OSSL_STORE: Add reference docs for the built-in Windows store implementation

Fixes openssl/project#422

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24170)

doc/build.info

@@ -4701,6 +4701,10 @@ DEPEND[html/man7/OSSL_PROVIDER-null.html]=man7/OSSL_PROVIDER-null.pod
 GENERATE[html/man7/OSSL_PROVIDER-null.html]=man7/OSSL_PROVIDER-null.pod
 DEPEND[man/man7/OSSL_PROVIDER-null.7]=man7/OSSL_PROVIDER-null.pod
 GENERATE[man/man7/OSSL_PROVIDER-null.7]=man7/OSSL_PROVIDER-null.pod
+DEPEND[html/man7/OSSL_STORE-winstore.html]=man7/OSSL_STORE-winstore.pod
+GENERATE[html/man7/OSSL_STORE-winstore.html]=man7/OSSL_STORE-winstore.pod
+DEPEND[man/man7/OSSL_STORE-winstore.7]=man7/OSSL_STORE-winstore.pod
+GENERATE[man/man7/OSSL_STORE-winstore.7]=man7/OSSL_STORE-winstore.pod
 DEPEND[html/man7/RAND.html]=man7/RAND.pod
 GENERATE[html/man7/RAND.html]=man7/RAND.pod
 DEPEND[man/man7/RAND.7]=man7/RAND.pod
@@ -5023,6 +5027,7 @@ html/man7/OSSL_PROVIDER-base.html \
 html/man7/OSSL_PROVIDER-default.html \
 html/man7/OSSL_PROVIDER-legacy.html \
 html/man7/OSSL_PROVIDER-null.html \
+html/man7/OSSL_STORE-winstore.html \
 html/man7/RAND.html \
 html/man7/RSA-PSS.html \
 html/man7/X25519.html \
@@ -5166,6 +5171,7 @@ man/man7/OSSL_PROVIDER-base.7 \
 man/man7/OSSL_PROVIDER-default.7 \
 man/man7/OSSL_PROVIDER-legacy.7 \
 man/man7/OSSL_PROVIDER-null.7 \
+man/man7/OSSL_STORE-winstore.7 \
 man/man7/RAND.7 \
 man/man7/RSA-PSS.7 \
 man/man7/X25519.7 \

doc/man7/OSSL_PROVIDER-base.pod

@@ -140,7 +140,7 @@ combination with the FIPS provider.
 
 =item file
 
-=item org.openssl.winstore
+=item org.openssl.winstore, see L<OSSL_STORE-winstore(7)>
 
 =back
 
@@ -158,7 +158,7 @@ This functionality was added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man7/OSSL_PROVIDER-default.pod

@@ -358,7 +358,7 @@ combination with the FIPS provider.
 
 =item file
 
-=item org.openssl.winstore
+=item org.openssl.winstore, see L<OSSL_STORE-winstore(7)>
 
 =back
 
@@ -378,7 +378,7 @@ All other functionality was added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man7/OSSL_STORE-winstore.pod

@@ -0,0 +1,86 @@
+=pod
+
+=head1 NAME
+
+OSSL_STORE-winstore - OpenSSL built in OSSL_STORE for Windows
+
+=head1 DESCRIPTION
+
+The OSSL_STORE implementation for Windows provides access to Windows' system
+C<ROOT> certificate store through URIs, using the URI scheme
+C<org.openssl.winstore>.
+
+=head2 Supported URIs
+
+There is only one supported URI:
+
+  org.openssl.winstore:
+
+No authority (host, etc), no path, no query, no fragment.
+
+=head2 Supported OSSL_STORE_SEARCH operations
+
+=over 4
+
+=item L<OSSL_STORE_SEARCH_by_name(3)>
+
+As a matter of fact, this must be used.  It is not possible to enumerate all
+available certificates in the store.
+
+=back
+
+=head2 Windows certificate store features
+
+Apart from diverse constraints present in the certificates themselves, the
+Windows certificate store also has the ability to associate additional
+constraining properties alongside a certificate in the store. This includes
+both documented and undocumented capabilities:
+
+=over 4
+
+=item *
+
+The documented capability to override EKU
+
+=item *
+
+The undocumented capability to add name constraints
+
+=item *
+
+The undocumented capability to override the certificate expiry date
+
+=back
+
+I<Such constraints are not checked by this OSSL_STORE implementation, and
+thereby not honoured>.
+
+However, once extracted with L<OSSL_STORE_load(3)>, certificates that have
+constraints in their X.509 extensions will go through the usual constraint
+checks when used by OpenSSL, and are thereby honoured.
+
+=head1 SEE ALSO
+
+L<ossl_store(7)>, L<OSSL_STORE_open_ex(3)>, L<OSSL_STORE_SEARCH(3)>
+
+=head1 HISTORY
+
+The winstore (C<org.openssl.winstore>) implementation was added in OpenSSL
+3.2.0.
+
+=head1 NOTES
+
+OpenSSL uses L<OSSL_DECODER(3)> implementations under the hood.
+To influence what L<OSSL_DECODER(3)> implementations are used, it's advisable
+to use L<OSSL_STORE_open_ex(3)> and set the I<propq> argument.
+
+=head1 COPYRIGHT
+
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut