Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712)
CMP and CRMF API is added to libcrypto, and the "cmp" app to the openssl CLI.
Adds extensive man pages and tests. Integration into build scripts.
Incremental pull request based on OpenSSL commit 1362190b1b
of 2018-09-26
3rd chunk: CMP ASN.1 structures (in crypto/cmp/cmp_asn.c) and related files
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8669)
/*
|
|
* Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
|
|
* Copyright Nokia 2007-2019
|
|
* Copyright Siemens AG 2015-2019
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*
|
|
* CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
|
|
*/
|
|
|
|
#ifndef OSSL_HEADER_CMP_INT_H
|
|
# define OSSL_HEADER_CMP_INT_H
|
|
|
|
# include "internal/cryptlib.h"
|
|
|
|
# include <openssl/cmp.h>
|
|
# include <openssl/err.h>
|
|
|
|
/* explicit #includes not strictly needed since implied by the above: */
|
|
# include <openssl/crmf.h>
|
|
# include <openssl/ossl_typ.h>
|
|
# include <openssl/safestack.h>
|
|
# include <openssl/x509.h>
|
|
# include <openssl/x509v3.h>
|
|
|
|
/*
|
|
* ##########################################################################
|
|
* ASN.1 DECLARATIONS
|
|
* ##########################################################################
|
|
*/
|
|
|
|
/*-
|
|
* RevAnnContent ::= SEQUENCE {
|
|
* status PKIStatus,
|
|
* certId CertId,
|
|
* willBeRevokedAt GeneralizedTime,
|
|
* badSinceDate GeneralizedTime,
|
|
* crlDetails Extensions OPTIONAL
|
|
* -- extra CRL details (e.g., crl number, reason, location, etc.)
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of RevAnnContent (RFC 4210), the body of a revocation
 * announcement ("rann" in PKIBody).  Field order mirrors the ASN.1 SEQUENCE
 * above; the ASN.1 template that encodes/decodes it lives in cmp_asn.c.
 * Fields marked OPTIONAL in the ASN.1 are expected to be NULL when absent.
 */
typedef struct OSSL_cmp_revanncontent_st {
    ASN1_INTEGER *status;                  /* PKIStatus of the revocation */
    OSSL_CRMF_CERTID *certId;              /* issuer + serial of the cert (RFC 4211) */
    ASN1_GENERALIZEDTIME *willBeRevokedAt;
    ASN1_GENERALIZEDTIME *badSinceDate;
    X509_EXTENSIONS *crlDetails;           /* OPTIONAL: CRL entry extensions */
} OSSL_CMP_REVANNCONTENT;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
|
|
|
|
/*-
|
|
* Challenge ::= SEQUENCE {
|
|
* owf AlgorithmIdentifier OPTIONAL,
|
|
*
|
|
* -- MUST be present in the first Challenge; MAY be omitted in
|
|
* -- any subsequent Challenge in POPODecKeyChallContent (if
|
|
* -- omitted, then the owf used in the immediately preceding
|
|
* -- Challenge is to be used).
|
|
*
|
|
* witness OCTET STRING,
|
|
* -- the result of applying the one-way function (owf) to a
|
|
* -- randomly-generated INTEGER, A. [Note that a different
|
|
* -- INTEGER MUST be used for each Challenge.]
|
|
* challenge OCTET STRING
|
|
* -- the encryption (under the public key for which the cert.
|
|
* -- request is being made) of Rand, where Rand is specified as
|
|
* -- Rand ::= SEQUENCE {
|
|
* -- int INTEGER,
|
|
* -- - the randomly-generated INTEGER A (above)
|
|
* -- sender GeneralName
|
|
* -- - the sender's name (as included in PKIHeader)
|
|
* -- }
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of one Challenge of a POPODecKeyChallContent message
 * (RFC 4210 proof-of-possession by decryption).  A stack of these is the
 * "popdecc" PKIBody; the end entity answers with a stack of ASN1_INTEGERs
 * (OSSL_CMP_POPODECKEYRESPCONTENT, declared below).
 *
 * Per the ASN.1 comment above, 'owf' may be NULL in every Challenge but the
 * first, in which case the preceding Challenge's owf applies; code walking
 * the stack must carry that state along rather than dereference a NULL owf.
 */
typedef struct OSSL_cmp_challenge_st {
    X509_ALGOR *owf;               /* OPTIONAL one-way function; see note above */
    ASN1_OCTET_STRING *witness;    /* owf(A) for the random INTEGER A */
    ASN1_OCTET_STRING *challenge;  /* Rand (A + sender name) encrypted under the requested key */
} OSSL_CMP_CHALLENGE;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
|
|
|
|
/*-
|
|
* CAKeyUpdAnnContent ::= SEQUENCE {
|
|
* oldWithNew Certificate,
|
|
* newWithOld Certificate,
|
|
* newWithNew Certificate
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of CAKeyUpdAnnContent (RFC 4210 CA key update announcement,
 * "ckuann" in PKIBody; also the value of the id-it-caKeyUpdateInfo ITAV).
 * The three certificates link the old and new CA keys in both directions;
 * all three are mandatory in the ASN.1 above.
 */
typedef struct OSSL_cmp_cakeyupdanncontent_st {
    X509 *oldWithNew;   /* old CA public key signed with the new CA key */
    X509 *newWithOld;   /* new CA public key signed with the old CA key */
    X509 *newWithNew;   /* new CA public key self-signed with the new key */
} OSSL_CMP_CAKEYUPDANNCONTENT;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
|
|
|
|
/*-
|
|
* declared already here as it will be used in OSSL_CMP_MSG (nested) and
|
|
* infoType and infoValue
|
|
*/
|
|
/*
 * PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage
 *
 * OSSL_CMP_MSG itself is only defined further down (struct OSSL_cmp_msg_st);
 * the typedef used here comes from the public header <openssl/cmp.h>.
 * Used both for nested messages (PKIBody "nested") and for the
 * id-it-origPKIMessage ITAV value.
 */
typedef STACK_OF(OSSL_CMP_MSG) OSSL_CMP_MSGS;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS)
|
|
|
|
/*-
|
|
* InfoTypeAndValue ::= SEQUENCE {
|
|
* infoType OBJECT IDENTIFIER,
|
|
* infoValue ANY DEFINED BY infoType OPTIONAL
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of InfoTypeAndValue (RFC 4210 general messages and the
 * PKIHeader generalInfo field).
 *
 * infoValue is a union whose valid member is selected by the OID in
 * infoType; the comment above each member names the NID it belongs to.
 * The ASN.1 template doing that selection is in cmp_asn.c, not here, and
 * OIDs without a dedicated member are expected to land in 'other' as a raw
 * ASN1_TYPE.  Any code reading infoValue must therefore dispatch on infoType
 * first: accessing a member that does not match the OID is a type confusion
 * on attacker-influenced data, not merely a logic error.
 *
 * There is no typedef here: OSSL_CMP_ITAV is presumably typedef'd to this
 * struct tag in the public header, hence the name in the trailing comment.
 */
struct OSSL_cmp_itav_st {
    ASN1_OBJECT *infoType;                 /* OID that selects the union member */
    union {
        char *ptr;                         /* generic view, for code that only frees/moves */
        /* NID_id_it_caProtEncCert - CA Protocol Encryption Certificate */
        X509 *caProtEncCert;
        /* NID_id_it_signKeyPairTypes - Signing Key Pair Types */
        STACK_OF(X509_ALGOR) *signKeyPairTypes;
        /* NID_id_it_encKeyPairTypes - Encryption/Key Agreement Key Pair Types */
        STACK_OF(X509_ALGOR) *encKeyPairTypes;
        /* NID_id_it_preferredSymmAlg - Preferred Symmetric Algorithm */
        X509_ALGOR *preferredSymmAlg;
        /* NID_id_it_caKeyUpdateInfo - Updated CA Key Pair */
        OSSL_CMP_CAKEYUPDANNCONTENT *caKeyUpdateInfo;
        /* NID_id_it_currentCRL - CRL */
        X509_CRL *currentCRL;
        /* NID_id_it_unsupportedOIDs - Unsupported Object Identifiers */
        STACK_OF(ASN1_OBJECT) *unsupportedOIDs;
        /* NID_id_it_keyPairParamReq - Key Pair Parameters Request */
        ASN1_OBJECT *keyPairParamReq;
        /* NID_id_it_keyPairParamRep - Key Pair Parameters Response */
        X509_ALGOR *keyPairParamRep;
        /* NID_id_it_revPassphrase - Revocation Passphrase (RFC 4211 EncryptedValue) */
        OSSL_CRMF_ENCRYPTEDVALUE *revPassphrase;
        /* NID_id_it_implicitConfirm - ImplicitConfirm (value is NULL) */
        ASN1_NULL *implicitConfirm;
        /* NID_id_it_confirmWaitTime - ConfirmWaitTime */
        ASN1_GENERALIZEDTIME *confirmWaitTime;
        /* NID_id_it_origPKIMessage - origPKIMessage (a PKIMessages sequence) */
        OSSL_CMP_MSGS *origPKIMessage;
        /* NID_id_it_suppLangTags - Supported Language Tags */
        STACK_OF(ASN1_UTF8STRING) *suppLangTagsValue;
        /* fallback for any infoType without a dedicated member above */
        ASN1_TYPE *other;
    } infoValue;
} /* OSSL_CMP_ITAV */;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
|
|
|
|
|
|
/*-
 * CertOrEncCert ::= CHOICE {
 *     certificate     [0] CMPCertificate,
 *     encryptedCert   [1] EncryptedValue
 * }
 *
 * 'type' is the CHOICE selector and only the matching union member is
 * valid.  The encryptedCert form is used when the CA returns the new
 * certificate encrypted so that the end entity proves possession of the
 * private key by being able to decrypt it (RFC 4210 indirect POP); the
 * EncryptedValue itself is a CRMF structure (RFC 4211).
