History log of /openssl/doc/man3/OSSL_CMP_CTX_new.pod (Results 1 – 25 of 42)
Revision Date Author Comments
# b6fbef11 14-Dec-2021 Dr. David von Oheimb

Add OSSL_CMP_CTX_get0_validatedSrvCert(), correcting OSSL_CMP_validate_msg()

Also change ossl_cmp_ctx_set0_validatedSrvCert() to ossl_cmp_ctx_set1_validatedSrvCert(),
and add respective tests as well as the -srvcertout CLI option using the new function.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18656)


# fecb3aae 03-May-2022 Matt Caswell

Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes


# 92cae9b4 15-Mar-2022 Dr. David von Oheimb

OSSL_CMP_CTX_new.pod: make references to private key consistent with OSSL_CMP_MSG_get0_header.pod

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/17887)


# c8c92345 17-Feb-2022 Dr. David von Oheimb

OSSL_CMP_CTX_setup_CRM(): Fix handling of defaults from CSR and refcert

Also update and complete related documentation.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/17726)


# cd7ec0bc 17-Feb-2022 Dr. David von Oheimb

CMP: add subject of any provided CSR as default message sender

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17723)


# 6be83cc6 15-Dec-2021 Dr. David von Oheimb

OSSL_CMP_CTX: rename get/set function for trustedStore

This makes the naming more consistent, in a backward-compatible way

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17277)


Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16
# 19f97fe6 27-Apr-2021 Dr. David von Oheimb

HTTP: Implement persistent connections (keep-alive)

Both at API and at CLI level (for the CMP app only, so far)
there is a new parameter/option: keep_alive.
* 0 means HTTP connections are not kept open after
receiving a response, which is the default behavior for HTTP 1.0.
* 1 means that persistent connections are requested.
* 2 means that persistent connections are required, i.e.,
in case the server does not grant them an error occurs.

For the CMP app the default value is 1, which means preferring to keep
the connection open. For all other internal uses of the HTTP client
(fetching an OCSP response, a cert, or a CRL) it does not matter
because these operations just take one round trip.

If the client application requested or required a persistent connection
and this was granted by the server, it can keep the OSSL_HTTP_REQ_CTX *
as long as it wants to send further requests and OSSL_HTTP_is_alive()
returns nonzero,
else it should call OSSL_HTTP_REQ_CTX_free() or OSSL_HTTP_close().
In case the client application keeps the OSSL_HTTP_REQ_CTX *
but the connection then dies for any reason at the server side, it will
notice this obtaining an I/O error when trying to send the next request.

This requires extending the HTTP header parsing and
rearranging the high-level HTTP client API. In particular:
* Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(),
OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close().
* Split the timeout functionality accordingly and improve default behavior.
* Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected().
* Extend struct ossl_http_req_ctx_st accordingly.

Use the new feature for the CMP client, which requires extending
related transaction management of CMP client and test server.

Update the documentation and extend the tests accordingly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)


Revision tags: openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11
# 4333b89f 28-Jan-2021 Richard Levitte

Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13999)


# f5f4fbaa 12-Jan-2021 Richard Levitte

Make the OSSL_CMP manual conform with man-pages(7)

Details from man-pages(7) that are used:

Formatting conventions for manual pages describing functions

...
Variable names should, like argument names, be specified in italics.
...

Formatting conventions (general)

...
Special macros, which are usually in uppercase, are in bold.
Exception: don't boldface NULL.
...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13846)


Revision tags: openssl-3.0.0-alpha10, OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8
# d718521f 27-Oct-2020 Dr. David von Oheimb

cmp_msg.c: Use issuer of reference cert as default issuer entry in certTemplate

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13357)


Revision tags: openssl-3.0.0-alpha7
# b4250010 15-Oct-2020 Dr. Matthias St. Pierre

Rename OPENSSL_CTX prefix to OSSL_LIB_CTX

Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix,
e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER.

