Diffstat (limited to 'doc/man3/X509_STORE_add_cert.pod')
-rw-r--r-- | doc/man3/X509_STORE_add_cert.pod | 87 |
1 files changed, 71 insertions, 16 deletions
diff --git a/doc/man3/X509_STORE_add_cert.pod b/doc/man3/X509_STORE_add_cert.pod
index d840bd6d69bf..dc76704207eb 100644
--- a/doc/man3/X509_STORE_add_cert.pod
+++ b/doc/man3/X509_STORE_add_cert.pod
@@ -6,8 +6,10 @@ X509_STORE, X509_STORE_add_cert, X509_STORE_add_crl, X509_STORE_set_depth,
 X509_STORE_set_flags, X509_STORE_set_purpose, X509_STORE_set_trust,
 X509_STORE_add_lookup,
-X509_STORE_load_locations,
-X509_STORE_set_default_paths
+X509_STORE_load_file_ex, X509_STORE_load_file, X509_STORE_load_path,
+X509_STORE_load_store_ex, X509_STORE_load_store,
+X509_STORE_set_default_paths_ex, X509_STORE_set_default_paths,
+X509_STORE_load_locations_ex, X509_STORE_load_locations
 - X509_STORE manipulation
 
 =head1 SYNOPSIS
 
@@ -26,9 +28,21 @@ X509_STORE_set_default_paths
  X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *store,
  X509_LOOKUP_METHOD *meth);
 
+ int X509_STORE_set_default_paths_ex(X509_STORE *ctx, OSSL_LIB_CTX *libctx,
+ const char *propq);
+ int X509_STORE_set_default_paths(X509_STORE *ctx);
+ int X509_STORE_load_file_ex(X509_STORE *ctx, const char *file,
+ OSSL_LIB_CTX *libctx, const char *propq);
+ int X509_STORE_load_file(X509_STORE *ctx, const char *file);
+ int X509_STORE_load_path(X509_STORE *ctx, const char *dir);
+ int X509_STORE_load_store_ex(X509_STORE *ctx, const char *uri,
+ OSSL_LIB_CTX *libctx, const char *propq);
+ int X509_STORE_load_store(X509_STORE *ctx, const char *uri);
+ int X509_STORE_load_locations_ex(X509_STORE *ctx, const char *file,
+ const char *dir, OSSL_LIB_CTX *libctx,
+ const char *propq);
  int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
  const char *dir);
- int X509_STORE_set_default_paths(X509_STORE *ctx);
 
 =head1 DESCRIPTION
 
@@ -39,6 +53,10 @@ It admits multiple lookup mechanisms and efficient scaling performance
 with large numbers of certificates, and a great deal of flexibility in
 how validation and policy checks are performed.
 
+Details of the chain building and checking process are described in
+L<openssl-verification-options(1)/Certification Path Building> and
+L<openssl-verification-options(1)/Certification Path Validation>.
+
 L<X509_STORE_new(3)> creates an empty B<X509_STORE> structure, which
 contains no information about trusted certificates or where such
 certificates are located on disk, and is generally not usable. Normally, trusted
@@ -77,23 +95,54 @@ L<X509_LOOKUP_METHOD(3)> I<meth> and adds it to the B<X509_STORE> I<store>.
 This also associates the B<X509_STORE> with the lookup, so B<X509_LOOKUP>
 functions can look up objects in that store.
 
-X509_STORE_load_locations() loads trusted certificate(s) into an
-B<X509_STORE> from a given file and/or directory path. It is permitted
-to specify just a file, just a directory, or both paths. The certificates
-in the directory must be in hashed form, as documented in
-L<X509_LOOKUP_hash_dir(3)>.
+X509_STORE_load_file_ex() loads trusted certificate(s) into an
+B<X509_STORE> from a given file. The library context I<libctx> and property
+query I<propq> are used when fetching algorithms from providers.
 
-X509_STORE_set_default_paths() is somewhat misnamed, in that it does not
-set what default paths should be used for loading certificates. Instead,
-it loads certificates into the B<X509_STORE> from the hardcoded default
+X509_STORE_load_file() is similar to X509_STORE_load_file_ex() but
+uses NULL for the library context I<libctx> and property query I<propq>.
+
+X509_STORE_load_path() loads trusted certificate(s) into an
+B<X509_STORE> from a given directory path.
+The certificates in the directory must be in hashed form, as
+documented in L<X509_LOOKUP_hash_dir(3)>.
+
+X509_STORE_load_store_ex() loads trusted certificate(s) into an
+B<X509_STORE> from a store at a given URI. The library context I<libctx> and
+property query I<propq> are used when fetching algorithms from providers.
+
+X509_STORE_load_store() is similar to X509_STORE_load_store_ex() but
+uses NULL for the library context I<libctx> and property query I<propq>.
+
+X509_STORE_load_locations_ex() combines
+X509_STORE_load_file_ex() and X509_STORE_load_path() for a given file
+and/or directory path.
+It is permitted to specify just a file, just a directory, or both paths.
+X509_STORE_load_locations() is similar to X509_STORE_load_locations_ex()
+but uses NULL for the library context I<libctx> and property query I<propq>.
+
+X509_STORE_set_default_paths_ex() is somewhat misnamed, in that it does
+not set what default paths should be used for loading certificates. Instead,
+it loads certificates into the B<X509_STORE> from the hardcoded default
+paths. The library context I<libctx> and property query I<propq> are used when
+fetching algorithms from providers.
+
+X509_STORE_set_default_paths() is similar to
+X509_STORE_set_default_paths_ex() but uses NULL for the library
+context I<libctx> and property query I<propq>.
+
 =head1 RETURN VALUES
 
 X509_STORE_add_cert(), X509_STORE_add_crl(), X509_STORE_set_depth(),
-X509_STORE_set_flags(), X509_STORE_set_purpose(),
-X509_STORE_set_trust(), X509_STORE_load_locations(), and
-X509_STORE_set_default_paths() return 1 on success or 0 on failure.
+X509_STORE_set_flags(), X509_STORE_set_purpose(), X509_STORE_set_trust(),
+X509_STORE_load_file_ex(), X509_STORE_load_file(),
+X509_STORE_load_path(),
+X509_STORE_load_store_ex(), X509_STORE_load_store(),
+X509_STORE_load_locations_ex(), X509_STORE_load_locations(),
+X509_STORE_set_default_paths_ex() and X509_STORE_set_default_paths()
+return 1 on success or 0 on failure.
 
 X509_STORE_add_lookup() returns the found or created L<X509_LOOKUP(3)>, or NULL on error.
@@ -105,11 +154,17 @@ L<X509_VERIFY_PARAM_set_depth(3)>.
 L<X509_STORE_new(3)>,
 L<X509_STORE_get0_param(3)>
 
+=head1 HISTORY
+
+The functions X509_STORE_set_default_paths_ex(),
+X509_STORE_load_file_ex(), X509_STORE_load_store_ex() and
+X509_STORE_load_locations_ex() were added in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
 
-Licensed under the OpenSSL license (the "License"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
 in the file LICENSE in the source distribution or at
 L<https://www.openssl.org/source/license.html>.
|