)>,
+L<X509_get_subject_name(3)>,
+L<X509_NAME_add_entry_by_txt(3)>,
+L<X509_NAME_ENTRY_get_object(3)>,
+L<X509_NAME_get_index_by_NID(3)>,
+L<X509_NAME_print_ex(3)>,
+L<X509_new(3)>,
+L<X509_sign(3)>,
+L<X509V3_get_d2i(3)>,
+L<X509_verify_cert(3)>
+
+=head1 HISTORY
+
+X509_get_version(), X509_set_version() X509_REQ_get_version(),
+X509_REQ_set_version(), X509_REQ_get_version() and X509_REQ_set_version()
+are available in all versions of OpenSSL.
+
+X509_get_version(), X509_REQ_get_version() and X509_CRL_get_version() are
+functions in OpenSSL 1.1.0, in previous versions they were macros.
+
+=cut
diff --git a/doc/crypto/X509_new.pod b/doc/crypto/X509_new.pod
index 2e49a6e..2b20af5 100644
--- a/doc/crypto/X509_new.pod
+++ b/doc/crypto/X509_new.pod
@@ -31,7 +31,22 @@ X509_free() returns no value.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)>, L<d2i_X509(3)>
+L<d2i_X509(3)>,
+L<ERR_get_error(3)>,
+L<X509_CRL_get0_by_serial(3)>,
+L<X509_get0_signature(3)>,
+L<X509_get_ext_d2i(3)>,
+L<X509_get_extension_flags(3)>,
+L<X509_get_pubkey(3)>,
+L<X509_get_subject_name(3)>,
+L<X509_get_version(3)>,
+L<X509_NAME_add_entry_by_txt(3)>,
+L<X509_NAME_ENTRY_get_object(3)>,
+L<X509_NAME_get_index_by_NID(3)>,
+L<X509_NAME_print_ex(3)>,
+L<X509_sign(3)>,
+L<X509V3_get_d2i(3)>,
+L<X509_verify_cert(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/X509_sign.pod b/doc/crypto/X509_sign.pod
new file mode 100644
index 0000000..55cfd13
--- /dev/null
+++ b/doc/crypto/X509_sign.pod
@@ -0,0 +1,90 @@
+=pod
+
+=head1 NAME
+
+X509_sign, X509_sign_ctx, X509_verify, X509_REQ_sign, X509_REQ_sign_ctx,
+X509_REQ_verify, X509_CRL_sign, X509_CRL_sign_ctx, X509_CRL_verify -
+sign or verify certificate, certificate request or CRL signature.
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
+ int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
+ int X509_verify(X509 *a, EVP_PKEY *r);
+
+ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
+ int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);
+ int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
+
+ int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
+ int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
+ int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
+
+=head1 DESCRIPTION
+
+X509_sign() signs certificate B<x> using private key B<pkey> and message
+digest B<md> and sets the signature in B<x>. X509_sign_ctx() also signs
+certificate B<x> but uses the parameters contained in digest context B<ctx>.
+
+X509_verify() verifies the signature of certificate B<x> using public key
+B<pkey>. Only the signature is checked: no other checks (such as certificate
+chain validity) are perfored.
+
+X509_REQ_sign(), X509_REQ_sign_ctx(), X509_REQ_verify(),
+X509_CRL_sign(), X509_CRL_sign_ctx() and X509_CRL_verify() sign and verify
+certificate requests and CRLs respectively.
+
+=head1 NOTES
+
+X509_sign_ctx() is used where the default parameters for the corresponding
+public key and digest are not suitable. It can be used to sign keys using
+RSA-PSS for example.
+
+For efficiency reasons and to work around ASN.1 encoding issues the encoding
+of the signed portion of a certificate, certificate request and CRL is cached
+internally. If the signed portion of the structure is modified the encoding
+is not always updated meaning a stale version is sometimes used. This is not
+normally a problem because modifying the signed portion will invalidate the
+signature and signing will always update the encoding.
+
+=head1 RETURN VALUES
+
+X509_sign(), X509_sign_ctx(), X509_REQ_sign(), X509_REQ_sign_ctx(),
+X509_CRL_sign() and X509_CRL_sign_ctx() return 1 for success and 0
+for failure.
+
+X509_verify(), X509_REQ_verify() and X509_CRL_verify() return 1 if the
+signature is valid and 0 if the signature check fails. If the signature
+could not be checked at all because it was invalid or some other error
+occurred then -1 is returned.
+
+=head1 SEE ALSO
+
+L<d2i_X509(3)>,
+L<ERR_get_error(3)>,
+L<X509_CRL_get0_by_serial(3)>,
+L<X509_get0_signature(3)>,
+L<X509_get_ext_d2i(3)>,
+L<X509_get_extension_flags(3)>,
+L<X509_get_pubkey(3)>,
+L<X509_get_subject_name(3)>,
+L<X509_get_version(3)>,
+L<X509_NAME_add_entry_by_txt(3)>,
+L<X509_NAME_ENTRY_get_object(3)>,
+L<X509_NAME_get_index_by_NID(3)>,
+L<X509_NAME_print_ex(3)>,
+L<X509_new(3)>,
+L<X509V3_get_d2i(3)>,
+L<X509_verify_cert(3)>
+
+=head1 HISTORY
+
+X509_sign(), X509_REQ_sign() and X509_CRL_sign() are available in all
+versions of OpenSSL.
+
+X509_sign_ctx(), X509_REQ_sign_ctx() and X509_CRL_sign_ctx() were first added
+to OpenSSL 1.0.1.
+
+=cut
diff --git a/doc/crypto/d2i_X509.pod b/doc/crypto/d2i_X509.pod
index 8a5a9c9..af29829 100644
--- a/doc/crypto/d2i_X509.pod
+++ b/doc/crypto/d2i_X509.pod
@@ -251,6 +251,21 @@ occurs The error code can be obtained by L<ERR_get_error(3)>.
 =head1 SEE ALSO
 
