1.\" $OpenBSD: tls_load_file.3,v 1.14 2022/01/01 02:18:28 jsg Exp $
2.\"
3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4.\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
5.\" Copyright (c) 2015 Bob Beck <beck@openbsd.org>
6.\" Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
7.\"
8.\" Permission to use, copy, modify, and distribute this software for any
9.\" purpose with or without fee is hereby granted, provided that the above
10.\" copyright notice and this permission notice appear in all copies.
11.\"
12.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
13.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
14.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
15.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
16.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19.\"
20.Dd $Mdocdate: January 1 2022 $
21.Dt TLS_LOAD_FILE 3
22.Os
23.Sh NAME
24.Nm tls_load_file ,
25.Nm tls_unload_file ,
26.Nm tls_config_set_ca_file ,
27.Nm tls_config_set_ca_path ,
28.Nm tls_config_set_ca_mem ,
29.Nm tls_config_set_cert_file ,
30.Nm tls_config_set_cert_mem ,
31.Nm tls_config_set_crl_file ,
32.Nm tls_config_set_crl_mem ,
33.Nm tls_config_set_key_file ,
34.Nm tls_config_set_key_mem ,
35.Nm tls_config_set_ocsp_staple_mem ,
36.Nm tls_config_set_ocsp_staple_file ,
37.Nm tls_config_set_keypair_file ,
38.Nm tls_config_set_keypair_mem ,
39.Nm tls_config_set_keypair_ocsp_file ,
40.Nm tls_config_set_keypair_ocsp_mem ,
41.Nm tls_config_add_keypair_file ,
42.Nm tls_config_add_keypair_ocsp_mem ,
43.Nm tls_config_add_keypair_ocsp_file ,
44.Nm tls_config_add_keypair_mem ,
45.Nm tls_config_clear_keys ,
46.Nm tls_config_set_verify_depth ,
47.Nm tls_config_verify_client ,
48.Nm tls_config_verify_client_optional ,
49.Nm tls_default_ca_cert_file
50.Nd TLS certificate and key configuration
51.Sh SYNOPSIS
52.In tls.h
53.Ft uint8_t *
54.Fo tls_load_file
55.Fa "const char *file"
56.Fa "size_t *len"
57.Fa "char *password"
58.Fc
59.Ft void
60.Fo tls_unload_file
61.Fa "uint8_t *buf"
62.Fa "size_t len"
63.Fc
64.Ft int
65.Fo tls_config_set_ca_file
66.Fa "struct tls_config *config"
67.Fa "const char *ca_file"
68.Fc
69.Ft int
70.Fo tls_config_set_ca_path
71.Fa "struct tls_config *config"
72.Fa "const char *ca_path"
73.Fc
74.Ft int
75.Fo tls_config_set_ca_mem
76.Fa "struct tls_config *config"
77.Fa "const uint8_t *cert"
78.Fa "size_t len"
79.Fc
80.Ft int
81.Fo tls_config_set_cert_file
82.Fa "struct tls_config *config"
83.Fa "const char *cert_file"
84.Fc
85.Ft int
86.Fo tls_config_set_cert_mem
87.Fa "struct tls_config *config"
88.Fa "const uint8_t *cert"
89.Fa "size_t len"
90.Fc
91.Ft int
92.Fo tls_config_set_crl_file
93.Fa "struct tls_config *config"
94.Fa "const char *crl_file"
95.Fc
96.Ft int
97.Fo tls_config_set_crl_mem
98.Fa "struct tls_config *config"
99.Fa "const uint8_t *crl"
100.Fa "size_t len"
101.Fc
102.Ft int
103.Fo tls_config_set_key_file
104.Fa "struct tls_config *config"
105.Fa "const char *key_file"
106.Fc
107.Ft int
108.Fo tls_config_set_key_mem
109.Fa "struct tls_config *config"
110.Fa "const uint8_t *key"
111.Fa "size_t len"
112.Fc
113.Ft int
114.Fo tls_config_set_ocsp_staple_mem
115.Fa "struct tls_config *config"
116.Fa "const uint8_t *staple"
117.Fa "size_t len"
118.Fc
119.Ft int
120.Fo tls_config_set_ocsp_staple_file
121.Fa "struct tls_config *config"
122.Fa "const char *staple_file"
123.Fc
124.Ft int
