Diffstat (limited to 'secure/lib/libcrypto/man/man3/PKCS7_verify.3')
| -rw-r--r-- | secure/lib/libcrypto/man/man3/PKCS7_verify.3 | 29 |
1 files changed, 16 insertions, 13 deletions
diff --git a/secure/lib/libcrypto/man/man3/PKCS7_verify.3 b/secure/lib/libcrypto/man/man3/PKCS7_verify.3 index 2da0b2ff911e..15e1dd1c0570 100644 --- a/secure/lib/libcrypto/man/man3/PKCS7_verify.3 +++ b/secure/lib/libcrypto/man/man3/PKCS7_verify.3 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "PKCS7_VERIFY 3ossl" -.TH PKCS7_VERIFY 3ossl 2025-09-30 3.5.4 OpenSSL +.TH PKCS7_VERIFY 3ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -77,7 +80,7 @@ PKCS7_verify, PKCS7_get0_signers \- verify a PKCS#7 signedData structure \&\fBPKCS7_verify()\fR is very similar to \fBCMS_verify\fR\|(3). It verifies a PKCS#7 signedData structure given in \fIp7\fR. The optional \fIcerts\fR parameter refers to a set of certificates -in which to search for signer's certificates. +in which to search for signer\*(Aqs certificates. It is also used as a source of untrusted intermediate CA certificates for chain building. \&\fIp7\fR may contain extra untrusted CA certificates that may be used for 
@@ -89,7 +92,7 @@ Otherwise \fIindata\fR should be NULL, and then the signed data must be in \fIp7 The content is written to the BIO \fIout\fR unless it is NULL. \&\fIflags\fR is an optional set of flags, which can be used to modify the operation. .PP -\&\fBPKCS7_get0_signers()\fR retrieves the signer's certificates from \fIp7\fR, it does +\&\fBPKCS7_get0_signers()\fR retrieves the signer\*(Aqs certificates from \fIp7\fR, it does \&\fBnot\fR check their validity or whether any signatures are valid. The \fIcerts\fR and \fIflags\fR parameters have the same meanings as in \fBPKCS7_verify()\fR. .SH "VERIFY PROCESS" @@ -105,12 +108,12 @@ embedded and external content. To treat this as an error, use the flag The default behavior allows this, for compatibility with older versions of OpenSSL. .PP -An attempt is made to locate all the signer's certificates, first looking in +An attempt is made to locate all the signer\*(Aqs certificates, first looking in the \fIcerts\fR parameter (if it is not NULL). Then they are looked up in any certificates contained in the \fIp7\fR structure unless \fBPKCS7_NOINTERN\fR is set. -If any signer's certificates cannot be located the operation fails. +If any signer\*(Aqs certificates cannot be located the operation fails. .PP -Each signer's certificate is chain verified using the \fBsmimesign\fR purpose and +Each signer\*(Aqs certificate is chain verified using the \fBsmimesign\fR purpose and using the trusted certificate store \fIstore\fR if supplied. Any internal certificates in the message, which may have been added using \&\fBPKCS7_add_certificate\fR\|(3), are used as untrusted CAs unless \fBPKCS7_NOCHAIN\fR 
@@ -130,8 +133,8 @@ parameter to change the default verify behaviour. Only the flag \fBPKCS7_NOINTERN\fR is meaningful to \fBPKCS7_get0_signers()\fR. .PP If \fBPKCS7_NOINTERN\fR is set the certificates in the message itself are not -searched when locating the signer's certificates. -This means that all the signer's certificates must be in the \fIcerts\fR parameter. +searched when locating the signer\*(Aqs certificates. +This means that all the signer\*(Aqs certificates must be in the \fIcerts\fR parameter. .PP If \fBPKCS7_NOCRL\fR is set and CRL checking is enabled in \fIstore\fR then any CRLs in the message itself are ignored. @@ -140,18 +143,18 @@ If the \fBPKCS7_TEXT\fR flag is set MIME headers for type \f(CW\*(C`text/plain\* from the content. If the content is not of type \f(CW\*(C`text/plain\*(C'\fR then an error is returned. .PP -If \fBPKCS7_NOVERIFY\fR is set the signer's certificates are not chain verified. +If \fBPKCS7_NOVERIFY\fR is set the signer\*(Aqs certificates are not chain verified. .PP If \fBPKCS7_NOCHAIN\fR is set then the certificates contained in the message are not used as untrusted CAs. This means that the whole verify chain (apart from -the signer's certificates) must be contained in the trusted store. +the signer\*(Aqs certificates) must be contained in the trusted store. .PP If \fBPKCS7_NOSIGS\fR is set then the signatures on the data are not checked. .SH NOTES .IX Header "NOTES" One application of \fBPKCS7_NOINTERN\fR is to only accept messages signed by a small number of certificates. The acceptable certificates would be passed -in the \fIcerts\fR parameter. In this case if the signer's certificate is not one +in the \fIcerts\fR parameter. In this case if the signer\*(Aqs certificate is not one of the certificates supplied in \fIcerts\fR then the verify will fail because the signer cannot be found. .PP 
@@ -174,7 +177,7 @@ timestamp). The error can be obtained from \fBERR_get_error\fR\|(3). .SH BUGS .IX Header "BUGS" -The trusted certificate store is not searched for the signer's certificates. +The trusted certificate store is not searched for the signer\*(Aqs certificates. This is primarily due to the inadequacies of the current \fBX509_STORE\fR functionality. .PP |
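Review bot: Every changed text line, from the hunk at @@ -77,7 +80,7 @@ through the BUGS hunk at @@ -174,7 +177,7 @@, now depends on the roff string Aq ("signer\*(Aqs"), but no visible hunk shows a ".ds Aq" definition, and the preamble hunk adds only ".if n .ds AD l". Confirm that the unchanged part of the preamble still defines Aq for both nroff and troff output. An undefined string interpolates as empty, so the page would read "signers certificates" throughout.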
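Review bot: The preamble hunk at @@ -52,10 +52,13 @@ adds ".if n .ds AD l" under a comment that ties it to groff 1.23.0, while the existing ".if n .ad l" a few lines further down is kept, so the page now carries two nroff-only justification settings. Since the header line says the file is generated by Pod::Man v6.0.2 and the .TH line only moves the date and version to 2026-04-07 and 3.5.6, leave this exactly as the generator emits it. It is worth rendering the page once with the base system's man(1) to check that left-aligned output is unchanged.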
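Review bot: In the hunk at @@ -89,7 +92,7 @@, the regenerated PKCS7_get0_signers() sentence keeps the comma splice "from \fIp7\fR, it does \fBnot\fR check their validity", which blurs the one statement a caller must not miss: this function returns signer certificates without validating them or any signature. Because the file is generated, the wording fix (a full stop or semicolon before "it does not") belongs in the upstream POD source and not in this .3 file, where it would be lost at the next regeneration.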