 */
typedef struct OSSL_cmp_certorenccert_st {
    int type;                                   /* CHOICE selector */
    union {
        X509 *certificate;                      /* [0] */
        OSSL_CRMF_ENCRYPTEDVALUE *encryptedCert; /* [1] */
    } value;
} OSSL_CMP_CERTORENCCERT;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
|
|
|
|
/*-
|
|
* CertifiedKeyPair ::= SEQUENCE {
|
|
* certOrEncCert CertOrEncCert,
|
|
* privateKey [0] EncryptedValue OPTIONAL,
|
|
* -- see [CRMF] for comment on encoding
|
|
* publicationInfo [1] PKIPublicationInfo OPTIONAL
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of CertifiedKeyPair (RFC 4210), carried in CertResponse
 * and in KeyRecRepContent.keyPairHist.  privateKey, when present, holds a
 * CA-generated private key wrapped as a CRMF EncryptedValue (RFC 4211) and
 * is therefore sensitive material: unwrapped copies should be cleared
 * after use.  Both OPTIONAL fields are expected to be NULL when absent.
 */
typedef struct OSSL_cmp_certifiedkeypair_st {
    OSSL_CMP_CERTORENCCERT *certOrEncCert;          /* the issued cert, plain or encrypted */
    OSSL_CRMF_ENCRYPTEDVALUE *privateKey;           /* [0] OPTIONAL */
    OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo;  /* [1] OPTIONAL */
} OSSL_CMP_CERTIFIEDKEYPAIR;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
|
|
|
|
/*-
|
|
* PKIStatusInfo ::= SEQUENCE {
|
|
* status PKIStatus,
|
|
* statusString PKIFreeText OPTIONAL,
|
|
* failInfo PKIFailureInfo OPTIONAL
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of PKIStatusInfo (RFC 4210), the status/failure report
 * used throughout responses, error messages and confirmations.
 * OSSL_CMP_PKISTATUS, OSSL_CMP_PKIFREETEXT and OSSL_CMP_PKIFAILUREINFO are
 * typedefs of the underlying ASN.1 types provided by the public header
 * (not defined in this file).  No typedef here: OSSL_CMP_PKISI names this
 * struct tag from the public header, as the trailing comment indicates.
 */
struct OSSL_cmp_pkisi_st {
    OSSL_CMP_PKISTATUS *status;             /* PKIStatus (mandatory) */
    OSSL_CMP_PKIFREETEXT *statusString;     /* OPTIONAL human-readable text */
    OSSL_CMP_PKIFAILUREINFO *failInfo;      /* OPTIONAL bit string of failure reasons */
} /* OSSL_CMP_PKISI */;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKISI)
DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
|
|
|
|
/*-
|
|
* RevReqContent ::= SEQUENCE OF RevDetails
|
|
*
|
|
* RevDetails ::= SEQUENCE {
|
|
* certDetails CertTemplate,
|
|
* crlEntryDetails Extensions OPTIONAL
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of RevDetails (RFC 4210); a stack of these is the
 * RevReqContent body ("rr", see OSSL_CMP_REVREQCONTENT below).
 * certDetails is a CRMF CertTemplate (RFC 4211) identifying the cert(s)
 * to revoke; crlEntryDetails is OPTIONAL and expected to be NULL when absent.
 */
typedef struct OSSL_cmp_revdetails_st {
    OSSL_CRMF_CERTTEMPLATE *certDetails;   /* which certificate to revoke */
    X509_EXTENSIONS *crlEntryDetails;      /* OPTIONAL CRL entry extensions (e.g. reason) */
} OSSL_CMP_REVDETAILS;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS)
DEFINE_STACK_OF(OSSL_CMP_REVDETAILS)
|
|
|
|
/*-
|
|
* RevRepContent ::= SEQUENCE {
|
|
* status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
|
|
* -- in same order as was sent in RevReqContent
|
|
* revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId
|
|
* OPTIONAL,
|
|
* -- IDs for which revocation was requested
|
|
* -- (same order as status)
|
|
* crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList
|
|
* OPTIONAL
|
|
* -- the resulting CRLs (there may be more than one)
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of RevRepContent (RFC 4210 revocation response, "rp").
 * Per the ASN.1 comments above, 'status' and 'revCerts' are positionally
 * matched to the entries of the corresponding RevReqContent; consumers
 * should verify the stack lengths agree before indexing one by the other.
 * revCerts and crls are OPTIONAL and expected to be NULL when absent.
 * No typedef here: OSSL_CMP_REVREPCONTENT names this tag from the public header.
 */
struct OSSL_cmp_revrepcontent_st {
    STACK_OF(OSSL_CMP_PKISI) *status;       /* one PKIStatusInfo per request entry */
    STACK_OF(OSSL_CRMF_CERTID) *revCerts;   /* [0] OPTIONAL, same order as status */
    STACK_OF(X509_CRL) *crls;               /* [1] OPTIONAL resulting CRLs */
} /* OSSL_CMP_REVREPCONTENT */;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
|
|
|
|
/*-
|
|
* KeyRecRepContent ::= SEQUENCE {
|
|
* status PKIStatusInfo,
|
|
* newSigCert [0] Certificate OPTIONAL,
|
|
* caCerts [1] SEQUENCE SIZE (1..MAX) OF
|
|
* Certificate OPTIONAL,
|
|
* keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
|
|
* CertifiedKeyPair OPTIONAL
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of KeyRecRepContent (RFC 4210 key recovery response, "krp").
