X509_dup.pod: add caveat that extra data is not copied and hints, e.g., to use X509_u...

author Dr. David von Oheimb <dev@ddvo.net>

Thu, 14 Dec 2023 11:48:33 +0000 (12:48 +0100)

committer Dr. David von Oheimb <dev@ddvo.net>

Thu, 18 Jan 2024 13:18:18 +0000 (14:18 +0100)
author Dr. David von Oheimb <dev@ddvo.net>
Thu, 14 Dec 2023 11:48:33 +0000 (12:48 +0100)
committer Dr. David von Oheimb <dev@ddvo.net>
Thu, 18 Jan 2024 13:18:18 +0000 (14:18 +0100)
diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod

index bc80caa51c6376157fba5f93da5373ebab0086e6..f6b2e3eb01514a3cc247d4c125220eb5dcafc127 100644 (file)
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@@ -356,6 +356,15 @@ algorithms from providers. This created object can then be used when loading
  binary data using B<d2i_I<TYPE>>().
  
  B<I<TYPE>_dup>() copies an existing object, leaving it untouched.
+Note, however, that the internal representation of the object
+may contain (besides the ASN.1 structure) further data, which is not copied.
+For instance, an B<X509> object usually is augmented by cached information
+on X.509v3 extensions, etc., and losing it can lead to wrong validation results.
+To avoid such situations, better use B<I<TYPE>_up_ref>() if available.
+For the case of B<X509> objects, an alternative to using L<X509_up_ref(3)>
+may be to still call B<I<TYPE>_dup>(), e.g., I<copied_cert = X509_dup(cert)>,
+followed by I<X509_check_purpose(copied_cert, -1, 0)>,
+which re-builds the cached data.
  
  B<I<TYPE>_free>() releases the object and all pointers and sub-objects
  within it.
@@ -373,6 +382,10 @@ the object or NULL on failure.
  
  B<I<TYPE>_print_ctx>() returns 1 on success or zero on failure.
  
+=head1 SEE ALSO
+
+L<X509_up_ref(3)>
+
  =head1 HISTORY
  
  The functions X509_REQ_new_ex(), X509_CRL_new_ex(), PKCS7_new_ex() and
author	Dr. David von Oheimb <dev@ddvo.net>
	Thu, 14 Dec 2023 11:48:33 +0000 (12:48 +0100)
committer	Dr. David von Oheimb <dev@ddvo.net>
	Thu, 18 Jan 2024 13:18:18 +0000 (14:18 +0100)