History log of /openbsd-src/lib/libcrypto/man/X509_STORE_CTX_get_error.3 (Results 1 – 25 of 28)
Revision Date Author Comments
# a9630e5b 06-Jun-2023 schwarze <schwarze@openbsd.org>

In 1995, Eric A. Young chose a confusing name for the "lastUpdate" field
of the X509_CRL_INFO object. It should have been called "thisUpdate"
like in RFC 5280 section 5.1 (and in its precursor RFC 2459). Then again,
RFC 2459 was only published in 1999, so maybe the terminology wasn't
firmly established yet when Young wrote his code several years earlier -
just guessing, neither we nor the OpenSSL folks appear to know the real
reasons...

Anyway, we have been stuck with the "lastUpdate" names in the API for
more than two decades now, so clarify in the documentation what they
refer to and what they really mean.

Requested by and OK tb@.



# 9a4df245 30-Apr-2023 tb <tb@openbsd.org>

The policy tree is no more

Mop up documentation mentioning it or any of its numerous accessors that
almost nothing ever used.


# 911e7b6a 21-Apr-2023 tb <tb@openbsd.org>

Uncomment and document X.509 verifier error codes

These are in actual use, so their meaning should be documented.
The remaining commented codes are unused outside of x509_txt.c
except for X509_V_ERR_INVALID_NON_CA which looks used at first
glance, but it is actually in an unreachable path of the legacy
verifier.



# 443e243a 29-Nov-2022 tb <tb@openbsd.org>

Add missing markup to comments and to RFC 3779 error


# 04f2b1b8 29-Nov-2022 tb <tb@openbsd.org>

First pass at updating verifier error docs

X509_verify_cert_error_string() is now thread safe as it no longer returns
a static buffer. Document X509_V_ERR_UNSPECIFIED. Stop asserting that the
X509_V_ERR_CERT_CHAIN_TOO_LONG code is unused, the new verifier can set it.
Add commented versions of various missing error codes in the proper spots
and move X509_V_ERR_UNNESTED_RESOURCE where it belongs.

prompted by claudio



# 1594f310 19-May-2022 tb <tb@openbsd.org>

Add missing space between No macro and "authority".


# 22e5ce20 03-Feb-2022 tb <tb@openbsd.org>

Fix copy-paste error: X509_V_ERR_CRL_SIGNATURE_FAILURE means that the
CRL's signature is invalid, not the certificate's.


# 0e162ba3 24-Jan-2022 tb <tb@openbsd.org>

Document X509_V_ERR_UNNESTED_RESOURCE. Previous version looked good
to claudio


# 491f2bff 17-Nov-2021 schwarze <schwarze@openbsd.org>

In x509_vfy.h rev. 1.37 and x509_vfy.c rev. 1.91, tb@ provided
X509_STORE_CTX_set_verify(3) and X509_STORE_CTX_get_verify(3).
Document them.

In the next bump, tb@ will also provide X509_STORE_CTX_verify_fn(3)
and X509_STORE_set_verify(3) and restore X509_STORE_set_verify_func(3)
to working order. For efficiency of documentation work, already
document those three, too, but keep the text temporarily .if'ed out
until they become available.

Delete X509_STORE_set_verify_func(3) from X509_STORE_set_verify_cb_func(3)
because it was misplaced in that page: it is not related to the
verification callback.

tb@ agrees with the general direction.



# 1798df84 16-Nov-2021 schwarze <schwarze@openbsd.org>

Recently, tb@ provided the following functions:
X509_STORE_CTX_set_error_depth x509_vfy.h 1.37 x509_vfy.c 1.91
X509_STORE_CTX_set_current_cert x509_vfy.h 1.37 x509_vfy.c 1.91
X509_STORE_CTX_get_num_untrusted x509_vfy.h 1.36 x509_vfy.c 1.90
X509_STORE_CTX_set0_verified_chain x509_vfy.h 1.37 x509_vfy.c 1.91

Merge the documentation from the OpenSSL 1.1.1 branch,
which is still under a free license; tweaked by me.