 * keyPairHist may carry recovered private keys inside CertifiedKeyPair
 * entries (see OSSL_CMP_CERTIFIEDKEYPAIR), i.e. sensitive material.
 * The three tagged fields are OPTIONAL and expected to be NULL when absent.
 */
typedef struct OSSL_cmp_keyrecrepcontent_st {
    OSSL_CMP_PKISI *status;                            /* mandatory */
    X509 *newSigCert;                                  /* [0] OPTIONAL */
    STACK_OF(X509) *caCerts;                           /* [1] OPTIONAL */
    STACK_OF(OSSL_CMP_CERTIFIEDKEYPAIR) *keyPairHist;  /* [2] OPTIONAL */
} OSSL_CMP_KEYRECREPCONTENT;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
|
|
|
|
/*-
|
|
* ErrorMsgContent ::= SEQUENCE {
|
|
* pKIStatusInfo PKIStatusInfo,
|
|
* errorCode INTEGER OPTIONAL,
|
|
* -- implementation-specific error codes
|
|
* errorDetails PKIFreeText OPTIONAL
|
|
* -- implementation-specific error details
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of ErrorMsgContent (RFC 4210 error message, "error").
 * errorCode and errorDetails are implementation specific and OPTIONAL
 * (NULL when absent); errorDetails is peer-supplied free text and should
 * be treated as untrusted when logged or displayed.
 */
typedef struct OSSL_cmp_errormsgcontent_st {
    OSSL_CMP_PKISI *pKIStatusInfo;          /* mandatory status */
    ASN1_INTEGER *errorCode;                /* OPTIONAL implementation-specific code */
    OSSL_CMP_PKIFREETEXT *errorDetails;     /* OPTIONAL implementation-specific text */
} OSSL_CMP_ERRORMSGCONTENT;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
|
|
|
|
/*-
|
|
* CertConfirmContent ::= SEQUENCE OF CertStatus
|
|
*
|
|
* CertStatus ::= SEQUENCE {
|
|
* certHash OCTET STRING,
|
|
* -- the hash of the certificate, using the same hash algorithm
|
|
* -- as is used to create and verify the certificate signature
|
|
* certReqId INTEGER,
|
|
* -- to match this confirmation with the corresponding req/rep
|
|
* statusInfo PKIStatusInfo OPTIONAL
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of CertStatus (RFC 4210 certificate confirmation); a stack
 * of these is the CertConfirmContent body ("certConf").
 *
 * certHash is the end entity's hash of the certificate it received, using
 * (per the ASN.1 comment above) the digest of the certificate's signature
 * algorithm.  A CA processing a certConf must recompute the hash over the
 * certificate it actually issued and treat a mismatch as a failed
 * confirmation; accepting an unchecked hash would let a confirmation be
 * replayed against a different certificate.
 * No typedef here: OSSL_CMP_CERTSTATUS names this tag from the public header.
 */
struct OSSL_cmp_certstatus_st {
    ASN1_OCTET_STRING *certHash;    /* hash of the received certificate */
    ASN1_INTEGER *certReqId;        /* matches the request/response pair */
    OSSL_CMP_PKISI *statusInfo;     /* OPTIONAL; NULL means accepted */
} /* OSSL_CMP_CERTSTATUS */;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)

/* CertConfirmContent ::= SEQUENCE OF CertStatus */
typedef STACK_OF(OSSL_CMP_CERTSTATUS) OSSL_CMP_CERTCONFIRMCONTENT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT)
|
|
|
|
/*-
|
|
* CertResponse ::= SEQUENCE {
|
|
* certReqId INTEGER,
|
|
* -- to match this response with corresponding request (a value
|
|
* -- of -1 is to be used if certReqId is not specified in the
|
|
* -- corresponding request)
|
|
* status PKIStatusInfo,
|
|
* certifiedKeyPair CertifiedKeyPair OPTIONAL,
|
|
* rspInfo OCTET STRING OPTIONAL
|
|
* -- analogous to the id-regInfo-utf8Pairs string defined
|
|
* -- for regInfo in CertReqMsg [CRMF]
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of CertResponse (RFC 4210), one entry of a CertRepMessage.
 * certReqId is used to match the response to the request; per the ASN.1
 * comment above, -1 is sent when the request carried no certReqId, so
 * consumers should compare it rather than assume a particular index.
 * certifiedKeyPair and rspInfo are OPTIONAL (NULL when absent); the former
 * is normally absent when 'status' reports a rejection.
 * No typedef here: OSSL_CMP_CERTRESPONSE names this tag from the public header.
