1 /* 2 * Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright Nokia 2007-2019 4 * Copyright Siemens AG 2015-2019 5 * 6 * Licensed under the Apache License 2.0 (the "License"). You may not use 7 * this file except in compliance with the License. You can obtain a copy 8 * in the file LICENSE in the source distribution or at 9 * https://www.openssl.org/source/license.html 10 */ 11 12 #ifndef OSSL_CRYPTO_CMP_LOCAL_H 13 # define OSSL_CRYPTO_CMP_LOCAL_H 14 15 # include "internal/cryptlib.h" 16 17 # include <openssl/cmp.h> 18 # include <openssl/err.h> 19 20 /* explicit #includes not strictly needed since implied by the above: */ 21 # include <openssl/crmf.h> 22 # include <openssl/types.h> 23 # include <openssl/safestack.h> 24 # include <openssl/x509.h> 25 # include <openssl/x509v3.h> 26 # include "crypto/x509.h" 27 28 # define IS_NULL_DN(name) (X509_NAME_get_entry(name, 0) == NULL) 29 30 /* 31 * this structure is used to store the context for CMP sessions 32 */ 33 struct ossl_cmp_ctx_st { 34 OSSL_LIB_CTX *libctx; 35 char *propq; 36 OSSL_CMP_log_cb_t log_cb; /* log callback for error/debug/etc. output */ 37 OSSL_CMP_severity log_verbosity; /* level of verbosity of log output */ 38 39 /* message transfer */ 40 OSSL_CMP_transfer_cb_t transfer_cb; /* default: OSSL_CMP_MSG_http_perform */ 41 void *transfer_cb_arg; /* allows to store optional argument to cb */ 42 /* HTTP-based transfer */ 43 OSSL_HTTP_REQ_CTX *http_ctx; 44 char *serverPath; 45 char *server; 46 int serverPort; 47 char *proxy; 48 char *no_proxy; 49 int keep_alive; /* persistent connection: 0=no, 1=prefer, 2=require */ 50 int msg_timeout; /* max seconds to wait for each CMP message round trip */ 51 int total_timeout; /* max number of seconds an enrollment may take, incl. */ 52 int tls_used; /* whether to use TLS for client-side HTTP connections */ 53 /* attempts polling for a response if a 'waiting' PKIStatus is received */ 54 time_t end_time; /* session start time + totaltimeout */ 55 # ifndef OPENSSL_NO_HTTP 56 OSSL_HTTP_bio_cb_t http_cb; 57 void *http_cb_arg; /* allows to store optional argument to cb */ 58 # endif 59 60 /* server authentication */ 61 /* 62 * unprotectedErrors may be set as workaround for broken server responses: 63 * accept missing or invalid protection of regular error messages, negative 64 * certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf 65 */ 66 int unprotectedErrors; 67 int noCacheExtraCerts; 68 X509 *srvCert; /* certificate used to identify the server */ 69 X509 *validatedSrvCert; /* caches any already validated server cert */ 70 X509_NAME *expected_sender; /* expected sender in header of response */ 71 X509_STORE *trusted; /* trust store maybe w CRLs and cert verify callback */ 72 STACK_OF(X509) *untrusted; /* untrusted (intermediate CA) certs */ 73 int ignore_keyusage; /* ignore key usage entry when validating certs */ 74 /* 75 * permitTAInExtraCertsForIR allows use of root certs in extracerts 76 * when validating message protection; this is used for 3GPP-style E.7 77 */ 78 int permitTAInExtraCertsForIR; 79 80 /* client authentication */ 81 int unprotectedSend; /* send unprotected PKI messages */ 82 X509 *cert; /* protection cert used to identify and sign for MSG_SIG_ALG */ 83 STACK_OF(X509) *chain; /* (cached) chain of protection cert including it */ 84 EVP_PKEY *pkey; /* the key pair corresponding to cert */ 85 ASN1_OCTET_STRING *referenceValue; /* optional username for MSG_MAC_ALG */ 86 ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */ 87 /* PBMParameters for MSG_MAC_ALG */ 88 size_t pbm_slen; /* salt length, currently fixed to 16 */ 89 EVP_MD *pbm_owf; /* one-way function (OWF), default: SHA256 */ 90 int pbm_itercnt; /* OWF iteration count, currently fixed to 500 */ 91 int pbm_mac; /* NID of MAC algorithm, default: HMAC-SHA1 as per RFC 4210 */ 92 93 /* CMP message header and extra certificates */ 94 X509_NAME *recipient; /* to set in recipient in pkiheader */ 95 EVP_MD *digest; /* digest used in MSG_SIG_ALG and POPO, default SHA256 */ 96 ASN1_OCTET_STRING *transactionID; /* the current transaction ID */ 97 ASN1_OCTET_STRING *senderNonce; /* last nonce sent */ 98 ASN1_OCTET_STRING *recipNonce; /* last nonce received */ 99 ASN1_OCTET_STRING *first_senderNonce; /* sender nonce when starting to poll */ 100 ASN1_UTF8STRING *freeText; /* optional string to include each msg */ 101 STACK_OF(OSSL_CMP_ITAV) *geninfo_ITAVs; 102 int implicitConfirm; /* set implicitConfirm in IR/KUR/CR messages */ 103 int disableConfirm; /* disable certConf in IR/KUR/CR for broken servers */ 104 STACK_OF(X509) *extraCertsOut; /* to be included in request messages */ 105 106 /* certificate template */ 107 EVP_PKEY *newPkey; /* explicit new private/public key for cert enrollment */ 108 int newPkey_priv; /* flag indicating if newPkey contains private key */ 109 X509_NAME *issuer; /* issuer name to used in cert template, also in rr */ 110 ASN1_INTEGER *serialNumber; /* certificate serial number to use in rr */ 111 int days; /* Number of days new certificates are asked to be valid for */ 112 X509_NAME *subjectName; /* subject