# 295c5934 29-Jul-2021 schwarze <schwarze@openbsd.org>

document X509_STORE_CTX_get0_parent_ctx(3)


# 862ef20a 28-Jul-2021 schwarze <schwarze@openbsd.org>

document X509_STORE_CTX_get0_policy_tree(3)
and X509_STORE_CTX_get_explicit_policy(3)


# eb922cd1 22-Jul-2021 schwarze <schwarze@openbsd.org>

document X509_STORE_CTX_get0_current_issuer(3)
and X509_STORE_CTX_get0_current_crl(3)


# 4a763290 22-Jul-2021 schwarze <schwarze@openbsd.org>

Move X509_STORE_CTX_get0_cert(3) to the X509_STORE_CTX_new(3) manual.

OpenSSL documents it in X509_STORE_CTX_get_error(3), but it is
misplaced there. It has nothing to do with accessing status or
error information but merely retrieves a pointer to the certificate
that the user wants to validate. It is a companion function to
X509_STORE_CTX_init(3), X509_STORE_CTX_set_cert(3),
X509_STORE_CTX_get0_store(3), and X509_STORE_CTX_get0_untrusted(3).

While here:
1. Clarify how the new, init, verify, cleanup, and free calls interact,
and who owns the memory involved, because this is all really confusing
from the user perspective.
2. Clarify how X509_STORE_CTX_init(3), X509_STORE_CTX_set_cert(3), and
X509_STORE_CTX_set_chain(3) partially override each other.
3. Move X509_STORE_CTX_set0_untrusted(3) to the proper place because
it is the same as X509_STORE_CTX_set_chain(3).
4. Add a few missing words and improve some wordings.



# b543445e 21-Jul-2021 schwarze <schwarze@openbsd.org>

Document X509_STORE_CTX_get_chain(3).

It is deprecated, but it is still called by various application programs,
so let's better mention it.


# 1c8a3c4c 25-Aug-2019 schwarze <schwarze@openbsd.org>

fix reversed meaning of error codes;
from Martin Ukrop <mukrop at mail dot muni dot cz>
via OpenSSL commit bb00b040 Aug 5 14:14:54 2019 +0200


# 3a034298 04-Jun-2019 schwarze <schwarze@openbsd.org>

.In openssl/x509_vfy.h
for consistency with all the other X509_STORE_*(3) manual pages


# 10e00d17 27-Mar-2018 schwarze <schwarze@openbsd.org>

found a complete archive of SSLeay-0.4 to SSLeay-0.8.1b tarballs
on the web, so fix up SSLeay HISTORY accordingly


# 4b12da35 23-Mar-2018 schwarze <schwarze@openbsd.org>

finish crypto HISTORY; mostly 1.1.0/6.3, but also various other fixes


# 958c08b5 22-Mar-2018 schwarze <schwarze@openbsd.org>

crypto HISTORY up to 0.9.5; researched from OpenSSL git


# d9d184f2 21-Mar-2018 schwarze <schwarze@openbsd.org>

x509.h HISTORY up to SSLeay 0.8.1b; researched from OpenSSL git


# d3125e1c 25-Feb-2018 schwarze <schwarze@openbsd.org>

In x509_vfy.h rev. 1.21 2018/02/22 17:11:30, jsing@ provided
X509_STORE_CTX_get0_chain(3). Adapt the documentation.

It is absurd that OpenSSL documents the two almost identical functions
X509_STORE_CTX_get0_chain(3) and X509_STORE_CTX_get1_chain(3) in
two different manual pages, with quite different wordings, and without
even referencing each other. It is very obvious that they have
lost their way in their own mire of functions.



# 274e6233 15-Feb-2018 schwarze <schwarze@openbsd.org>

In x509_vfy.h rev. 1.20 2018/02/14 17:06:34, jsing@ provided
X509_STORE_CTX_set0_untrusted(3), X509_STORE_CTX_set0_trusted_stack(3),
X509_STORE_CTX_get0_untrusted(3), and X509_STORE_CTX_get0_cert(3).
Merge the related documentation from OpenSSL.



# 56bc162b 25-Dec-2016 schwarze <schwarze@openbsd.org>

Consistently mark up various ASN.1 type names defined in standards
related to X.509 with .Vt such that they can be searched for.


# 2d281ab4 05-Dec-2016 schwarze <schwarze@openbsd.org>

Copyright and license.
Never include <openssl/x509_vfy.h> directly; from OpenSSL.
Merge a typo fix from OpenSSL.