 */
struct OSSL_cmp_certresponse_st {
    ASN1_INTEGER *certReqId;                        /* matches the request */
    OSSL_CMP_PKISI *status;                         /* mandatory */
    OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair;    /* OPTIONAL issued cert (+ key) */
    ASN1_OCTET_STRING *rspInfo;                     /* OPTIONAL, cf. regInfo in CRMF */
} /* OSSL_CMP_CERTRESPONSE */;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
|
|
|
|
/*-
|
|
* CertRepMessage ::= SEQUENCE {
|
|
* caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
|
|
* OPTIONAL,
|
|
* response SEQUENCE OF CertResponse
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of CertRepMessage (RFC 4210), the body of ip/cp/kup/ccp.
 *
 * caPubs carries CA certificates pushed in-band by the server and is
 * OPTIONAL (NULL when absent).  RFC 4210 leaves it to local policy whether
 * such certificates may be installed as trust anchors; a client must not
 * trust them merely because the message decoded, but only after the
 * message protection has been verified and policy allows it.
 * No typedef here: OSSL_CMP_CERTREPMESSAGE names this tag from the public header.
 */
struct OSSL_cmp_certrepmessage_st {
    STACK_OF(X509) *caPubs;                        /* [1] OPTIONAL CA certs */
    STACK_OF(OSSL_CMP_CERTRESPONSE) *response;     /* one per request */
} /* OSSL_CMP_CERTREPMESSAGE */;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
|
|
|
|
/*-
|
|
* PollReqContent ::= SEQUENCE OF SEQUENCE {
|
|
* certReqId INTEGER
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of one PollReqContent entry (RFC 4210 polling): the client
 * asks for the status of the request identified by certReqId.  A stack of
 * these is the "pollReq" PKIBody.
 */
typedef struct OSSL_cmp_pollreq_st {
    ASN1_INTEGER *certReqId;    /* which outstanding request is polled */
} OSSL_CMP_POLLREQ;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
DEFINE_STACK_OF(OSSL_CMP_POLLREQ)

/* PollReqContent ::= SEQUENCE OF PollReq (see ASN.1 above) */
typedef STACK_OF(OSSL_CMP_POLLREQ) OSSL_CMP_POLLREQCONTENT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQCONTENT)
|
|
|
|
/*-
|
|
* PollRepContent ::= SEQUENCE OF SEQUENCE {
|
|
* certReqId INTEGER,
|
|
* checkAfter INTEGER, -- time in seconds
|
|
* reason PKIFreeText OPTIONAL
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of one PollRepContent entry (RFC 4210 polling response).
 *
 * checkAfter is a peer-supplied number of seconds; a client that sleeps
 * for this long before polling again should bound it to a sane maximum,
 * since an unbounded value from the server stalls the transaction.
 * reason is OPTIONAL (NULL when absent).
 *
 * Unlike OSSL_CMP_POLLREQCONTENT above, the OSSL_CMP_POLLREPCONTENT typedef
 * is not in this file; it is presumably provided by the public header.
 */
struct OSSL_cmp_pollrep_st {
    ASN1_INTEGER *certReqId;        /* which request this status refers to */
    ASN1_INTEGER *checkAfter;       /* seconds to wait before polling again */
    OSSL_CMP_PKIFREETEXT *reason;   /* OPTIONAL human-readable reason */
} /* OSSL_CMP_POLLREP */;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREP)
DEFINE_STACK_OF(OSSL_CMP_POLLREP)

/* PollRepContent ::= SEQUENCE OF PollRep */
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT)
|
|
|
|
/*-
|
|
* PKIHeader ::= SEQUENCE {
|
|
* pvno INTEGER { cmp1999(1), cmp2000(2) },
|
|
* sender GeneralName,
|
|
* -- identifies the sender
|
|
* recipient GeneralName,
|
|
* -- identifies the intended recipient
|
|
* messageTime [0] GeneralizedTime OPTIONAL,
|
|
* -- time of production of this message (used when sender
|
|
* -- believes that the transport will be "suitable"; i.e.,
|
|
* -- that the time will still be meaningful upon receipt)
|
|
* protectionAlg [1] AlgorithmIdentifier OPTIONAL,
|
|
* -- algorithm used for calculation of protection bits
|
|
* senderKID [2] KeyIdentifier OPTIONAL,
|
|
* recipKID [3] KeyIdentifier OPTIONAL,
|
|
* -- to identify specific keys used for protection
|
|
* transactionID [4] OCTET STRING OPTIONAL,
|
|
* -- identifies the transaction; i.e., this will be the same in
|
|
* -- corresponding request, response, certConf, and PKIConf
|
|
* -- messages
|
|
* senderNonce [5] OCTET STRING OPTIONAL,
|
|
* recipNonce [6] OCTET STRING OPTIONAL,
|
|
* -- nonces used to provide replay protection, senderNonce
|
|
* -- is inserted by the creator of this message; recipNonce
|
|
* -- is a nonce previously inserted in a related message by
|
|
* -- the intended recipient of this message
|
|
* freeText [7] PKIFreeText OPTIONAL,
|
|
* -- this may be used to indicate context-specific instructions
|
|
* -- (this field is intended for human consumption)
|
|
* generalInfo [8] SEQUENCE SIZE (1..MAX) OF
|
|
* InfoTypeAndValue OPTIONAL
|
|
* -- this may be used to convey context-specific information
|
|
* -- (this field not primarily intended for human consumption)
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of PKIHeader (RFC 4210 section 5.1.1).  The header is part
 * of the ProtectedPart (see CMP_PROTECTEDPART below), so every field here is
 * covered by the message protection when one is present.  The numbers in
 * the trailing comments are the [n] context tags from the ASN.1 above.
