mirror of
https://github.com/openssl/openssl.git
synced 2024-12-27 06:21:43 +08:00
7960dbec68
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712)
CMP and CRMF API is added to libcrypto, and the "cmp" app to the openssl CLI.
Adds extensive man pages and tests. Integration into build scripts.
Incremental pull request based on OpenSSL commit 8869ad4a39
of 2019-04-02
4th chunk: CMP context/parameters and utilities
in crypto/cmp/cmp_ctx.c, crypto/cmp/cmp_util.c, and related files
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9107)
109 lines
3.6 KiB
Plaintext
109 lines
3.6 KiB
Plaintext
=pod
|
|
|
|
=head1 NAME
|
|
|
|
OSSL_CRMF_MSG_set_validity,
|
|
OSSL_CRMF_MSG_set_certReqId,
|
|
OSSL_CRMF_CERTTEMPLATE_fill,
|
|
OSSL_CRMF_MSG_set0_extensions,
|
|
OSSL_CRMF_MSG_push0_extension,
|
|
OSSL_CRMF_MSG_create_popo,
|
|
OSSL_CRMF_MSGS_verify_popo
|
|
- functions populating and verifying CRMF CertReqMsg structures
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
#include <openssl/crmf.h>
|
|
|
|
int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to);
|
|
|
|
int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid);
|
|
|
|
int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
|
|
EVP_PKEY *pubkey,
|
|
const X509_NAME *subject,
|
|
const X509_NAME *issuer,
|
|
const ASN1_INTEGER *serial);
|
|
|
|
int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, X509_EXTENSIONS *exts);
|
|
|
|
int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, X509_EXTENSION *ext);
|
|
|
|
int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
|
|
int dgst, int ppmtd);
|
|
|
|
int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
|
|
int rid, int acceptRAVerified);
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
OSSL_CRMF_MSG_set_validity() sets B<from> as notBefore and B<to> as notAfter
|
|
as the validity in the certTemplate of B<crm>.
|
|
|
|
OSSL_CRMF_MSG_set_certReqId() sets B<rid> as the certReqId of B<crm>.
|
|
|
|
OSSL_CRMF_CERTTEMPLATE_fill() sets those fields of the certTemplate B<tmpl>
|
|
for which non-NULL values are provided: B<pubkey>, B<subject>, B<issuer>,
|
|
and/or B<serial>.
|
|
On success the reference counter of the B<pubkey> (if given) is incremented,
|
|
while the B<subject>, B<issuer>, and B<serial> structures (if given) are copied.
|
|
|
|
OSSL_CRMF_MSG_set0_extensions() sets B<exts> as the extensions in the
|
|
certTemplate of B<crm>. Frees any pre-existing ones and consumes B<exts>.
|
|
|
|
OSSL_CRMF_MSG_push0_extension() pushes the X509 extension B<ext> to the
|
|
extensions in the certTemplate of B<crm>. Consumes B<ext>.
|
|
|
|
OSSL_CRMF_MSG_create_popo() creates and sets the Proof-of-Possession (POPO)
|
|
according to the method B<ppmtd> in B<crm>.
|
|
In case the method is OSSL_CRMF_POPO_SIGNATURE the POPO is calculated
|
|
using the private B<pkey> and the digest algorithm NID B<dgst>.
|
|
|
|
B<ppmtd> can be one of the following:
|
|
|
|
=over 8
|
|
|
|
=item * OSSL_CRMF_POPO_NONE - RFC 4211, section 4, POP field omitted.
|
|
CA/RA uses out-of-band method to verify POP. Note that servers may fail in this
|
|
case, resulting for instance in HTTP error code 500 (Internal error).
|
|
|
|
=item * OSSL_CRMF_POPO_RAVERIFIED - RFC 4211, section 4, explicit indication
|
|
that the RA has already verified the POP.
|
|
|
|
=item * OSSL_CRMF_POPO_SIGNATURE - RFC 4211, section 4.1, only case 3 supported
|
|
so far.
|
|
|
|
=item * OSSL_CRMF_POPO_KEYENC - RFC 4211, section 4.2, only indirect method
|
|
(subsequentMessage/enccert) supported,
|
|
challenge-response exchange (challengeResp) not yet supported.
|
|
|
|
=item * OSSL_CRMF_POPO_KEYAGREE - RFC 4211, section 4.3, not yet supported.
|
|
|
|
=back
|
|
|
|
OSSL_CRMF_MSGS_verify_popo verifies the Proof-of-Possession of the request with
|
|
the given B<rid> in the list of B<reqs>. Optionally accepts RAVerified.
|
|
|
|
=head1 RETURN VALUES
|
|
|
|
All functions return 1 on success, 0 on error.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
RFC 4211
|
|
|
|
=head1 HISTORY
|
|
|
|
The OpenSSL CRMF support was added in OpenSSL 3.0.
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
=cut
|