1=pod 2 3=head1 NAME 4 5OSSL_CMP_validate_msg, 6OSSL_CMP_validate_cert_path 7- functions for verifying CMP message protection 8 9=head1 SYNOPSIS 10 11 #include <openssl/cmp.h> 12 int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); 13 int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx, 14 X509_STORE *trusted_store, X509 *cert); 15 16=head1 DESCRIPTION 17 18This is the API for validating the protection of CMP messages, 19which includes validating CMP message sender certificates and their paths 20while optionally checking the revocation status of the certificates(s). 21 22OSSL_CMP_validate_msg() validates the protection of the given I<msg>, 23which must be signature-based or using password-based MAC (PBM). 24In the former case a suitable trust anchor must be given in the CMP context 25I<ctx>, and in the latter case the matching secret must have been set there 26using L<OSSL_CMP_CTX_set1_secretValue(3)>. 27 28In case of signature algorithm, the certificate to use for the signature check 29is preferably the one provided by a call to L<OSSL_CMP_CTX_set1_srvCert(3)>. 30If no such sender cert has been pinned then candidate sender certificates are 31taken from the list of certificates received in the I<msg> extraCerts, then any 32certificates provided before via L<OSSL_CMP_CTX_set1_untrusted(3)>, and 33then all trusted certificates provided via L<OSSL_CMP_CTX_set0_trusted(3)>. 34A candidate certificate is acceptable only if it is currently valid 35(or the trust store contains a verification callback that overrides the verdict 36that the certificate is expired or not yet valid), its subject DN matches 37the I<msg> sender DN (as far as present), and its subject key identifier 38is present and matches the senderKID (as far as the latter is present). 39Each acceptable cert is tried in the given order to see if the message 40signature check succeeds and the cert and its path can be verified 41using any trust store set via L<OSSL_CMP_CTX_set0_trusted(3)>. 42 43If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling 44L<OSSL_CMP_CTX_set_option(3)>, for an Initialization Response (IP) message 45any self-issued certificate from the I<msg> extraCerts field may be used 46as a trust anchor for the path verification of an 'acceptable' cert if it can be 47used also to validate the issued certificate returned in the IP message. This is 48according to TS 33.310 [Network Domain Security (NDS); Authentication Framework 49(AF)] document specified by the The 3rd Generation Partnership Project (3GPP). 50Note that using this option is dangerous as the certificate obtained this way 51has not been authenticated (at least not at CMP level). 52Taking it over as a trust anchor implements trust-on-first-use (TOFU). 53 54Any cert that has been found as described above is cached and tried first when 55validating the signatures of subsequent messages in the same transaction. 56 57OSSL_CMP_validate_cert_path() attempts to validate the given certificate and its 58path using the given store of trusted certs (possibly including CRLs and a cert 59verification callback) and non-trusted intermediate certs from the I<ctx>. 60 61=head1 NOTES 62 63CMP is defined in RFC 4210 (and CRMF in RFC 4211). 64 65=head1 RETURN VALUES 66 67OSSL_CMP_validate_msg() and OSSL_CMP_validate_cert_path() 68return 1 on success, 0 on error or validation failed. 69 70=head1 SEE ALSO 71 72L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_certreq(3)>, 73L<OSSL_CMP_CTX_set1_secretValue(3)>, L<OSSL_CMP_CTX_set1_srvCert(3)>, 74L<OSSL_CMP_CTX_set1_untrusted(3)>, L<OSSL_CMP_CTX_set0_trusted(3)> 75 76=head1 HISTORY 77 78The OpenSSL CMP support was added in OpenSSL 3.0. 79 80=head1 COPYRIGHT 81 82Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved. 83 84Licensed under the Apache License 2.0 (the "License"). You may not use 85this file except in compliance with the License. You can obtain a copy 86in the file LICENSE in the source distribution or at 87L<https://www.openssl.org/source/license.html>. 88 89=cut 90