 *
 * Security-relevant fields: transactionID ties request and response
 * together, senderNonce/recipNonce provide replay protection, and
 * protectionAlg/senderKID say how and with which key the message was
 * protected.  All of them are OPTIONAL at the ASN.1 level (NULL when
 * absent), so the verification code - which is not in this header - must
 * check presence before relying on any of them.  freeText and generalInfo
 * are peer-supplied data intended for humans / context and must not drive
 * trust decisions.
 * No typedef here: OSSL_CMP_PKIHEADER names this tag from the public header.
 */
struct OSSL_cmp_pkiheader_st {
    ASN1_INTEGER *pvno;                         /* cmp1999(1) or cmp2000(2) */
    GENERAL_NAME *sender;
    GENERAL_NAME *recipient;
    ASN1_GENERALIZEDTIME *messageTime;          /* 0 */
    X509_ALGOR *protectionAlg;                  /* 1 */
    ASN1_OCTET_STRING *senderKID;               /* 2 */
    ASN1_OCTET_STRING *recipKID;                /* 3 */
    ASN1_OCTET_STRING *transactionID;           /* 4 */
    ASN1_OCTET_STRING *senderNonce;             /* 5 */
    ASN1_OCTET_STRING *recipNonce;              /* 6 */
    OSSL_CMP_PKIFREETEXT *freeText;             /* 7 */
    STACK_OF(OSSL_CMP_ITAV) *generalInfo;       /* 8 */
} /* OSSL_CMP_PKIHEADER */;
|
|
|
|
/*
 * SEQUENCE OF bodies that need no struct of their own; each is a stack of
 * an already-declared element type.  The ASN.1 names are given per line.
 */

/* POPODecKeyChallContent ::= SEQUENCE OF Challenge  ("popdecc") */
typedef STACK_OF(OSSL_CMP_CHALLENGE) OSSL_CMP_POPODECKEYCHALLCONTENT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYCHALLCONTENT)

/* POPODecKeyRespContent ::= SEQUENCE OF INTEGER  ("popdecr", the decrypted A's) */
typedef STACK_OF(ASN1_INTEGER) OSSL_CMP_POPODECKEYRESPCONTENT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYRESPCONTENT)

/* RevReqContent ::= SEQUENCE OF RevDetails  ("rr") */
typedef STACK_OF(OSSL_CMP_REVDETAILS) OSSL_CMP_REVREQCONTENT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREQCONTENT)

/* CRLAnnContent ::= SEQUENCE OF CertificateList  ("crlann") */
typedef STACK_OF(X509_CRL) OSSL_CMP_CRLANNCONTENT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CRLANNCONTENT)

/* GenMsgContent ::= SEQUENCE OF InfoTypeAndValue  ("genm") */
typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENMSGCONTENT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENMSGCONTENT)

/* GenRepContent ::= SEQUENCE OF InfoTypeAndValue  ("genp") */
typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENREPCONTENT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENREPCONTENT)
|
|
|
|
/*-
|
|
* PKIBody ::= CHOICE { -- message-specific body elements
|
|
* ir [0] CertReqMessages, --Initialization Request
|
|
* ip [1] CertRepMessage, --Initialization Response
|
|
* cr [2] CertReqMessages, --Certification Request
|
|
* cp [3] CertRepMessage, --Certification Response
|
|
* p10cr [4] CertificationRequest, --imported from [PKCS10]
|
|
* popdecc [5] POPODecKeyChallContent, --pop Challenge
|
|
* popdecr [6] POPODecKeyRespContent, --pop Response
|
|
* kur [7] CertReqMessages, --Key Update Request
|
|
* kup [8] CertRepMessage, --Key Update Response
|
|
* krr [9] CertReqMessages, --Key Recovery Request
|
|
* krp [10] KeyRecRepContent, --Key Recovery Response
|
|
* rr [11] RevReqContent, --Revocation Request
|
|
* rp [12] RevRepContent, --Revocation Response
|
|
* ccr [13] CertReqMessages, --Cross-Cert. Request
|
|
* ccp [14] CertRepMessage, --Cross-Cert. Response
|
|
* ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann.
|
|
* cann [16] CertAnnContent, --Certificate Ann.
|
|
* rann [17] RevAnnContent, --Revocation Ann.
|
|
* crlann [18] CRLAnnContent, --CRL Announcement
|
|
* pkiconf [19] PKIConfirmContent, --Confirmation
|
|
* nested [20] NestedMessageContent, --Nested Message
|
|
* genm [21] GenMsgContent, --General Message
|
|
* genp [22] GenRepContent, --General Response
|
|
* error [23] ErrorMsgContent, --Error Message
|
|
* certConf [24] CertConfirmContent, --Certificate confirm
|
|
* pollReq [25] PollReqContent, --Polling request
|
|
* pollRep [26] PollRepContent --Polling response
|
|
*/
|
|
/*
 * In-memory form of PKIBody (RFC 4210 section 5.1.2), a CHOICE.