name to be used in cert template */ 113 STACK_OF(GENERAL_NAME) *subjectAltNames; /* to add to the cert template */ 114 int SubjectAltName_nodefault; 115 int setSubjectAltNameCritical; 116 X509_EXTENSIONS *reqExtensions; /* exts to be added to cert template */ 117 CERTIFICATEPOLICIES *policies; /* policies to be included in extensions */ 118 int setPoliciesCritical; 119 int popoMethod; /* Proof-of-possession mechanism; default: signature */ 120 X509 *oldCert; /* cert to be updated (via KUR) or to be revoked (via RR) */ 121 X509_REQ *p10CSR; /* for P10CR: PKCS#10 CSR to be sent */ 122 123 /* misc body contents */ 124 int revocationReason; /* revocation reason code to be included in RR */ 125 STACK_OF(OSSL_CMP_ITAV) *genm_ITAVs; /* content of general message */ 126 127 /* result returned in responses, so far supporting only one certResponse */ 128 int status; /* PKIStatus of last received IP/CP/KUP/RP/error or -1 */ 129 OSSL_CMP_PKIFREETEXT *statusString; /* of last IP/CP/KUP/RP/error */ 130 int failInfoCode; /* failInfoCode of last received IP/CP/KUP/error, or -1 */ 131 X509 *newCert; /* newly enrolled cert received from the CA */ 132 STACK_OF(X509) *newChain; /* chain of newly enrolled cert received */ 133 STACK_OF(X509) *caPubs; /* CA certs received from server (in IP message) */ 134 STACK_OF(X509) *extraCertsIn; /* extraCerts received from server */ 135 136 /* certificate confirmation */ 137 OSSL_CMP_certConf_cb_t certConf_cb; /* callback for app checking new cert */ 138 void *certConf_cb_arg; /* allows to store an argument individual to cb */ 139 } /* OSSL_CMP_CTX */; 140 141 /* 142 * ########################################################################## 143 * ASN.1 DECLARATIONS 144 * ########################################################################## 145 */ 146 147 /*- 148 * RevAnnContent ::= SEQUENCE { 149 * status PKIStatus, 150 * certId CertId, 151 * willBeRevokedAt GeneralizedTime, 152 * badSinceDate GeneralizedTime, 153 * crlDetails Extensions OPTIONAL 154 * -- extra CRL details (e.g., crl number, reason, location, etc.) 155 * } 156 */ 157 typedef struct ossl_cmp_revanncontent_st { 158 ASN1_INTEGER *status; 159 OSSL_CRMF_CERTID *certId; 160 ASN1_GENERALIZEDTIME *willBeRevokedAt; 161 ASN1_GENERALIZEDTIME *badSinceDate; 162 X509_EXTENSIONS *crlDetails; 163 } OSSL_CMP_REVANNCONTENT; 164 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT) 165 166 /*- 167 * Challenge ::= SEQUENCE { 168 * owf AlgorithmIdentifier OPTIONAL, 169 * 170 * -- MUST be present in the first Challenge; MAY be omitted in 171 * -- any subsequent Challenge in POPODecKeyChallContent (if 172 * -- omitted, then the owf used in the immediately preceding 173 * -- Challenge is to be used). 174 * 175 * witness OCTET STRING, 176 * -- the result of applying the one-way function (owf) to a 177 * -- randomly-generated INTEGER, A. [Note that a different 178 * -- INTEGER MUST be used for each Challenge.] 179 * challenge OCTET STRING 180 * -- the encryption (under the public key for which the cert. 181 * -- request is being made) of Rand, where Rand is specified as 182 * -- Rand ::= SEQUENCE { 183 * -- int INTEGER, 184 * -- - the randomly-generated INTEGER A (above) 185 * -- sender GeneralName 186 * -- - the sender's name (as included in PKIHeader) 187 * -- } 188 * } 189 */ 190 typedef struct ossl_cmp_challenge_st { 191 X509_ALGOR *owf; 192 ASN1_OCTET_STRING *witness; 193 ASN1_OCTET_STRING *challenge; 194 } OSSL_CMP_CHALLENGE; 195 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE) 196 197 /*- 198 * CAKeyUpdAnnContent ::= SEQUENCE { 199 * oldWithNew Certificate, 200 * newWithOld Certificate, 201 * newWithNew Certificate 202 * } 203 */ 204 typedef struct ossl_cmp_cakeyupdanncontent_st { 205 X509 *oldWithNew; 206 X509 *newWithOld; 207 X509 *newWithNew; 208 } OSSL_CMP_CAKEYUPDANNCONTENT; 209 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT) 210 211 typedef struct ossl_cmp_rootcakeyupdate_st OSSL_CMP_ROOTCAKEYUPDATE; 212 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ROOTCAKEYUPDATE) 213 214 typedef struct ossl_cmp_certreqtemplate_st OSSL_CMP_CERTREQTEMPLATE; 215 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREQTEMPLATE) 216 217 /*- 218 * CRLSource ::= CHOICE { 219 * dpn [0] DistributionPointName, 220 * issuer [1] GeneralNames } 221 */ 222 223 typedef struct ossl_cmp_crlsource_st { 224 int type; 225 union { 226 DIST_POINT_NAME *dpn; 227 GENERAL_NAMES *issuer; 228 } value; 229 } OSSL_CMP_CRLSOURCE; 230 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CRLSOURCE) 231 232 /* 233 * CRLStatus ::= SEQUENCE { 234 * source CRLSource, 235 * thisUpdate Time OPTIONAL } 236 */ 237 238 struct ossl_cmp_crlstatus_st { 239 OSSL_CMP_CRLSOURCE *source; 240 ASN1_TIME *thisUpdate; 241 }; /* OSSL_CMP_CRLSTATUS */ 242 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CRLSTATUS) 243 244 /*- 245 * declared already here as it will be used in OSSL_CMP_MSG (nested) and 246 * infoType and infoValue 247 */ 248 typedef STACK_OF(OSSL_CMP_MSG) OSSL_CMP_MSGS; 249 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS) 250 251 /*- 252 * InfoTypeAndValue ::= SEQUENCE { 253 * infoType OBJECT IDENTIFIER, 254 * infoValue ANY DEFINED BY infoType OPTIONAL 255 * } 256 */ 257 struct ossl_cmp_itav_st { 258 ASN1_OBJECT *infoType; 259 union { 260 char *ptr; 261 /* NID_id_it_caProtEncCert - CA Protocol Encryption Certificate */ 262 X509 *caProtEncCert; 263 /* NID_id_it_signKeyPairTypes - Signing Key Pair Types */ 264 STACK_OF(X509_ALGOR) *signKeyPairTypes; 265 /* NID_id_it_encKeyPairTypes - Encryption/Key Agreement Key Pair Types */ 266 STACK_OF(X509_ALGOR) *encKeyPairTypes; 267 /* NID_id_it_preferredSymmAlg - Preferred Symmetric Algorithm */ 268 X509_ALGOR *preferredSymmAlg; 269 /* NID_id_it_caKeyUpdateInfo - Updated CA Key Pair */ 270 OSSL_CMP_CAKEYUPDANNCONTENT *caKeyUpdateInfo; 271 /* NID_id_it_currentCRL - CRL */ 272 X509_CRL *currentCRL; 273 /* NID_id_it_unsupportedOIDs - Unsupported Object Identifiers */ 274 STACK_OF(ASN1_OBJECT) *unsupportedOIDs; 275 /* NID_id_it_keyPairParamReq - Key Pair Parameters Request */ 276 ASN1_OBJECT *keyPairParamReq; 277 /* NID_id_it_keyPairParamRep - Key Pair Parameters Response */ 278 X509_ALGOR *keyPairParamRep; 279 /* NID_id_it_revPassphrase - Revocation Passphrase */ 280 OSSL_CRMF_ENCRYPTEDVALUE *revPassphrase; 281 /* NID_id_it_implicitConfirm - ImplicitConfirm */ 282 ASN1_NULL *implicitConfirm; 283 /* NID_id_it_confirmWaitTime - ConfirmWaitTime */ 284 ASN1_GENERALIZEDTIME *confirmWaitTime; 285 /* NID_id_it_origPKIMessage - origPKIMessage */ 286 OSSL_CMP_MSGS *origPKIMessage; 287 /* NID_id_it_suppLangTags - Supported Language Tags */ 288 STACK_OF(ASN1_UTF8STRING) *suppLangTagsValue; 289 /* NID_id_it_certProfile - Certificate Profile */ 290 STACK_OF(ASN1_UTF8STRING) *certProfile; 291 /* NID_id_it_caCerts - CA Certificates */ 292 STACK_OF(X509) *caCerts; 293 /* NID_id_it_rootCaCert - Root CA Certificate */ 294 X509 *rootCaCert; 295 /* NID_id_it_rootCaKeyUpdate - Root CA Certificate Update */ 296 OSSL_CMP_ROOTCAKEYUPDATE *rootCaKeyUpdate; 297 /* NID_id_it_certReqTemplate - Certificate Request Template */ 298 OSSL_CMP_CERTREQTEMPLATE *certReqTemplate; 299 /* NID_id_it_crlStatusList - CRL Update Retrieval */ 300 STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList; 301 /* NID_id_it_crls - Certificate Status Lists */ 302 STACK_OF(X509_CRL) *crls; 303 304 /* this is to be used for so far undeclared objects */ 305 ASN1_TYPE *other; 306 } infoValue; 307 } /* OSSL_CMP_ITAV */; 308 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV) 309 310 typedef struct ossl_cmp_certorenccert_st { 311 int type; 312 union { 313 X509 *certificate; 314 OSSL_CRMF_ENCRYPTEDVALUE *encryptedCert; 315 } value; 316 } OSSL_CMP_CERTORENCCERT; 317 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT) 318 319 /*- 320 * CertifiedKeyPair ::= SEQUENCE { 321 * certOrEncCert CertOrEncCert, 322 * privateKey [0] EncryptedValue OPTIONAL, 323 * -- see [CRMF] for comment on encoding 324 * publicationInfo [1] PKIPublicationInfo OPTIONAL 325 * } 326 */ 327 typedef struct ossl_cmp_certifiedkeypair_st { 328 OSSL_CMP_CERTORENCCERT *certOrEncCert; 329 OSSL_CRMF_ENCRYPTEDVALUE *privateKey; 330 OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo; 331 } OSSL_CMP_CERTIFIEDKEYPAIR; 332 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR) 333 334 /*- 335 * PKIStatusInfo ::= SEQUENCE { 336 * status PKIStatus, 337 * statusString PKIFreeText OPTIONAL, 338 * failInfo PKIFailureInfo OPTIONAL 339 * } 340 */ 341 struct ossl_cmp_pkisi_st { 342 OSSL_CMP_PKISTATUS *status; 343 OSSL_CMP_PKIFREETEXT *statusString; 344 OSSL_CMP_PKIFAILUREINFO *failInfo; 345 } /* OSSL_CMP_PKISI */; 346 347 /*- 348 * RevReqContent ::= SEQUENCE OF RevDetails 349 * 350 * RevDetails ::= SEQUENCE { 351 * certDetails CertTemplate, 352 * crlEntryDetails Extensions OPTIONAL 353 * } 354 */ 355 struct ossl_cmp_revdetails_st { 356 OSSL_CRMF_CERTTEMPLATE *certDetails; 357 X509_EXTENSIONS *crlEntryDetails; 358 } /* OSSL_CMP_REVDETAILS */; 359 typedef struct ossl_cmp_revdetails_st OSSL_CMP_REVDETAILS; 360 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS) 361 DEFINE_STACK_OF(OSSL_CMP_REVDETAILS) 362 363 /*- 364 * RevRepContent ::= SEQUENCE { 365 * status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo, 366 * -- in same order as was sent in RevReqContent 367 * revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId 368 * OPTIONAL, 369 * -- IDs for which revocation was requested 370 * -- (same order as status) 371 * crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList 372 * OPTIONAL 373 * -- the resulting CRLs (there may be more than one) 374 * } 375 */ 376 struct ossl_cmp_revrepcontent_st { 377 STACK_OF(OSSL_CMP_PKISI) *status; 378 STACK_OF(OSSL_CRMF_CERTID) *revCerts; 379 STACK_OF(X509_CRL) *crls; 380 } /* OSSL_CMP_REVREPCONTENT */; 381 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT) 382 383 /*- 384 * KeyRecRepContent ::= SEQUENCE { 385 * status PKIStatusInfo, 386 * newSigCert [0] Certificate OPTIONAL, 387 * caCerts [1] SEQUENCE SIZE (1..MAX) OF 388 * Certificate OPTIONAL, 389 * keyPairHist [2] SEQUENCE SIZE (1..MAX) OF 390 * CertifiedKeyPair