Diffstat (limited to 'deps/openssl/openssl/doc/crypto/PKCS7_verify.pod')
-rw-r--r-- deps/openssl/openssl/doc/crypto/PKCS7_verify.pod 26
1 files changed, 18 insertions, 8 deletions
diff --git a/deps/openssl/openssl/doc/crypto/PKCS7_verify.pod b/deps/openssl/openssl/doc/crypto/PKCS7_verify.pod
index f083306b0d..c34808eced 100644
--- a/deps/openssl/openssl/doc/crypto/PKCS7_verify.pod
+++ b/deps/openssl/openssl/doc/crypto/PKCS7_verify.pod
@@ -16,7 +16,7 @@ PKCS7_verify, PKCS7_get0_signers - verify a PKCS#7 signedData structure
PKCS7_verify() verifies a PKCS#7 signedData structure. B<p7> is the PKCS7
structure to verify. B<certs> is a set of certificates in which to search for
-the signer's certificate. B<store> is a trusted certficate store (used for
+the signer's certificate. B<store> is a trusted certificate store (used for
chain verification). B<indata> is the signed data if the content is not
present in B<p7> (that is it is detached). The content is written to B<out>
if it is not NULL.
@@ -34,7 +34,12 @@ Normally the verify process proceeds as follows.
Initially some sanity checks are performed on B<p7>. The type of B<p7> must
be signedData. There must be at least one signature on the data and if
-the content is detached B<indata> cannot be B<NULL>.
+the content is detached B<indata> cannot be B<NULL>. If the content is
+not detached and B<indata> is not B<NULL>, then the structure has both
+embedded and external content. To treat this as an error, use the flag
+B<PKCS7_NO_DUAL_CONTENT>.
+The default behavior allows this, for compatibility with older
+versions of OpenSSL.
An attempt is made to locate all the signer's certificates, first looking in
the B<certs> parameter (if it is not B<NULL>) and then looking in any certificates
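Review bot: the added sentences after "B<indata> cannot be B<NULL>" say that embedded plus external content is accepted by default, but they do not say which of the two, the embedded content or B<indata>, is checked against the signature and written to B<out>. State that explicitly, because a caller cannot tell from this text what was actually verified. Also consider listing B<PKCS7_NO_DUAL_CONTENT> in the flags section ("Any of the following flags ..."), which the hunk at -54 leaves without an entry for it, so that readers scanning the flag list find it.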
@@ -54,7 +59,7 @@ Any of the following flags (ored together) can be passed in the B<flags> paramet
to change the default verify behaviour. Only the flag B<PKCS7_NOINTERN> is
meaningful to PKCS7_get0_signers().
-If B<PKCS7_NOINTERN> is set the certificates in the message itself are not
+If B<PKCS7_NOINTERN> is set the certificates in the message itself are not
searched when locating the signer's certificate. This means that all the signers
certificates must be in the B<certs> parameter.
@@ -79,7 +84,7 @@ certificates supplied in B<certs> then the verify will fail because the
signer cannot be found.
Care should be taken when modifying the default verify behaviour, for example
-setting B<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification
+setting B<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification
and any signed message will be considered valid. This combination is however
useful if one merely wishes to write the content to B<out> and its validity
is not considered important.
@@ -96,7 +101,7 @@ if an error occurs.
PKCS7_get0_signers() returns all signers or B<NULL> if an error occurred.
-The error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>
+The error can be obtained from L<ERR_get_error(3)>
=head1 BUGS
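Review bot: the rewritten line "The error can be obtained from L<ERR_get_error(3)>" still ends without a full stop. Add one while the line is being touched.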
@@ -109,10 +114,15 @@ mentioned in PKCS7_sign() also applies to PKCS7_verify().
=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>
+L<ERR_get_error(3)>, L<PKCS7_sign(3)>
-=head1 HISTORY
+=head1 COPYRIGHT
-PKCS7_verify() was added to OpenSSL 0.9.5
+Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
=cut
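Review bot: removing the =head1 HISTORY section drops the only version information on the page ("PKCS7_verify() was added to OpenSSL 0.9.5"), and the B<PKCS7_NO_DUAL_CONTENT> flag documented earlier in this patch gets no note on which release introduced it. Suggest keeping HISTORY alongside the new COPYRIGHT section and adding an entry for the flag, so callers can tell which versions honour it.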