 *
 * 'type' is the CHOICE selector; the trailing "n" comments give the ASN.1
 * [n] tag each member corresponds to, and the selector value is expected
 * to equal that tag (the named constants are not in this file - confirm
 * against the public header).  Only the member selected by 'type' is
 * valid; reading any other member is a type confusion on peer-supplied
 * data.  The body is part of the ProtectedPart (see CMP_PROTECTEDPART
 * below) and is thus covered by the message protection when present.
 */
typedef struct OSSL_cmp_pkibody_st {
    int type;                                   /* CHOICE selector */
    union {
        OSSL_CRMF_MSGS *ir;                     /* 0  CertReqMessages (RFC 4211) */
        OSSL_CMP_CERTREPMESSAGE *ip;            /* 1 */
        OSSL_CRMF_MSGS *cr;                     /* 2 */
        OSSL_CMP_CERTREPMESSAGE *cp;            /* 3 */
        /* p10cr [4] CertificationRequest, --imported from [PKCS10] */
        /*
         * PKCS10_CERTIFICATIONREQUEST is effectively X509_REQ
         * so it is used directly
         */
        X509_REQ *p10cr;                        /* 4 */
        /* popdecc [5] POPODecKeyChallContent, --pop Challenge */
        /* POPODecKeyChallContent ::= SEQUENCE OF Challenge */
        OSSL_CMP_POPODECKEYCHALLCONTENT *popdecc; /* 5 */
        /* popdecr [6] POPODecKeyRespContent, --pop Response */
        /* POPODecKeyRespContent ::= SEQUENCE OF INTEGER */
        OSSL_CMP_POPODECKEYRESPCONTENT *popdecr; /* 6 */
        OSSL_CRMF_MSGS *kur;                    /* 7 */
        OSSL_CMP_CERTREPMESSAGE *kup;           /* 8 */
        OSSL_CRMF_MSGS *krr;                    /* 9 */

        /* krp [10] KeyRecRepContent, --Key Recovery Response */
        OSSL_CMP_KEYRECREPCONTENT *krp;         /* 10 */
        /* rr [11] RevReqContent, --Revocation Request */
        OSSL_CMP_REVREQCONTENT *rr;             /* 11 */
        /* rp [12] RevRepContent, --Revocation Response */
        OSSL_CMP_REVREPCONTENT *rp;             /* 12 */
        /* ccr [13] CertReqMessages, --Cross-Cert. Request */
        OSSL_CRMF_MSGS *ccr;                    /* 13 */
        /* ccp [14] CertRepMessage, --Cross-Cert. Response */
        OSSL_CMP_CERTREPMESSAGE *ccp;           /* 14 */
        /* ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. */
        OSSL_CMP_CAKEYUPDANNCONTENT *ckuann;    /* 15 */
        /* cann [16] CertAnnContent, --Certificate Ann. */
        /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
        X509 *cann;                             /* 16 */
        /* rann [17] RevAnnContent, --Revocation Ann. */
        OSSL_CMP_REVANNCONTENT *rann;           /* 17 */
        /* crlann [18] CRLAnnContent, --CRL Announcement */
        /* CRLAnnContent ::= SEQUENCE OF CertificateList */
        OSSL_CMP_CRLANNCONTENT *crlann;         /* 18 */
        /* PKIConfirmContent ::= NULL */
        /* pkiconf [19] PKIConfirmContent, --Confirmation */
        /* OSSL_CMP_PKICONFIRMCONTENT would be only a typedef of ASN1_NULL */
        /* OSSL_CMP_CONFIRMCONTENT *pkiconf; */
        /*
         * NOTE: this should be ASN1_NULL according to the RFC, but faulty
         * servers have been seen to send a structure here.  Typing it as
         * ASN1_TYPE lets such messages still decode; whatever arrives in it
         * carries no meaning and nothing should interpret its contents.
         */
        ASN1_TYPE *pkiconf;                     /* 19 */
        /* nested [20] NestedMessageContent, --Nested Message */
        /* NestedMessageContent ::= PKIMessages */
        OSSL_CMP_MSGS *nested;                  /* 20 */
        /* genm [21] GenMsgContent, --General Message */
        /* GenMsgContent ::= SEQUENCE OF InfoTypeAndValue */
        OSSL_CMP_GENMSGCONTENT *genm;           /* 21 */
        /* genp [22] GenRepContent, --General Response */
        /* GenRepContent ::= SEQUENCE OF InfoTypeAndValue */
        OSSL_CMP_GENREPCONTENT *genp;           /* 22 */
        /* error [23] ErrorMsgContent, --Error Message */
        OSSL_CMP_ERRORMSGCONTENT *error;        /* 23 */
        /* certConf [24] CertConfirmContent, --Certificate confirm */
        OSSL_CMP_CERTCONFIRMCONTENT *certConf;  /* 24 */
        /* pollReq [25] PollReqContent, --Polling request */
        OSSL_CMP_POLLREQCONTENT *pollReq;       /* 25 */
        /* pollRep [26] PollRepContent --Polling response */
        OSSL_CMP_POLLREPCONTENT *pollRep;       /* 26 */
    } value;
} OSSL_CMP_PKIBODY;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
|
|
|
|
/*-
|
|
* PKIProtection ::= BIT STRING
|
|
*
|
|
* PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage
|
|
*
|
|
* PKIMessage ::= SEQUENCE {
|
|
* header PKIHeader,
|
|
* body PKIBody,
|
|
* protection [0] PKIProtection OPTIONAL,
|
|
* extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
|
|
* OPTIONAL
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of PKIMessage (RFC 4210 section 5.1), the top-level unit
 * exchanged over the transport.