OPTIONAL 391 * } 392 */ 393 typedef struct ossl_cmp_keyrecrepcontent_st { 394 OSSL_CMP_PKISI *status; 395 X509 *newSigCert; 396 STACK_OF(X509) *caCerts; 397 STACK_OF(OSSL_CMP_CERTIFIEDKEYPAIR) *keyPairHist; 398 } OSSL_CMP_KEYRECREPCONTENT; 399 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT) 400 401 /*- 402 * ErrorMsgContent ::= SEQUENCE { 403 * pKIStatusInfo PKIStatusInfo, 404 * errorCode INTEGER OPTIONAL, 405 * -- implementation-specific error codes 406 * errorDetails PKIFreeText OPTIONAL 407 * -- implementation-specific error details 408 * } 409 */ 410 typedef struct ossl_cmp_errormsgcontent_st { 411 OSSL_CMP_PKISI *pKIStatusInfo; 412 ASN1_INTEGER *errorCode; 413 OSSL_CMP_PKIFREETEXT *errorDetails; 414 } OSSL_CMP_ERRORMSGCONTENT; 415 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT) 416 417 /*- 418 * CertConfirmContent ::= SEQUENCE OF CertStatus 419 * 420 * CertStatus ::= SEQUENCE { 421 * certHash OCTET STRING, 422 * -- the hash of the certificate, using the same hash algorithm 423 * -- as is used to create and verify the certificate signature 424 * certReqId INTEGER, 425 * -- to match this confirmation with the corresponding req/rep 426 * statusInfo PKIStatusInfo OPTIONAL, 427 * hashAlg [0] AlgorithmIdentifier OPTIONAL 428 * } 429 */ 430 struct ossl_cmp_certstatus_st { 431 ASN1_OCTET_STRING *certHash; 432 ASN1_INTEGER *certReqId; 433 OSSL_CMP_PKISI *statusInfo; 434 X509_ALGOR *hashAlg; /* 0 */ 435 } /* OSSL_CMP_CERTSTATUS */; 436 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS) 437 typedef STACK_OF(OSSL_CMP_CERTSTATUS) OSSL_CMP_CERTCONFIRMCONTENT; 438 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT) 439 440 /*- 441 * CertResponse ::= SEQUENCE { 442 * certReqId INTEGER, 443 * -- to match this response with corresponding request (a value 444 * -- of -1 is to be used if certReqId is not specified in the 445 * -- corresponding request) 446 * status PKIStatusInfo, 447 * certifiedKeyPair CertifiedKeyPair OPTIONAL, 448 * rspInfo OCTET STRING OPTIONAL 449 * -- analogous to the id-regInfo-utf8Pairs string defined 450 * -- for regInfo in CertReqMsg [CRMF] 451 * } 452 */ 453 struct ossl_cmp_certresponse_st { 454 ASN1_INTEGER *certReqId; 455 OSSL_CMP_PKISI *status; 456 OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair; 457 ASN1_OCTET_STRING *rspInfo; 458 } /* OSSL_CMP_CERTRESPONSE */; 459 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE) 460 461 /*- 462 * CertRepMessage ::= SEQUENCE { 463 * caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate 464 * OPTIONAL, 465 * response SEQUENCE OF CertResponse 466 * } 467 */ 468 struct ossl_cmp_certrepmessage_st { 469 STACK_OF(X509) *caPubs; 470 STACK_OF(OSSL_CMP_CERTRESPONSE) *response; 471 } /* OSSL_CMP_CERTREPMESSAGE */; 472 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE) 473 474 /*- 475 * PollReqContent ::= SEQUENCE OF SEQUENCE { 476 * certReqId INTEGER 477 * } 478 */ 479 typedef struct ossl_cmp_pollreq_st { 480 ASN1_INTEGER *certReqId; 481 } OSSL_CMP_POLLREQ; 482 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ) 483 DEFINE_STACK_OF(OSSL_CMP_POLLREQ) 484 typedef STACK_OF(OSSL_CMP_POLLREQ) OSSL_CMP_POLLREQCONTENT; 485 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQCONTENT) 486 487 /*- 488 * PollRepContent ::= SEQUENCE OF SEQUENCE { 489 * certReqId INTEGER, 490 * checkAfter INTEGER, -- time in seconds 491 * reason PKIFreeText OPTIONAL 492 * } 493 */ 494 struct ossl_cmp_pollrep_st { 495 ASN1_INTEGER *certReqId; 496 ASN1_INTEGER *checkAfter; 497 OSSL_CMP_PKIFREETEXT *reason; 498 } /* OSSL_CMP_POLLREP */; 499 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREP) 500 DEFINE_STACK_OF(OSSL_CMP_POLLREP) 501 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT) 502 503 /*- 504 * PKIHeader ::= SEQUENCE { 505 * pvno INTEGER { cmp1999(1), cmp2000(2), cmp2021(3) }, 506 * sender GeneralName, 507 * -- identifies the sender 508 * recipient GeneralName, 509 * -- identifies the intended recipient 510 * messageTime [0] GeneralizedTime OPTIONAL, 511 * -- time of production of this message (used when sender 512 * -- believes that the transport will be "suitable"; i.e., 513 * -- that the time will still be meaningful upon receipt) 514 * protectionAlg [1] AlgorithmIdentifier OPTIONAL, 515 * -- algorithm used for calculation of protection bits 516 * senderKID [2] KeyIdentifier OPTIONAL, 517 * recipKID [3] KeyIdentifier OPTIONAL, 518 * -- to identify specific keys used for protection 519 * transactionID [4] OCTET STRING OPTIONAL, 520 * -- identifies the transaction; i.e., this will be the same in 521 * -- corresponding request, response, certConf, and PKIConf 522 * -- messages 523 * senderNonce [5] OCTET STRING OPTIONAL, 524 * recipNonce [6] OCTET STRING OPTIONAL, 525 * -- nonces used to provide replay protection, senderNonce 526 * -- is inserted by the creator of this message; recipNonce 527 * -- is a nonce previously inserted in a related message by 528 * -- the intended recipient of this message 529 * freeText [7] PKIFreeText OPTIONAL, 530 * -- this may be used to indicate context-specific instructions 531 * -- (this