 L<ERR_get_error(3)>
+L<X509_CRL_get0_by_serial(3)>,
+L<X509_get0_signature(3)>,
+L<X509_get_ext_d2i(3)>,
+L<X509_get_extension_flags(3)>,
+L<X509_get_pubkey(3)>,
+L<X509_get_subject_name(3)>,
+L<X509_get_version(3)>,
+L<X509_NAME_add_entry_by_txt(3)>,
+L<X509_NAME_ENTRY_get_object(3)>,
+L<X509_NAME_get_index_by_NID(3)>,
+L<X509_NAME_print_ex(3)>,
+L<X509_new(3)>,
+L<X509_sign(3)>,
+L<X509V3_get_d2i(3)>,
+L<X509_verify_cert(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/d2i_X509_CRL.pod b/doc/crypto/d2i_X509_CRL.pod
index dfa3334..96f5a4d 100644
--- a/doc/crypto/d2i_X509_CRL.pod
+++ b/doc/crypto/d2i_X509_CRL.pod
@@ -3,7 +3,7 @@
 =head1 NAME
 
 d2i_X509_CRL, i2d_X509_CRL, d2i_X509_CRL_bio, d2i_X509_CRL_fp,
-i2d_X509_CRL_bio, i2d_X509_CRL_fp - PKCS#10 certificate request functions.
+i2d_X509_CRL_bio, i2d_X509_CRL_fp, i2d_re_X509_CRL_tbs - CRL functions.
 
 =head1 SYNOPSIS
 
@@ -18,6 +18,8 @@ i2d_X509_CRL_bio, i2d_X509_CRL_fp - PKCS#10 certificate request functions.
  int i2d_X509_CRL_bio(BIO *bp, X509_CRL *x);
  int i2d_X509_CRL_fp(FILE *fp, X509_CRL *x);
 
+ int i2d_re_X509_CRL_tbs(X509_CRL *x, unsigned char **out);
+
 =head1 DESCRIPTION
 
 These functions decode and encode an X509 CRL (certificate revocation
diff --git a/doc/crypto/d2i_X509_REQ.pod b/doc/crypto/d2i_X509_REQ.pod
index 1b2a588..0d66da7 100644
--- a/doc/crypto/d2i_X509_REQ.pod
+++ b/doc/crypto/d2i_X509_REQ.pod
@@ -3,7 +3,8 @@
 =head1 NAME
 
 d2i_X509_REQ, i2d_X509_REQ, d2i_X509_REQ_bio, d2i_X509_REQ_fp,
-i2d_X509_REQ_bio, i2d_X509_REQ_fp - PKCS#10 certificate request functions.
+i2d_X509_REQ_bio, i2d_X509_REQ_fp, i2d_re_X509_REQ_tbs - PKCS#10 certificate
+request functions.
 
 =head1 SYNOPSIS
 
@@ -18,6 +19,8 @@ i2d_X509_REQ_bio, i2d_X509_REQ_fp - PKCS#10 certificate request functions.
  int i2d_X509_REQ_bio(BIO *bp, X509_REQ *x);
  int i2d_X509_REQ_fp(FILE *fp, X509_REQ *x);
 
+ int i2d_re_X509_REQ_tbs(X509_REQ *x, unsigned char **out);
+
 =head1 DESCRIPTION
 
 These functions decode and encode a PKCS#10 certificate request.

