From 970a464089066970886f0bce6d1c9dcfbcb2e8ea Mon Sep 17 00:00:00 2001 From: Jung-uk Kim Date: Tue, 8 Dec 2020 18:10:16 +0000 Subject: Import OpenSSL 1.1.1i. --- doc/man1/verify.pod | 12 ++++++++---- doc/man3/BN_set_bit.pod | 2 +- doc/man3/X509_STORE_set_verify_cb_func.pod | 4 +--- 3 files changed, 10 insertions(+), 8 deletions(-) (limited to 'doc') diff --git a/doc/man1/verify.pod b/doc/man1/verify.pod index 71288be40d4c..da2b7024821d 100644 --- a/doc/man1/verify.pod +++ b/doc/man1/verify.pod @@ -382,10 +382,14 @@ should be trusted for the supplied purpose. For compatibility with previous versions of OpenSSL, a certificate with no trust settings is considered to be valid for all purposes. -The final operation is to check the validity of the certificate chain. The validity -period is checked against the current system time and the notBefore and notAfter -dates in the certificate. The certificate signatures are also checked at this -point. +The final operation is to check the validity of the certificate chain. +For each element in the chain, including the root CA certificate, +the validity period as specified by the C and C fields +is checked against the current system time. +The B<-attime> flag may be used to use a reference time other than "now." +The certificate signature is checked as well +(except for the signature of the typically self-signed root CA certificate, +which is verified only if the B<-check_ss_sig> option is given). If all operations complete successfully then certificate is considered valid. If any operation fails then the certificate is not valid. diff --git a/doc/man3/BN_set_bit.pod b/doc/man3/BN_set_bit.pod index 67c2bac24102..6e0a11a24b89 100644 --- a/doc/man3/BN_set_bit.pod +++ b/doc/man3/BN_set_bit.pod 
@@ -33,7 +33,7 @@ error occurs if B is shorter than B bits. BN_is_bit_set() tests if bit B in B is set. BN_mask_bits() truncates B to an B bit number -(CEn)>). An error occurs if B already is +(CEn)>). An error occurs if B already is shorter than B bits. BN_lshift() shifts B left by B bits and places the result in diff --git a/doc/man3/X509_STORE_set_verify_cb_func.pod b/doc/man3/X509_STORE_set_verify_cb_func.pod index 526790938acd..6d7098250d18 100644 --- a/doc/man3/X509_STORE_set_verify_cb_func.pod +++ b/doc/man3/X509_STORE_set_verify_cb_func.pod @@ -137,9 +137,7 @@ I X509_STORE_set_check_issued() sets the function to check that a given -certificate B is issued by the issuer certificate B and -the issuer is not yet in the chain contained in , where the exceptional -case that B is self-issued and ctx->chain has just one element is allowed. +certificate B is issued by the issuer certificate B. This function must return 0 on failure (among others if B hasn't been issued with B) and 1 on success. I
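Review bot: In the doc/man1/verify.pod hunk, the exception for the root CA signature is tucked into a parenthetical at the end of the new paragraph, where it is easy to miss. Because it means the signature of a self-signed root is verified only when -check_ss_sig is given, it deserves a sentence of its own. The added line "The B<-attime> flag may be used to use a reference time other than "now."" would read better as "may be used to specify a reference time other than the current system time". The unchanged context line "then certificate is considered valid" is missing "the".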
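Review bot: In the doc/man3/BN_set_bit.pod hunk, the removed and added BN_mask_bits() lines read identically as shown, so whatever was corrected does not show in the text. A short mention of what changed on that line would help anyone reviewing the import. While the line is being touched, "An error occurs if B already is shorter than B bits" reads more naturally as "is already shorter than".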
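Review bot: In the doc/man3/X509_STORE_set_verify_cb_func.pod hunk, the shortened X509_STORE_set_check_issued() description drops the condition that the issuer is not yet in the chain, along with the self-issued exception, without saying where that check now lives. Someone supplying a custom check_issued function needs to know whether their callback must still reject an issuer that is already in the chain or whether the caller handles it, so one sentence stating which side is responsible should be added. In the unchanged context line, "hasn't been issued with B" should read "issued by".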