[openssl] master update

Dr. Paul Dale pauli at openssl.org
Thu Jul 15 00:24:02 UTC 2021

The branch master has been updated
       via  54c0480dac6c25f262d537048503a660aaa4b568 (commit)
      from  e77be2e20175f5ae3f96952f5b9fce557bc00fb1 (commit)

- Log -----------------------------------------------------------------
commit 54c0480dac6c25f262d537048503a660aaa4b568
Author: Tomas Mraz <tomas at openssl.org>
Date:   Tue Jul 13 17:59:37 2021 +0200

    doc: Document that incomplete certificates return error
    Fixes #16065
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16070)


Summary of changes:
 doc/man3/X509_check_ca.pod      | 3 ++-
 doc/man3/X509_check_issued.pod  | 3 ++-
 doc/man3/X509_check_purpose.pod | 3 ++-
 doc/man3/X509_verify.pod        | 7 ++++---
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/doc/man3/X509_check_ca.pod b/doc/man3/X509_check_ca.pod
index e070fb403a..6cf122ddfc 100644
--- a/doc/man3/X509_check_ca.pod
+++ b/doc/man3/X509_check_ca.pod
@@ -13,7 +13,8 @@ X509_check_ca - check if given certificate is CA certificate
 This function checks if given certificate is CA certificate (can be used
-to sign other certificates).
+to sign other certificates). The certificate must be a complete certificate
+otherwise an error is returned.
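Review bot: "an error is returned" leaves the reader guessing which value that is; X509_check_ca() has several distinct integer results, so the added sentence in the DESCRIPTION should name the value returned for an incomplete certificate and the RETURN VALUES section (not touched in this hunk) should list it too. "Complete certificate" is also undefined here; a short gloss (for example, that all mandatory fields have been set/parsed) would help. Minor: a comma is needed before "otherwise" in "must be a complete certificate otherwise an error is returned".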
diff --git a/doc/man3/X509_check_issued.pod b/doc/man3/X509_check_issued.pod
index fe37cd4858..c8d627ebba 100644
--- a/doc/man3/X509_check_issued.pod
+++ b/doc/man3/X509_check_issued.pod
@@ -21,7 +21,8 @@ but also compares all sub-fields of the B<authorityKeyIdentifier> extension of
 I<subject>, as far as present, with the respective B<subjectKeyIdentifier>,
 serial number, and issuer fields of I<issuer>, as far as present. It also checks
 if the B<keyUsage> field (if present) of I<issuer> allows certificate signing.
-It does not actually check the certificate signature.
+It does not actually check the certificate signature. An error is returned
+if the I<issuer> or the I<subject> are incomplete certificates.
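Review bot: The new sentence says "An error is returned" without saying which one; since this function reports X509_V_* codes rather than a plain failure flag, the text (and the RETURN VALUES section, which this three-line change does not reach) should state the specific value so callers can distinguish "incomplete input" from a genuine issuer mismatch. Grammar: "if the I<issuer> or the I<subject> are incomplete" should read "is incomplete" (singular subjects joined by "or").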
diff --git a/doc/man3/X509_check_purpose.pod b/doc/man3/X509_check_purpose.pod
index 619ed7831a..d1447c3c87 100644
--- a/doc/man3/X509_check_purpose.pod
+++ b/doc/man3/X509_check_purpose.pod
@@ -15,7 +15,8 @@ X509_check_purpose - Check the purpose of a certificate
 This function checks if certificate I<x> was created with the purpose
 represented by I<id>. If I<ca> is nonzero, then certificate I<x> is
 checked to determine if it's a possible CA with various levels of certainty
-possibly returned.
+possibly returned. The certificate I<x> must be a complete certificate
+otherwise the function returns an error.
 Below are the potential ID's that can be checked:
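Review bot: Same gap as the other two pages in this commit: "the function returns an error" should say which value, because the surrounding text explains that X509_check_purpose() already returns graded results for the CA case, and a reader cannot tell an error from one of those without the RETURN VALUES section being updated as well. Add a comma before "otherwise" in "must be a complete certificate otherwise the function returns an error".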
diff --git a/doc/man3/X509_verify.pod b/doc/man3/X509_verify.pod
index 65e41977bd..6033804b8d 100644
--- a/doc/man3/X509_verify.pod
+++ b/doc/man3/X509_verify.pod
@@ -25,7 +25,7 @@ X509_verify() verifies the signature of certificate I<x> using public key
 I<pkey>. Only the signature is checked: no other checks (such as certificate
 chain validity) are performed.
-X509_self_signed() checks whether a certificate is self-signed.
+X509_self_signed() checks whether certificate I<cert> is self-signed.
 For success the issuer and subject names must match, the components of the
 authority key identifier (if present) must match the subject key identifier etc.
 The signature itself is actually verified only if B<verify_signature> is 1, as
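Review bot: Parameter naming is now inconsistent within the one page: the context line describes X509_verify() as operating on certificate I<x>, while X509_self_signed() is described as operating on I<cert>; check that both names match the prototypes in the SYNOPSIS so the DESCRIPTION does not refer to a parameter the prototype calls something else.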
@@ -39,8 +39,9 @@ verify the signatures of certificate requests and CRLs, respectively.
 X509_REQ_verify_ex(), X509_REQ_verify() and X509_CRL_verify()
 return 1 if the signature is valid and 0 if the signature check fails.
-If the signature could not be checked at all because it was ill-formed
-or some other error occurred then -1 is returned.
+If the signature could not be checked at all because it was ill-formed,
+the certificate or the request was not complete or some other error occurred
+then -1 is returned.
 X509_self_signed() returns the same values but also returns 1
 if all respective fields match and B<verify_signature> is 0.
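Review bot: The amended -1 sentence omits one of the functions it applies to: the preceding context lines list X509_REQ_verify_ex(), X509_REQ_verify() and X509_CRL_verify(), yet the new text speaks only of "the certificate or the request" being incomplete, leaving the CRL case undocumented. Suggest "the certificate, the request or the CRL was not complete". The list in "ill-formed, the certificate or the request was not complete or some other error occurred" would also read more clearly with a comma (or "or because") before "some other error".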

More information about the openssl-commits mailing list