field is intended for human consumption) 532 * generalInfo [8] SEQUENCE SIZE (1..MAX) OF 533 * InfoTypeAndValue OPTIONAL 534 * -- this may be used to convey context-specific information 535 * -- (this field not primarily intended for human consumption) 536 * } 537 */ 538 struct ossl_cmp_pkiheader_st { 539 ASN1_INTEGER *pvno; 540 GENERAL_NAME *sender; 541 GENERAL_NAME *recipient; 542 ASN1_GENERALIZEDTIME *messageTime; /* 0 */ 543 X509_ALGOR *protectionAlg; /* 1 */ 544 ASN1_OCTET_STRING *senderKID; /* 2 */ 545 ASN1_OCTET_STRING *recipKID; /* 3 */ 546 ASN1_OCTET_STRING *transactionID; /* 4 */ 547 ASN1_OCTET_STRING *senderNonce; /* 5 */ 548 ASN1_OCTET_STRING *recipNonce; /* 6 */ 549 OSSL_CMP_PKIFREETEXT *freeText; /* 7 */ 550 STACK_OF(OSSL_CMP_ITAV) *generalInfo; /* 8 */ 551 } /* OSSL_CMP_PKIHEADER */; 552 553 typedef STACK_OF(OSSL_CMP_CHALLENGE) OSSL_CMP_POPODECKEYCHALLCONTENT; 554 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYCHALLCONTENT) 555 typedef STACK_OF(ASN1_INTEGER) OSSL_CMP_POPODECKEYRESPCONTENT; 556 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYRESPCONTENT) 557 typedef STACK_OF(OSSL_CMP_REVDETAILS) OSSL_CMP_REVREQCONTENT; 558 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREQCONTENT) 559 typedef STACK_OF(X509_CRL) OSSL_CMP_CRLANNCONTENT; 560 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CRLANNCONTENT) 561 typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENMSGCONTENT; 562 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENMSGCONTENT) 563 typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENREPCONTENT; 564 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENREPCONTENT) 565 566 /*- 567 * PKIBody ::= CHOICE { -- message-specific body elements 568 * ir [0] CertReqMessages, --Initialization Request 569 * ip [1] CertRepMessage, --Initialization Response 570 * cr [2] CertReqMessages, --Certification Request 571 * cp [3] CertRepMessage, --Certification Response 572 * p10cr [4] CertificationRequest, --imported from [PKCS10] 573 * popdecc [5] POPODecKeyChallContent, --pop Challenge 574 * popdecr [6] POPODecKeyRespContent, --pop Response 575 * kur [7] CertReqMessages, --Key Update Request 576 * kup [8] CertRepMessage, --Key Update Response 577 * krr [9] CertReqMessages, --Key Recovery Request 578 * krp [10] KeyRecRepContent, --Key Recovery Response 579 * rr [11] RevReqContent, --Revocation Request 580 * rp [12] RevRepContent, --Revocation Response 581 * ccr [13] CertReqMessages, --Cross-Cert. Request 582 * ccp [14] CertRepMessage, --Cross-Cert. Response 583 * ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. 584 * cann [16] CertAnnContent, --Certificate Ann. 585 * rann [17] RevAnnContent, --Revocation Ann. 586 * crlann [18] CRLAnnContent, --CRL Announcement 587 * pkiconf [19] PKIConfirmContent, --Confirmation 588 * nested [20] NestedMessageContent, --Nested Message 589 * genm [21] GenMsgContent, --General Message 590 * genp [22] GenRepContent, --General Response 591 * error [23] ErrorMsgContent, --Error Message 592 * certConf [24] CertConfirmContent, --Certificate confirm 593 * pollReq [25] PollReqContent, --Polling request 594 * pollRep [26] PollRepContent --Polling response 595 * } 596 */ 597 typedef struct ossl_cmp_pkibody_st { 598 int type; 599 union { 600 OSSL_CRMF_MSGS *ir; /* 0 */ 601 OSSL_CMP_CERTREPMESSAGE *ip; /* 1 */ 602 OSSL_CRMF_MSGS *cr; /* 2 */ 603 OSSL_CMP_CERTREPMESSAGE *cp; /* 3 */ 604 /*- 605 * p10cr [4] CertificationRequest, --imported from [PKCS10] 606 * 607 * PKCS10_CERTIFICATIONREQUEST is effectively X509_REQ 608 * so it is used directly 609 */ 610 X509_REQ *p10cr; /* 4 */ 611 /*- 612 * popdecc [5] POPODecKeyChallContent, --pop Challenge 613 * 614 * POPODecKeyChallContent ::= SEQUENCE OF Challenge 615 */ 616 OSSL_CMP_POPODECKEYCHALLCONTENT *popdecc; /* 5 */ 617 /*- 618 * popdecr [6] POPODecKeyRespContent, --pop Response 619 * 620 * POPODecKeyRespContent ::= SEQUENCE OF INTEGER 621 */ 622 OSSL_CMP_POPODECKEYRESPCONTENT *popdecr; /* 6 */ 623 OSSL_CRMF_MSGS *kur; /* 7 */ 624 OSSL_CMP_CERTREPMESSAGE *kup; /* 8 */ 625 OSSL_CRMF_MSGS *krr; /* 9 */ 626 627 /*- 628 * krp [10] KeyRecRepContent, --Key Recovery Response 629 */ 630 OSSL_CMP_KEYRECREPCONTENT *krp; /* 10 */ 631 /*- 632 * rr [11] RevReqContent, --Revocation Request 633 */ 634 OSSL_CMP_REVREQCONTENT *rr; /* 11 */ 635 /*- 636 * rp [12] RevRepContent, --Revocation Response 637 */ 638 OSSL_CMP_REVREPCONTENT *rp; /* 12 */ 639 /*- 640 * ccr [13] CertReqMessages, --Cross-Cert. Request 641 */ 642 OSSL_CRMF_MSGS *ccr; /* 13 */ 643 /*- 644 * ccp [14] CertRepMessage, --Cross-Cert. Response 645 */ 646 OSSL_CMP_CERTREPMESSAGE *ccp; /* 14 */ 647 /*- 648 * ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. 