Diffstat (limited to 'deps/openssl/openssl/doc/crypto/PKCS7_verify.pod')
-rw-r--r-- | deps/openssl/openssl/doc/crypto/PKCS7_verify.pod | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/deps/openssl/openssl/doc/crypto/PKCS7_verify.pod b/deps/openssl/openssl/doc/crypto/PKCS7_verify.pod index f083306b0d..c34808eced 100644 --- a/deps/openssl/openssl/doc/crypto/PKCS7_verify.pod +++ b/deps/openssl/openssl/doc/crypto/PKCS7_verify.pod @@ -16,7 +16,7 @@ PKCS7_verify, PKCS7_get0_signers - verify a PKCS#7 signedData structure PKCS7_verify() verifies a PKCS#7 signedData structure. B<p7> is the PKCS7 structure to verify. B<certs> is a set of certificates in which to search for -the signer's certificate. B<store> is a trusted certficate store (used for +the signer's certificate. B<store> is a trusted certificate store (used for chain verification). B<indata> is the signed data if the content is not present in B<p7> (that is it is detached). The content is written to B<out> if it is not NULL. @@ -34,7 +34,12 @@ Normally the verify process proceeds as follows. Initially some sanity checks are performed on B<p7>. The type of B<p7> must be signedData. There must be at least one signature on the data and if -the content is detached B<indata> cannot be B<NULL>. +the content is detached B<indata> cannot be B<NULL>. If the content is +not detached and B<indata> is not B<NULL>, then the structure has both +embedded and external content. To treat this as an error, use the flag +B<PKCS7_NO_DUAL_CONTENT>. +The default behavior allows this, for compatibility with older +versions of OpenSSL. An attempt is made to locate all the signer's certificates, first looking in the B<certs> parameter (if it is not B<NULL>) and then looking in any certificates 
@@ -54,7 +59,7 @@ Any of the following flags (ored together) can be passed in the B<flags> paramet to change the default verify behaviour. Only the flag B<PKCS7_NOINTERN> is meaningful to PKCS7_get0_signers(). -If B<PKCS7_NOINTERN> is set the certificates in the message itself are not +If B<PKCS7_NOINTERN> is set the certificates in the message itself are not searched when locating the signer's certificate. This means that all the signers certificates must be in the B<certs> parameter. @@ -79,7 +84,7 @@ certificates supplied in B<certs> then the verify will fail because the signer cannot be found. Care should be taken when modifying the default verify behaviour, for example -setting B<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification +setting B<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification and any signed message will be considered valid. This combination is however useful if one merely wishes to write the content to B<out> and its validity is not considered important. @@ -96,7 +101,7 @@ if an error occurs. PKCS7_get0_signers() returns all signers or B<NULL> if an error occurred. -The error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)> +The error can be obtained from L<ERR_get_error(3)> =head1 BUGS @@ -109,10 +114,15 @@ mentioned in PKCS7_sign() also applies to PKCS7_verify(). =head1 SEE ALSO -L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)> +L<ERR_get_error(3)>, L<PKCS7_sign(3)> -=head1 HISTORY +=head1 COPYRIGHT -PKCS7_verify() was added to OpenSSL 0.9.5 +Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. =cut |
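Review bot: In the @@ -34,7 +34,12 @@ hunk, the added sentences say the default accepts a structure that has both embedded content and a non-NULL B<indata>, but they never say which of the two is actually verified and written to B<out> in that case. A caller relying on the default cannot tell from this paragraph what data the signature check covered, so the text should state that explicitly. B<PKCS7_NO_DUAL_CONTENT> is also introduced only in this sanity-check paragraph; none of the visible hunks adds it to the flags section that begins "Any of the following flags (ored together)", which is where a reader looks for it, so an entry there would help.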
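Review bot: The final hunk (@@ -109,10 +114,15 @@) drops the HISTORY section while the same patch documents a new flag, B<PKCS7_NO_DUAL_CONTENT>, without recording which release first supports it. The added text justifies the default as being "for compatibility with older versions of OpenSSL", so callers need to know where that boundary lies. Consider keeping =head1 HISTORY ahead of the new COPYRIGHT section and adding a line for the flag alongside the existing "PKCS7_verify() was added to OpenSSL 0.9.5" entry.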