Dev news

Commit 3bd54e7b2c for openssl.org

commit 3bd54e7b2cc1a8d92b26b395e21a126f37ad6d6f
Author: Neil Horman <nhorman@openssl.org>
Date:   Tue Feb 24 09:29:47 2026 -0500

    Document PKCS7_dataVerify

    Its older, and generally replaced by PKCS7_verify, but its not
    deprecated, so we should document it.

    Reviewed-by: Tim Hudson <tjh@openssl.org>
    Reviewed-by: Norbert Pocs <norbertp@openssl.org>
    MergeDate: Sun Mar  1 14:18:17 2026
    (Merged from https://github.com/openssl/openssl/pull/30158)

diff --git a/doc/man3/PKCS7_verify.pod b/doc/man3/PKCS7_verify.pod
index 3f0a484e62..732d9e4dbe 100644
--- a/doc/man3/PKCS7_verify.pod
+++ b/doc/man3/PKCS7_verify.pod
@@ -2,7 +2,7 @@

 =head1 NAME

-PKCS7_verify, PKCS7_get0_signers - verify a PKCS#7 signedData structure
+PKCS7_verify, PKCS7_dataVerify, PKCS7_get0_signers - verify a PKCS#7 signedData structure

 =head1 SYNOPSIS

@@ -11,6 +11,9 @@ PKCS7_verify, PKCS7_get0_signers - verify a PKCS#7 signedData structure
  int PKCS7_verify(PKCS7 *p7, const STACK_OF(X509) *certs, X509_STORE *store,
                   BIO *indata, BIO *out, int flags);

+ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx,
+                  BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si);
+
  STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs,
                                     int flags);

@@ -35,6 +38,23 @@ PKCS7_get0_signers() retrieves the signer certificates from I<p7>, it does
 B<not> check their validity or whether any signatures are valid. The I<certs>
 and I<flags> parameters have the same meanings as in PKCS7_verify().

+PKCS7_dataVerify() operates in a similar fashion to PKCS7_verify, with a few
+notable exceptions:
+
+=over 4
+
+=item PKCS7_dataVerify does not support the passing of the I<flags> parameter.
+
+=item PKCS7_dataVerify obtains its signer info from the passed in signer data
+via the I<si> parameter, rather than parsing the signers from the PKCS7 object
+directly.
+
+=back
+
+PKCS7_dataVerify() is available for backwards compatibility with older versions
+of OpenSSL, but it is generally recommended that users use the PKCS7_verify()
+API instead, as it offers greater flexibility in the verification process.
+
 =head1 VERIFY PROCESS

 Normally the verify process proceeds as follows.
@@ -112,7 +132,8 @@ timestamp).

 =head1 RETURN VALUES

-PKCS7_verify() returns 1 for a successful verification and 0 if an error occurs.
+PKCS7_verify() and PKCS7_dataVerify() return 1 for a successful verification
+and 0 if an error occurs.

 PKCS7_get0_signers() returns all signers or NULL if an error occurred.

diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt
index 94f5c5d038..6a021ace14 100644
--- a/util/missingcrypto.txt
+++ b/util/missingcrypto.txt
@@ -780,7 +780,6 @@ PKCS7_ctrl(3)
 PKCS7_dataDecode(3)
 PKCS7_dataFinal(3)
 PKCS7_dataInit(3)
-PKCS7_dataVerify(3)
 PKCS7_digest_from_attributes(3)
 PKCS7_final(3)
 PKCS7_get_attribute(3)