649 */ 650 OSSL_CMP_CAKEYUPDANNCONTENT *ckuann; /* 15 */ 651 /*- 652 * cann [16] CertAnnContent, --Certificate Ann. 653 * OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly 654 */ 655 X509 *cann; /* 16 */ 656 /*- 657 * rann [17] RevAnnContent, --Revocation Ann. 658 */ 659 OSSL_CMP_REVANNCONTENT *rann; /* 17 */ 660 /*- 661 * crlann [18] CRLAnnContent, --CRL Announcement 662 * CRLAnnContent ::= SEQUENCE OF CertificateList 663 */ 664 OSSL_CMP_CRLANNCONTENT *crlann; /* 18 */ 665 /*- 666 * PKIConfirmContent ::= NULL 667 * pkiconf [19] PKIConfirmContent, --Confirmation 668 * OSSL_CMP_PKICONFIRMCONTENT would be only a typedef of ASN1_NULL 669 * OSSL_CMP_CONFIRMCONTENT *pkiconf; 670 * 671 * NOTE: this should ASN1_NULL according to the RFC 672 * but there might be a struct in it when sent from faulty servers... 673 */ 674 ASN1_TYPE *pkiconf; /* 19 */ 675 /*- 676 * nested [20] NestedMessageContent, --Nested Message 677 * NestedMessageContent ::= PKIMessages 678 */ 679 OSSL_CMP_MSGS *nested; /* 20 */ 680 /*- 681 * genm [21] GenMsgContent, --General Message 682 * GenMsgContent ::= SEQUENCE OF InfoTypeAndValue 683 */ 684 OSSL_CMP_GENMSGCONTENT *genm; /* 21 */ 685 /*- 686 * genp [22] GenRepContent, --General Response 687 * GenRepContent ::= SEQUENCE OF InfoTypeAndValue 688 */ 689 OSSL_CMP_GENREPCONTENT *genp; /* 22 */ 690 /*- 691 * error [23] ErrorMsgContent, --Error Message 692 */ 693 OSSL_CMP_ERRORMSGCONTENT *error; /* 23 */ 694 /*- 695 * certConf [24] CertConfirmContent, --Certificate confirm 696 */ 697 OSSL_CMP_CERTCONFIRMCONTENT *certConf; /* 24 */ 698 /*- 699 * pollReq [25] PollReqContent, --Polling request 700 */ 701 OSSL_CMP_POLLREQCONTENT *pollReq; /* 25 */ 702 /*- 703 * pollRep [26] PollRepContent --Polling response 704 */ 705 OSSL_CMP_POLLREPCONTENT *pollRep; /* 26 */ 706 } value; 707 } OSSL_CMP_PKIBODY; 708 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY) 709 710 /*- 711 * PKIProtection ::= BIT STRING 712 * 713 * PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage 714 * 715 * PKIMessage ::= SEQUENCE { 716 * header PKIHeader, 717 * body PKIBody, 718 * protection [0] PKIProtection OPTIONAL, 719 * extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate 720 * OPTIONAL 721 * } 722 */ 723 struct ossl_cmp_msg_st { 724 OSSL_CMP_PKIHEADER *header; 725 OSSL_CMP_PKIBODY *body; 726 ASN1_BIT_STRING *protection; /* 0 */ 727 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ 728 STACK_OF(X509) *extraCerts; /* 1 */ 729 OSSL_LIB_CTX *libctx; 730 char *propq; 731 } /* OSSL_CMP_MSG */; 732 OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq); 733 void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg); 734 735 /*- 736 * ProtectedPart ::= SEQUENCE { 737 * header PKIHeader, 738 * body PKIBody 739 * } 740 */ 741 typedef struct ossl_cmp_protectedpart_st { 742 OSSL_CMP_PKIHEADER *header; 743 OSSL_CMP_PKIBODY *body; 744 } OSSL_CMP_PROTECTEDPART; 745 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PROTECTEDPART) 746 747 /*- 748 * this is not defined here as it is already in CRMF: 749 * id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13} 750 * PBMParameter ::= SEQUENCE { 751 * salt OCTET STRING, 752 * -- note: implementations MAY wish to limit acceptable sizes 753 * -- of this string to values appropriate for their environment 754 * -- in order to reduce the risk of denial-of-service attacks 755 * owf AlgorithmIdentifier, 756 * -- AlgId for a One-Way Function (SHA-1 recommended) 757 * iterationCount INTEGER, 758 * -- number of times the OWF is applied 759 * -- note: implementations MAY wish to limit acceptable sizes 760 * -- of this integer to values appropriate for their environment 761 * -- in order to reduce the risk of denial-of-service attacks 762 * mac AlgorithmIdentifier 763 * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], 764 * } -- or HMAC [RFC2104, RFC2202]) 765 */ 766 /*- 767 * Not supported: 768 * id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30} 769 * DHBMParameter ::= SEQUENCE { 770 * owf AlgorithmIdentifier, 771 * -- AlgId for a One-Way Function (SHA-1 recommended) 772 * mac AlgorithmIdentifier 773 * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], 774 * } -- or HMAC [RFC2104, RFC2202]) 775 */ 776 /*- 777 * The following is not cared for, because it is described in section 5.2.5 778 * that this is beyond the scope of CMP 779 * OOBCert ::= CMPCertificate 780 * 781 * OOBCertHash ::= SEQUENCE { 782 * hashAlg [0] AlgorithmIdentifier OPTIONAL, 783 * certId [1] CertId OPTIONAL, 784 * hashVal BIT STRING 785 * -- hashVal is calculated over the DER encoding of the 786 * -- self-signed certificate with the identifier certID. 787 * } 788 */ 789 790 /* 791 * RootCaKeyUpdateContent ::= SEQUENCE { 792 * newWithNew CMPCertificate, 793 * newWithOld [0] CMPCertificate OPTIONAL, 794 * oldWithNew [1] CMPCertificate OPTIONAL 795 * } 796 */ 797 798 struct ossl_cmp_rootcakeyupdate_st { 799 X509 *newWithNew; 800 X509 *newWithOld; 801 X509 *oldWithNew; 802 } /* OSSL_CMP_ROOTCAKEYUPDATE */; 803 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ROOTCAKEYUPDATE) 804 805 /*- 806 * CertReqTemplateContent ::= SEQUENCE { 807 * certTemplate CertTemplate, 808 * keySpec Controls OPTIONAL 809 * } 810 */ 811 struct ossl_cmp_certreqtemplate_st { 812 OSSL_CRMF_CERTTEMPLATE *certTemplate; 813 OSSL_CMP_ATAVS *keySpec; 814 } /* OSSL_CMP_CERTREQTEMPLATE */; 815 816 /* from cmp_asn.c */ 817 int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a); 818 819 /* from cmp_util.c */ 820 const char *ossl_cmp_log_parse_metadata(const char *buf, 821 OSSL_CMP_severity *level, char **func, 822 char **file, int *line); 823 # define ossl_cmp_add_error_data(txt) ERR_add_error_txt(" : ", txt) 824 # define ossl_cmp_add_error_line(txt) ERR_add_error_txt("\n", txt) 825 /* The two functions manipulating X509_STORE could be generally useful */ 826 int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs, 827 int only_self_issued); 828 STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store); 829 int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk, 830 const char *text, int len); 831 int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt, 832 const ASN1_OCTET_STRING *src); 833 int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt, 834 const unsigned char *bytes, int len); 835 836 /* from cmp_ctx.c */ 837 int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx, 838 const char *func, const char *file, int line, 839 const char *level_str, const char *format, ...); 840 # define ossl_cmp_log(level, ctx, msg) \ 841 ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \ 842 OPENSSL_LINE, #level, "%s", msg) 843 # define ossl_cmp_log1(level, ctx, fmt, arg1) \ 844 ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \ 845 OPENSSL_LINE, #level, fmt, arg1) 846 # define ossl_cmp_log2(level, ctx, fmt, arg1, arg2) \ 847 ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \ 848 OPENSSL_LINE, #level, fmt, arg1, arg2) 849 # define ossl_cmp_log3(level, ctx, fmt, arg1, arg2, arg3) \ 850 ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \ 851 OPENSSL_LINE, #level, fmt, arg1, arg2, arg3) 852 # define ossl_cmp_log4(level, ctx, fmt, arg1, arg2, arg3, arg4) \ 853 ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \ 854 OPENSSL_LINE, #level, fmt, arg1, arg2, arg3, arg4) 855 # define OSSL_CMP_LOG_ERROR OSSL_CMP_LOG_ERR 856 # define OSSL_CMP_LOG_WARN OSSL_CMP_LOG_WARNING 857 # define ossl_cmp_alert(ctx, msg) ossl_cmp_log(ALERT, ctx, msg) 858 # define ossl_cmp_err(ctx, msg) ossl_cmp_log(ERROR, ctx, msg) 859 # define ossl_cmp_warn(ctx, msg) ossl_cmp_log(WARN, ctx, msg) 860 # define ossl_cmp_info(ctx, msg) ossl_cmp_log(INFO, ctx, msg) 861 # define ossl_cmp_debug(ctx, msg) ossl_cmp_log(DEBUG, ctx, msg) 862 # define ossl_cmp_trace(ctx, msg) ossl_cmp_log(TRACE, ctx, msg) 863 int ossl_cmp_ctx_set1_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert); 864 int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status); 865 int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx, 866 OSSL_CMP_PKIFREETEXT *text); 867 int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info); 868 int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert); 869 int ossl_cmp_ctx_set1_newChain(OSSL_CMP_CTX *ctx, STACK_OF(X509) *newChain); 870 int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs); 871 int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx, 872 STACK_OF(X509) *extraCertsIn); 873 int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx, 874 const ASN1_OCTET_STRING *nonce); 875 EVP_PKEY *ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX *ctx); 876 int ossl_cmp_ctx_set1_first_senderNonce(OSSL_CMP_CTX *ctx, 877 const ASN1_OCTET_STRING *nonce); 878 879 /* from cmp_status.c */ 880 int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si); 881 const char *ossl_cmp_PKIStatus_to_string(int status); 882 OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI *s); 883 int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si); 884 int ossl_cmp_pkisi_check_pkifailureinfo(const OSSL_CMP_PKISI *si, int index); 885 886 /* from cmp_hdr.c */ 887 int ossl_cmp_hdr_set_pvno(OSSL_CMP_PKIHEADER *hdr, int pvno); 888 int ossl_cmp_hdr_get_pvno(const OSSL_CMP_PKIHEADER *hdr); 889 int ossl_cmp_hdr_get_protection_nid(const OSSL_CMP_PKIHEADER *hdr); 890 ASN1_OCTET_STRING *ossl_cmp_hdr_get0_senderNonce(const OSSL_CMP_PKIHEADER *hdr); 891 int ossl_cmp_general_name_is_NULL_DN(GENERAL_NAME *name); 892 int ossl_cmp_hdr_set1_sender(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm); 893 int ossl_cmp_hdr_set1_recipient(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm); 894 int ossl_cmp_hdr_update_messageTime(OSSL_CMP_PKIHEADER *hdr); 895 int ossl_cmp_hdr_set1_senderKID(OSSL_CMP_PKIHEADER *hdr, 896 const ASN1_OCTET_STRING *senderKID); 897 int ossl_cmp_hdr_push0_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text); 898 int ossl_cmp_hdr_push1_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text); 899 int ossl_cmp_hdr_generalInfo_push0_item(OSSL_CMP_PKIHEADER *hdr, 900 OSSL_CMP_ITAV *itav); 901 int ossl_cmp_hdr_generalInfo_push1_items(OSSL_CMP_PKIHEADER *hdr, 902 const STACK_OF(OSSL_CMP_ITAV) *itavs); 903 int ossl_cmp_hdr_set_implicitConfirm(OSSL_CMP_PKIHEADER *hdr); 904 int ossl_cmp_hdr_has_implicitConfirm(const OSSL_CMP_PKIHEADER *hdr); 905 # define OSSL_CMP_TRANSACTIONID_LENGTH 16 906 # define OSSL_CMP_SENDERNONCE_LENGTH 16 907 int ossl_cmp_hdr_set_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr); 908 int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr); 909 