.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.5 2023/09/30 19:07:38 tb Exp $ .\" .\" Copyright (c) 2023 Theo Buehler .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .Dd $Mdocdate: September 30 2023 $ .Dt X509V3_ADDR_VALIDATE_PATH 3 .Os .Sh NAME .Nm X509v3_addr_validate_path , .Nm X509v3_addr_validate_resource_set , .Nm X509v3_asid_validate_path , .Nm X509v3_asid_validate_resource_set .Nd RFC 3779 path validation for IP address and AS number delegation .Sh SYNOPSIS .In openssl/x509v3.h .Ft int .Fn X509v3_addr_validate_path "X509_STORE_CTX *ctx" .Ft int .Fo X509v3_addr_validate_resource_set .Fa "STACK_OF(X509) *chain" .Fa "IPAddrBlocks *addrblocks" .Fa "int allow_inherit" .Fc .Ft int .Fn X509v3_asid_validate_path "X509_STORE_CTX *ctx" .Ft int .Fo X509v3_asid_validate_resource_set .Fa "STACK_OF(X509) *chain" .Fa "ASIdentifiers *asid" .Fa "int allow_inherit" .Fc .Sh DESCRIPTION Both RFC 3779 extensions require additional checking in the certification path validation. .Bl -enum .It The initial set of allowed IP address and AS number resources is defined in the trust anchor, where inheritance is not allowed. .It An issuer may only delegate subsets of resources present in its RFC 3779 extensions or subsets of resources inherited from its issuer. .It If an RFC 3779 extension is present in a certificate, the same type of extension must also be present in its issuer. .It All RFC 3779 extensions appearing in the validation path must be in canonical form according to .Xr X509v3_addr_is_canonical 3 and .Xr X509v3_asid_is_canonical 3 . .El .Pp .Fn X509v3_addr_validate_path and .Fn X509v3_asid_validate_path are called from .Xr X509_verify_cert 3 as part of the verification chain building. On encountering an error or a violation of the above rules, .Fa error , .Fa error_depth , and .Fa current_cert are set on .Fa ctx and the verify callback is called with .Fa ok set to 0. .Dv X509_V_ERR_INVALID_EXTENSION indicates a non-canonical resource, .Dv X509_V_ERR_UNNESTED_RESOURCE indicates a violation of the other rules above. In rare circumstances, the error can be .Dv X509_V_ERR_UNSPECIFIED and for IP address resources .Dv X509_V_ERR_OUT_OF_MEM is also possible. .Pp .Fn X509v3_addr_validate_resource_set validates the resources in .Fa addrblocks against a specific certificate .Fa chain . After checking that .Fa addrblocks is canonical, its IP addresses are checked to be covered in the certificate at depth 0, then the chain is walked all the way to the trust anchor until an error or a violation of the above rules is encountered. .Fa addrblocks is allowed to use inheritance according to .Xr X509v3_addr_inherits 3 if and only if .Fa allow_inherit is non-zero. .Pp .Fn X509v3_asid_validate_resource_set performs similar checks as .Fn X509v3_addr_validate_resource_set for .Fa asid . .Sh RETURN VALUES All these functions return 1 on successful validation and 0 otherwise. .Pp For .Fn X509v3_addr_validate_path and .Fn X509v3_asid_validate_path a non-empty .Fa chain and a .Fa verify_cb must be present on .Fa ctx , otherwise they fail and set the .Fa error on .Fa ctx to .Dv X509_V_ERR_UNSPECIFIED . The .Fa verify_cb is called with the error codes described above on most errors encountered during validation. Some malformed extensions can lead to an error that cannot be intercepted by the callback. With the exception of an allocation error, no error codes are set on the error stack. .Pp .Fn X509v3_addr_validate_resource_set accepts a .Dv NULL .Fa addrblocks and .Fn X509v3_asid_validate_resource_set accepts a .Dv NULL .Fa asid as valid. They fail if .Fa chain is .Dv NULL or empty. If .Fa allow_inherit is 0, .Fa addrblocks or .Fa asid is checked for inheritance with .Xr X509v3_addr_inherits 3 or .Xr X509v3_asid_inherits 3 . The remaining failure cases are the same as for .Fn X509v3_addr_validate_path and .Fn X509v3_asid_validate_path . They cannot and do not attempt to communicate the cause of the error to the caller. .Sh SEE ALSO .Xr ASIdentifiers_new 3 , .Xr crypto 3 , .Xr IPAddressRange_new 3 , .Xr X509_new 3 , .Xr X509_STORE_CTX_get_error 3 , .Xr X509_verify_cert 3 , .Xr X509v3_addr_add_inherit 3 , .Xr X509v3_addr_inherits 3 , .Xr X509v3_asid_add_id_or_range 3 .Sh STANDARDS RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers: .Bl -dash -compact .It section 2.3: IP Address Delegation Extension Certification Path Validation .It section 3.3: Autonomous System Identifier Delegation Extension Certification Path Validation .El .Pp RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile .Bl -dash -compact .It section 6: Certification Path Validation .El .Sh HISTORY These functions first appeared in OpenSSL 0.9.8e and have been available since .Ox 7.1 .