This was a developer debugging feature and was never a useful public
interface.
Added all missing X509 error codes to the verify(1) manpage, but
many still need a description beyond the associated text string.
Sorted the errors in x509_txt.c by error number.
Reviewed-by: Stephen Henson <steve@openssl.org>
This includes basic constraints, key usages, issuer EKUs and auxiliary
trust OIDs (given a trust suitably related to the intended purpose).
Added tests and updated documentation.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
It is sometimes useful (especially in automated tests) to supply
multiple trusted or untrusted certificates via separate files rather
than have to prepare a single file containing them all.
To that end, change verify(1) to accept these options zero or more
times. Also automatically set -no-CAfile and -no-CApath when
-trusted is specified.
Improve verify(1) documentation, which could still use some work.
Reviewed-by: Richard Levitte <levitte@openssl.org>
If something was "present in all versions" of SSLeay, or if it was
added to a version of SSLeay (and therefore predates OpenSSL),
remove mention of it. Documentation history now starts with OpenSSL.
Remove mention of all history before OpenSSL 0.9.8, inclusive.
Remove all AUTHOR sections.
Reviewed-by: Tim Hudson <tjh@openssl.org>
L<foo|foo> is sub-optimal If the xref is the same as the title,
which is what we do, then you only need L<foo>. This fixes all
1457 occurrences in 349 files. Approximately. (And pod used to
need both.)
Reviewed-by: Richard Levitte <levitte@openssl.org>
The -show_chain flag to the verify command line app shows information about
the chain that has been built. This commit adds the text "untrusted" against
those certificates that have been used from the untrusted list.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The options related to policy used for verification, verification
of subject names in certificate and certificate chain handling
were missing in the verify(1) man page. This fixes this issue.
the verify app man page didn't describe the usage of attime option
even though it was listed as a valid option in the -help message.
This patch fixes this omission.
Ignore self issued certificates when checking path length constraints.
Duplicate OIDs in policy tree in case they are allocated.
Use anyPolicy from certificate cache and not current tree level.