910 /* from cmp_msg.c */ 911 /* OSSL_CMP_MSG bodytype ASN.1 choice IDs */ 912 # define OSSL_CMP_PKIBODY_IR 0 913 # define OSSL_CMP_PKIBODY_IP 1 914 # define OSSL_CMP_PKIBODY_CR 2 915 # define OSSL_CMP_PKIBODY_CP 3 916 # define OSSL_CMP_PKIBODY_P10CR 4 917 # define OSSL_CMP_PKIBODY_POPDECC 5 918 # define OSSL_CMP_PKIBODY_POPDECR 6 919 # define OSSL_CMP_PKIBODY_KUR 7 920 # define OSSL_CMP_PKIBODY_KUP 8 921 # define OSSL_CMP_PKIBODY_KRR 9 922 # define OSSL_CMP_PKIBODY_KRP 10 923 # define OSSL_CMP_PKIBODY_RR 11 924 # define OSSL_CMP_PKIBODY_RP 12 925 # define OSSL_CMP_PKIBODY_CCR 13 926 # define OSSL_CMP_PKIBODY_CCP 14 927 # define OSSL_CMP_PKIBODY_CKUANN 15 928 # define OSSL_CMP_PKIBODY_CANN 16 929 # define OSSL_CMP_PKIBODY_RANN 17 930 # define OSSL_CMP_PKIBODY_CRLANN 18 931 # define OSSL_CMP_PKIBODY_PKICONF 19 932 # define OSSL_CMP_PKIBODY_NESTED 20 933 # define OSSL_CMP_PKIBODY_GENM 21 934 # define OSSL_CMP_PKIBODY_GENP 22 935 # define OSSL_CMP_PKIBODY_ERROR 23 936 # define OSSL_CMP_PKIBODY_CERTCONF 24 937 # define OSSL_CMP_PKIBODY_POLLREQ 25 938 # define OSSL_CMP_PKIBODY_POLLREP 26 939 # define OSSL_CMP_PKIBODY_TYPE_MAX OSSL_CMP_PKIBODY_POLLREP 940 /* certReqId for the first - and so far only - certificate request */ 941 # define OSSL_CMP_CERTREQID 0 942 # define OSSL_CMP_CERTREQID_NONE -1 943 # define OSSL_CMP_CERTREQID_INVALID -2 944 /* sequence id for the first - and so far only - revocation request */ 945 # define OSSL_CMP_REVREQSID 0 946 int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx, 947 const char *propq); 948 const char *ossl_cmp_bodytype_to_string(int type); 949 int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type); 950 OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype); 951 OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype, 952 const OSSL_CRMF_MSG *crm); 953 OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, 954 int certReqId, const OSSL_CMP_PKISI *si, 955 X509 *cert, const X509 *encryption_recip, 956 STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, 957 int unprotectedErrors); 958 OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx); 959 OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, 960 const OSSL_CRMF_CERTID *cid, 961 int unprotectedErrors); 962 OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx); 963 OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, 964 int64_t poll_after); 965 int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav); 966 int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg, 967 const STACK_OF(OSSL_CMP_ITAV) *itavs); 968 OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx); 969 OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx, 970 const STACK_OF(OSSL_CMP_ITAV) *itavs); 971 OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, 972 int64_t errorCode, const char *details, 973 int unprotected); 974 int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus, 975 ASN1_OCTET_STRING *hash); 976 OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int certReqId, 977 int fail_info, const char *text); 978 OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid); 979 OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, 980 int64_t poll_after); 981 OSSL_CMP_PKISI * 982 ossl_cmp_revrepcontent_get_pkisi(OSSL_CMP_REVREPCONTENT *rrep, int rsid); 983 OSSL_CRMF_CERTID *ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rc, 984 int rsid); 985 OSSL_CMP_POLLREP * 986 ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc, 987 int rid); 988 OSSL_CMP_CERTRESPONSE * 989 ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm, 990 int rid); 991 X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx, 992 const OSSL_CMP_CERTRESPONSE *crep); 993 OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file); 994 int ossl_cmp_is_error_with_waiting(const OSSL_CMP_MSG *msg); 995 996 /* from cmp_protect.c */ 997 int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); 998 ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx, 999 const OSSL_CMP_MSG *msg); 1000 int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); 1001 1002 /* from cmp_vfy.c */ 1003 typedef int (*ossl_cmp_allow_unprotected_cb_t)(const OSSL_CMP_CTX *ctx, 1004 const OSSL_CMP_MSG *msg, 1005 int invalid_protection, int arg); 1006 int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, 1007 ossl_cmp_allow_unprotected_cb_t cb, int cb_arg); 1008 int ossl_cmp_msg_check_received(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, 1009 ossl_cmp_allow_unprotected_cb_t cb, int cb_arg); 1010 int ossl_cmp_verify_popo(const OSSL_CMP_CTX *ctx, 1011 const OSSL_CMP_MSG *msg, int accept_RAVerified); 1012 1013 /* from cmp_client.c */ 1014 /* expected max time per msg round trip, used for last try during polling: */ 1015 # define OSSL_CMP_EXPECTED_RESP_TIME 2 1016 int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId, 1017 int fail_info, const char *txt); 1018 int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info, 1019 const char *txt, int errorCode, const char *detail); 1020 1021 #endif /* !defined(OSSL_CRYPTO_CMP_LOCAL_H) */ 1022