The OPENSSL_CTX type stands out a little by using a different prefix.
For consistency reasons, this type is renamed to OSSL_LIB_CTX.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12621)


Revision tags: OpenSSL_1_1_1h
# 1cd77e2e 10-Aug-2020 Dr. David von Oheimb

OSSL_CMP_CTX_new.pod: improve doc of OSSL_CMP_CTX_get1_{extraCertsIn,caPubs}

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)


# bb30bce2 08-Sep-2020 Dr. David von Oheimb

bugfix in apps/cmp.c and cmp_client.c: inconsistencies on retrieving extraCerts in code and doc

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822)


# aad086e2 07-Sep-2020 Dr. David von Oheimb

Replace all wrong usages of 'B<...>' (typically by 'I<...>') in OSSL_CMP_CTX_new.pod

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12741)


# a0745e2b 28-Aug-2020 Dr. David von Oheimb

Clean up CMP chain building for CMP signer, TLS client, and newly enrolled certs

* Use strengthened cert chain building, verifying chain using optional trust store
while making sure that no certificate status (e.g., CRL) checks are done
* Use OSSL_CMP_certConf_cb() by default and move its doc to OSSL_CMP_CTX_new.pod
* Simplify certificate and cert store loading in apps/cmp.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12741)


# 0b86eefd 28-Aug-2020 Dr. David von Oheimb

OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12788)


# 15076c26 04-Sep-2020 Dr. David von Oheimb

Strengthen chain building for CMP

* Add -own_trusted option to CMP app
* Add OSSL_CMP_CTX_build_cert_chain()
* Add optional trust store arg to ossl_cmp_build_cert_chain()
* Extend the tests in cmp_protect_test.c and the documentation accordingly

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12791)


# 39082af2 04-Sep-2020 Dr. David von Oheimb

Add OSSL_CMP_CTX_get1_newChain() and related CLI option -chainout

Also simplify certificate saving in apps/cmp.c

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12790)


Revision tags: openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2
# 1a7cd250 13-May-2020 Dr. David von Oheimb

Add libctx and propq parameters to OSSL_CMP_{SRV_},CTX_new() and ossl_cmp_mock_srv_new()

Also remove not really to-the-point error message if call fails in apps/cmp.c

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808)


# 299e0f1e 13-Jul-2020 Dr. David von Oheimb

Streamline the CMP request session API, adding the generalized OSSL_CMP_exec_certreq()

Fixes #12395

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12431)


# 490c8711 17-Jul-2020 Gustaf Neumann

Align documentation with recommendations of Linux Documentation Project

This change applies the recommendation of the Linux Documentation Project
to the documentation files of OpenSSL. Additionally, util/find-doc-nits
was updated accordingly.

The change follows a suggestion of mspncp on https://github.com/openssl/openssl/pull/12370
and incorporates the requested changes on the pull request

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12460)


# e98c7350 28-May-2020 Dr. David von Oheimb

Improve BIO_socket_wait(), BIO_wait(), BIO_connect_retry(), and their docs

Add/extend range check for 'fd' argument of BIO_socket_wait() and bio_wait()
Correct nap time calculations in bio_wait(), thus correcting also BIO_wait()
Update a type cast from 'unsigned long' to 'unsigned int'
Extend the comments and documentation of BIO_wait()

Rename BIO_connect_retry() to BIO_do_connect_retry()
Make its 'timeout' argument < 0 lead to BIO_do_connect() tried only once
Add optional 'nap_milliseconds' parameter determining the polling granularity
Correct and generalize the retry case checking
Extend the comments and documentation of BIO_do_connect_retry()

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11986)


# c4a9e3eb 29-May-2020 Dr. David von Oheimb

Move part of OSSL_CMP_validate_msg() to ossl_cmp_msg_check_update()

as checking expected_sender and adding caPubs is not part of msg validation.
Also constify a couple of internal and public functions related to cmp_vfy.c

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)


# 8b22c283 29-May-2020 Dr. David von Oheimb

Improve description of CMP untrusted certs and msg 'sender' field

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)


# 16931355 20-May-2020 Dr. David von Oheimb

Allow subject of CMP -oldcert as sender unless protection cert is given

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

