{CMS,PKCS7}_verify.pod: add hint how to override the default 'smime_s…

…ign' purpose
siemens · Oct 5, 2023 · 5190d10 · 5190d10
1 parent 38f4c9e
commit 5190d10
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/doc/man3/CMS_verify.pod b/doc/man3/CMS_verify.pod
@@ -63,8 +63,9 @@ the I<certs> parameter (if it is not NULL). Then they are looked up in any
 certificates contained in the I<cms> structure unless B<CMS_NOINTERN> is set.
 If any signing certificate cannot be located the operation fails.
 
-Each signing certificate is chain verified using the I<smimesign> purpose and
-using the trusted certificate store I<store> if supplied.
+Each signing certificate is chain verified using by default the I<smime_sign>
+purpose and using the trusted certificate store I<store> if supplied.
+The default purpose may be overridden using L<X509_STORE_set_purpose(3)>.
 Any internal certificates in the message, which may have been added using
 L<CMS_add1_cert(3)>, are used as untrusted CAs.
 If CRL checking is enabled in I<store> and B<CMS_NOCRL> is not set,
@@ -151,7 +152,7 @@ be held in memory if it is not detached.
 =head1 SEE ALSO
 
 L<PKCS7_verify(3)>, L<CMS_add1_cert(3)>, L<CMS_add1_crl(3)>,
-L<OSSL_ESS_check_signing_certs(3)>,
+L<OSSL_ESS_check_signing_certs(3)>, L<X509_STORE_set_purpose(3)>,
 L<ERR_get_error(3)>, L<CMS_sign(3)>
 
 =head1 HISTORY

diff --git a/doc/man3/PKCS7_verify.pod b/doc/man3/PKCS7_verify.pod
@@ -50,8 +50,9 @@ the I<certs> parameter (if it is not NULL). Then they are looked up in any
 certificates contained in the I<p7> structure unless B<PKCS7_NOINTERN> is set.
 If any signer's certificates cannot be located the operation fails.
 
-Each signer's certificate is chain verified using the B<smimesign> purpose and
-using the trusted certificate store I<store> if supplied.
+Each signer certificate is chain verified using by default the C<smime_sign>
+purpose and using the trusted certificate store I<store> if supplied.
+The default purpose may be overridden using L<X509_STORE_set_purpose(3)>.
 Any internal certificates in the message, which may have been added using
 L<PKCS7_add_certificate(3)>, are used as untrusted CAs unless B<PKCS7_NOCHAIN>
 is set.
@@ -126,6 +127,7 @@ be held in memory if it is not detached.
 =head1 SEE ALSO
 
 L<CMS_verify(3)>, L<PKCS7_add_certificate(3)>, L<PKCS7_add_crl(3)>,
+L<X509_STORE_set_purpose(3)>,
 L<ERR_get_error(3)>, L<PKCS7_sign(3)>
 
 =head1 COPYRIGHT