125.Fo tls_config_set_keypair_file
126.Fa "struct tls_config *config"
127.Fa "const char *cert_file"
128.Fa "const char *key_file"
129.Fc
130.Ft int
131.Fo tls_config_set_keypair_mem
132.Fa "struct tls_config *config"
133.Fa "const uint8_t *cert"
134.Fa "size_t cert_len"
135.Fa "const uint8_t *key"
136.Fa "size_t key_len"
137.Fc
138.Ft int
139.Fo tls_config_set_keypair_ocsp_file
140.Fa "struct tls_config *config"
141.Fa "const char *cert_file"
142.Fa "const char *key_file"
143.Fa "const char *staple_file"
144.Fc
145.Ft int
146.Fo tls_config_set_keypair_ocsp_mem
147.Fa "struct tls_config *config"
148.Fa "const uint8_t *cert"
149.Fa "size_t cert_len"
150.Fa "const uint8_t *key"
151.Fa "size_t key_len"
152.Fa "const uint8_t *staple"
153.Fa "size_t staple_len"
154.Fc
155.Ft int
156.Fo tls_config_add_keypair_file
157.Fa "struct tls_config *config"
158.Fa "const char *cert_file"
159.Fa "const char *key_file"
160.Fc
161.Ft int
162.Fo tls_config_add_keypair_mem
163.Fa "struct tls_config *config"
164.Fa "const uint8_t *cert"
165.Fa "size_t cert_len"
166.Fa "const uint8_t *key"
167.Fa "size_t key_len"
168.Fc
169.Ft int
170.Fo tls_config_add_keypair_ocsp_file
171.Fa "struct tls_config *config"
172.Fa "const char *cert_file"
173.Fa "const char *key_file"
174.Fa "const char *staple_file"
175.Fc
176.Ft int
177.Fo tls_config_add_keypair_ocsp_mem
178.Fa "struct tls_config *config"
179.Fa "const uint8_t *cert"
180.Fa "size_t cert_len"
181.Fa "const uint8_t *key"
182.Fa "size_t key_len"
183.Fa "const uint8_t *staple"
184.Fa "size_t staple_len"
185.Fc
186.Ft void
187.Fn tls_config_clear_keys "struct tls_config *config"
188.Ft int
189.Fo tls_config_set_verify_depth
190.Fa "struct tls_config *config"
191.Fa "int verify_depth"
192.Fc
193.Ft void
194.Fn tls_config_verify_client "struct tls_config *config"
195.Ft void
196.Fn tls_config_verify_client_optional "struct tls_config *config"
197.Ft const char *
198.Fn tls_default_ca_cert_file "void"
199.Sh DESCRIPTION
200.Fn tls_load_file
201loads a certificate or key from disk into memory to be used with
202.Fn tls_config_set_ca_mem ,
203.Fn tls_config_set_cert_mem ,
204.Fn tls_config_set_crl_mem
205or
206.Fn tls_config_set_key_mem .
207A private key will be decrypted if the optional
208.Ar password
209argument is specified.
210.Pp
211.Fn tls_unload_file
212unloads the memory that was returned from an earlier
213.Fn tls_load_file
214call, ensuring that the memory contents are discarded.
215.Pp
216.Fn tls_default_ca_cert_file
217returns the path of the file that contains the default root certificates.
218.Pp
219.Fn tls_config_set_ca_file
220loads a file containing the root certificates.
221.Pp
222.Fn tls_config_set_ca_path
223sets the path (directory) that should be searched for root
224certificates.
225.Pp
226.Fn tls_config_set_ca_mem
227sets the root certificates directly from memory.
228.Pp
229.Fn tls_config_set_cert_file
230loads a file containing the public certificate.
231.Pp
232.Fn tls_config_set_cert_mem
233sets the public certificate directly from memory.
234.Pp
235.Fn tls_config_set_crl_file
236loads a file containing the Certificate Revocation List (CRL).
237.Pp
238.Fn tls_config_set_crl_mem
239sets the CRL directly from memory.
240.Pp
241.Fn tls_config_set_key_file
242loads a file containing the private key.
243.Pp
244.Fn tls_config_set_key_mem
245directly sets the private key from memory.