 *
 * 'protection' is the MAC or signature computed over the DER encoding of
 * ProtectedPart = header + body (see CMP_PROTECTEDPART below).  Note what
 * that leaves out: extraCerts are NOT covered by the protection.  They are
 * merely a convenience for building the chain used to verify 'protection'
 * and must never be trusted on their own; a recipient has to validate them
 * against its own trust anchors before using any of them.
 * Both protection and extraCerts are OPTIONAL (NULL when absent); an
 * unprotected message (NULL protection) should only be accepted where
 * policy explicitly allows it.
 * No typedef here: OSSL_CMP_MSG names this tag from the public header.
 */
struct OSSL_cmp_msg_st {
    OSSL_CMP_PKIHEADER *header;         /* protected */
    OSSL_CMP_PKIBODY *body;             /* protected */
    ASN1_BIT_STRING *protection;        /* 0  MAC/signature over header+body */
    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
    STACK_OF(X509) *extraCerts;         /* 1  NOT covered by 'protection' */
} /* OSSL_CMP_MSG */;

DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSG)
|
|
|
|
/*-
|
|
* ProtectedPart ::= SEQUENCE {
|
|
* header PKIHeader,
|
|
* body PKIBody
|
|
* }
|
|
*/
|
|
/*
 * In-memory form of ProtectedPart (RFC 4210 section 5.1.3): the exact input
 * to the MAC or signature stored in OSSL_CMP_MSG.protection.  It is
 * presumably filled with the header and body pointers of the message being
 * protected or verified (not owned copies) so that the DER encoding of
 * precisely those two fields can be produced - confirm in the protection
 * code, which is not in this header.  Internal type, hence no OSSL_ prefix.
 */
typedef struct cmp_protectedpart_st {
    OSSL_CMP_PKIHEADER *header;
    OSSL_CMP_PKIBODY *body;
} CMP_PROTECTEDPART;

DECLARE_ASN1_FUNCTIONS(CMP_PROTECTEDPART)
|
|
|
|
/*-
|
|
* this is not defined here as it is already in CRMF:
|
|
* id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13}
|
|
* PBMParameter ::= SEQUENCE {
|
|
* salt OCTET STRING,
|
|
* -- note: implementations MAY wish to limit acceptable sizes
|
|
* -- of this string to values appropriate for their environment
|
|
* -- in order to reduce the risk of denial-of-service attacks
|
|
* owf AlgorithmIdentifier,
|
|
 * -- AlgId for a One-Way Function (SHA-1 is what RFC 4210 recommends;
 * -- a stronger digest such as SHA-256 should be preferred where the
 * -- peer supports it)
* iterationCount INTEGER,
|
|
* -- number of times the OWF is applied
|
|
* -- note: implementations MAY wish to limit acceptable sizes
|
|
* -- of this integer to values appropriate for their environment
|
|
* -- in order to reduce the risk of denial-of-service attacks
|
|
* mac AlgorithmIdentifier
|
|
* -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
|
|
* } -- or HMAC [RFC2104, RFC2202])
|
|
*/
|
|
/*-
|
|
* TODO: this is not yet defined here - but DH is anyway not used yet
|
|
*
|
|
* id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30}
|
|
* DHBMParameter ::= SEQUENCE {
|
|
* owf AlgorithmIdentifier,
|
|
* -- AlgId for a One-Way Function (SHA-1 recommended)
|
|
* mac AlgorithmIdentifier
|
|
* -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
|
|
* } -- or HMAC [RFC2104, RFC2202])
|
|
*/
|
|
/*-
|
|
 * The following is deliberately not handled here: RFC 4210 section 5.2.5
 * describes out-of-band handling of the root CA public key as beyond the
 * scope of CMP.
|
|
* OOBCert ::= CMPCertificate
|
|
*
|
|
* OOBCertHash ::= SEQUENCE {
|
|
* hashAlg [0] AlgorithmIdentifier OPTIONAL,
|
|
* certId [1] CertId OPTIONAL,
|
|
* hashVal BIT STRING
|
|
* -- hashVal is calculated over the DER encoding of the
|
|
* -- self-signed certificate with the identifier certID.
|
|
* }
|
|
*/
|
|
|
|
#endif /* !defined OSSL_HEADER_CMP_INT_H */
|