246.Pp
247.Fn tls_config_set_ocsp_staple_file
248loads a file containing a DER-encoded OCSP response to be stapled
249during the TLS handshake.
250.Pp
251.Fn tls_config_set_ocsp_staple_mem
252sets, from memory, a DER-encoded OCSP response to be stapled during the TLS
253handshake.
254.Pp
255.Fn tls_config_set_keypair_file
256loads two files from which the public certificate and private key will be read.
257.Pp
258.Fn tls_config_set_keypair_mem
259directly sets the public certificate and private key from memory.
260.Pp
261.Fn tls_config_set_keypair_ocsp_file
262loads three files containing the public certificate, private key,
263and DER-encoded OCSP staple.
264.Pp
265.Fn tls_config_set_keypair_ocsp_mem
266directly sets the public certificate, private key, and DER-encoded OCSP staple
267from memory.
268.Pp
269.Fn tls_config_add_keypair_file
270adds an additional public certificate and private key from the specified files,
271used as an alternative certificate for Server Name Indication (server only).
272.Pp
273.Fn tls_config_add_keypair_mem
274adds an additional public certificate and private key from memory, used as an
275alternative certificate for Server Name Indication (server only).
276.Pp
277.Fn tls_config_add_keypair_ocsp_file
278adds an additional public certificate, private key, and DER-encoded OCSP staple
279from the specified files, used as an alternative certificate for Server Name
280Indication (server only).
281.Pp
282.Fn tls_config_add_keypair_ocsp_mem
283adds an additional public certificate, private key, and DER-encoded OCSP staple
284from memory, used as an alternative certificate for Server Name Indication
285(server only).
286.Pp
287.Fn tls_config_clear_keys
288clears any secret keys from memory.
289.Pp
290.Fn tls_config_set_verify_depth
291limits the number of intermediate certificates that will be followed during
292certificate validation.
293.Pp
294.Fn tls_config_verify_client
295enables client certificate verification, requiring the client to send
296a certificate (server only).
297.Pp
298.Fn tls_config_verify_client_optional
299enables client certificate verification, without requiring the client
300to send a certificate (server only).
301.Sh RETURN VALUES
302.Fn tls_load_file
303returns
304.Dv NULL
305on error or on an out-of-memory condition.
306.Pp
307The other functions that return an int return 0 on success or -1 on error.
308.Sh SEE ALSO
309.Xr tls_config_ocsp_require_stapling 3 ,
310.Xr tls_config_set_protocols 3 ,
311.Xr tls_config_set_session_id 3 ,
312.Xr tls_configure 3 ,
313.Xr tls_init 3
314.Sh HISTORY
315.Fn tls_config_set_ca_file ,
316.Fn tls_config_set_ca_path ,
317.Fn tls_config_set_cert_file ,
318.Fn tls_config_set_cert_mem ,
319.Fn tls_config_set_key_file ,
320.Fn tls_config_set_key_mem ,
321and
322.Fn tls_config_set_verify_depth
323appeared in
324.Ox 5.6
325and got their final names in
326.Ox 5.7 .
327.Pp
328.Fn tls_load_file ,
329.Fn tls_config_set_ca_mem ,
330and
331.Fn tls_config_clear_keys
332appeared in
333.Ox 5.7 .
334.Pp
335.Fn tls_config_verify_client
336and
337.Fn tls_config_verify_client_optional
338appeared in
339.Ox 5.9 .
340.Pp
341.Fn tls_config_set_keypair_file
342and
343.Fn tls_config_set_keypair_mem
344appeared in
345.Ox 6.0 ,
346and
347.Fn tls_config_add_keypair_file
348and
349.Fn tls_config_add_keypair_mem
350in
351.Ox 6.1 .
352.Pp
353.Fn tls_config_set_crl_file
354and
355.Fn tls_config_set_crl_mem
356appeared in
357.Ox 6.2 .
358.Sh AUTHORS
359.An Joel Sing Aq Mt jsing@openbsd.org
360with contributions from
361.An Ted Unangst Aq Mt tedu@openbsd.org
362and
363.An Bob Beck Aq Mt beck@openbsd.org .
364.Pp
365.Fn tls_load_file
366and
367.Fn tls_config_set_ca_mem
368were written by
369.An Reyk Floeter Aq Mt reyk@openbsd.org .
370