1/* 2 * {- join("\n * ", @autowarntext) -} 3 * 4 * Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved. 5 * Copyright Nokia 2007-2019 6 * Copyright Siemens AG 2015-2019 7 * 8 * Licensed under the Apache License 2.0 (the "License"). You may not use 9 * this file except in compliance with the License. You can obtain a copy 10 * in the file LICENSE in the source distribution or at 11 * https://www.openssl.org/source/license.html 12 */ 13 14{- 15use OpenSSL::stackhash qw(generate_stack_macros); 16-} 17 18#ifndef OPENSSL_CMP_H 19# define OPENSSL_CMP_H 20 21# include <openssl/opensslconf.h> 22# ifndef OPENSSL_NO_CMP 23 24# include <openssl/crmf.h> 25# include <openssl/cmperr.h> 26# include <openssl/cmp_util.h> 27# include <openssl/http.h> 28 29/* explicit #includes not strictly needed since implied by the above: */ 30# include <openssl/types.h> 31# include <openssl/safestack.h> 32# include <openssl/x509.h> 33# include <openssl/x509v3.h> 34 35# ifdef __cplusplus 36extern "C" { 37# endif 38 39# define OSSL_CMP_PVNO_2 2 40# define OSSL_CMP_PVNO_3 3 41# define OSSL_CMP_PVNO OSSL_CMP_PVNO_2 /* v2 is the default */ 42 43/*- 44 * PKIFailureInfo ::= BIT STRING { 45 * -- since we can fail in more than one way! 46 * -- More codes may be added in the future if/when required. 47 * badAlg (0), 48 * -- unrecognized or unsupported Algorithm Identifier 49 * badMessageCheck (1), 50 * -- integrity check failed (e.g., signature did not verify) 51 * badRequest (2), 52 * -- transaction not permitted or supported 53 * badTime (3), 54 * -- messageTime was not sufficiently close to the system time, 55 * -- as defined by local policy 56 * badCertId (4), 57 * -- no certificate could be found matching the provided criteria 58 * badDataFormat (5), 59 * -- the data submitted has the wrong format 60 * wrongAuthority (6), 61 * -- the authority indicated in the request is different from the 62 * -- one creating the response token 63 * incorrectData (7), 64 * -- the requester's data is incorrect (for notary services) 65 * missingTimeStamp (8), 66 * -- when the timestamp is missing but should be there 67 * -- (by policy) 68 * badPOP (9), 69 * -- the proof-of-possession failed 70 * certRevoked (10), 71 * -- the certificate has already been revoked 72 * certConfirmed (11), 73 * -- the certificate has already been confirmed 74 * wrongIntegrity (12), 75 * -- invalid integrity, password based instead of signature or 76 * -- vice versa 77 * badRecipientNonce (13), 78 * -- invalid recipient nonce, either missing or wrong value 79 * timeNotAvailable (14), 80 * -- the TSA's time source is not available 81 * unacceptedPolicy (15), 82 * -- the requested TSA policy is not supported by the TSA. 83 * unacceptedExtension (16), 84 * -- the requested extension is not supported by the TSA. 85 * addInfoNotAvailable (17), 86 * -- the additional information requested could not be 87 * -- understood or is not available 88 * badSenderNonce (18), 89 * -- invalid sender nonce, either missing or wrong size 90 * badCertTemplate (19), 91 * -- invalid cert. template or missing mandatory information 92 * signerNotTrusted (20), 93 * -- signer of the message unknown or not trusted 94 * transactionIdInUse (21), 95 * -- the transaction identifier is already in use 96 * unsupportedVersion (22), 97 * -- the version of the message is not supported 98 * notAuthorized (23), 99 * -- the sender was not authorized to make the preceding 100 * -- request or perform the preceding action 101 * systemUnavail (24), 102 * -- the request cannot be handled due to system unavailability 103 * systemFailure (25), 104 * -- the request cannot be handled due to system failure 105 * duplicateCertReq (26) 106 * -- certificate cannot be issued because a duplicate 107 * -- certificate already exists 108 * } 109 */ 110# define OSSL_CMP_PKIFAILUREINFO_badAlg 0 111# define OSSL_CMP_PKIFAILUREINFO_badMessageCheck 1 112# define OSSL_CMP_PKIFAILUREINFO_badRequest 2 113# define OSSL_CMP_PKIFAILUREINFO_badTime 3 114# define OSSL_CMP_PKIFAILUREINFO_badCertId 4 115# define OSSL_CMP_PKIFAILUREINFO_badDataFormat 5 116# define OSSL_CMP_PKIFAILUREINFO_wrongAuthority 6 117# define OSSL_CMP_PKIFAILUREINFO_incorrectData 7 118# define OSSL_CMP_PKIFAILUREINFO_missingTimeStamp 8 119# define OSSL_CMP_PKIFAILUREINFO_badPOP 9 120# define OSSL_CMP_PKIFAILUREINFO_certRevoked 10 121# define OSSL_CMP_PKIFAILUREINFO_certConfirmed 11 122# define OSSL_CMP_PKIFAILUREINFO_wrongIntegrity 12 123# define OSSL_CMP_PKIFAILUREINFO_badRecipientNonce 13 124# define OSSL_CMP_PKIFAILUREINFO_timeNotAvailable 14 125# define OSSL_CMP_PKIFAILUREINFO_unacceptedPolicy 15 126# define OSSL_CMP_PKIFAILUREINFO_unacceptedExtension 16 127# define OSSL_CMP_PKIFAILUREINFO_addInfoNotAvailable 17 128# define OSSL_CMP_PKIFAILUREINFO_badSenderNonce 18 129# define OSSL_CMP_PKIFAILUREINFO_badCertTemplate 19 130# define OSSL_CMP_PKIFAILUREINFO_signerNotTrusted 20 131# define OSSL_CMP_PKIFAILUREINFO_transactionIdInUse 21 132# define OSSL_CMP_PKIFAILUREINFO_unsupportedVersion 22 133# define OSSL_CMP_PKIFAILUREINFO_notAuthorized 23 134# define OSSL_CMP_PKIFAILUREINFO_systemUnavail 24 135# define OSSL_CMP_PKIFAILUREINFO_systemFailure 25 136# define OSSL_CMP_PKIFAILUREINFO_duplicateCertReq 26 137# define OSSL_CMP_PKIFAILUREINFO_MAX 26 138# define OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN \ 139 ((1 << (OSSL_CMP_PKIFAILUREINFO_MAX + 1)) - 1) 140# if OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN > INT_MAX 141# error CMP_PKIFAILUREINFO_MAX bit pattern does not fit in type int 142# endif 143typedef ASN1_BIT_STRING OSSL_CMP_PKIFAILUREINFO; 144 145# define OSSL_CMP_CTX_FAILINFO_badAlg (1 << 0) 146# define OSSL_CMP_CTX_FAILINFO_badMessageCheck (1 << 1) 147# define OSSL_CMP_CTX_FAILINFO_badRequest (1 << 2) 148# define OSSL_CMP_CTX_FAILINFO_badTime (1 << 3) 149# define OSSL_CMP_CTX_FAILINFO_badCertId (1 << 4) 150# define OSSL_CMP_CTX_FAILINFO_badDataFormat (1 << 5) 151# define OSSL_CMP_CTX_FAILINFO_wrongAuthority (1 << 6) 152# define OSSL_CMP_CTX_FAILINFO_incorrectData (1 << 7) 153# define OSSL_CMP_CTX_FAILINFO_missingTimeStamp (1 << 8) 154# define OSSL_CMP_CTX_FAILINFO_badPOP (1 << 9) 155# define OSSL_CMP_CTX_FAILINFO_certRevoked (1 << 10) 156# define OSSL_CMP_CTX_FAILINFO_certConfirmed (1 << 11) 157# define OSSL_CMP_CTX_FAILINFO_wrongIntegrity (1 << 12) 158# define OSSL_CMP_CTX_FAILINFO_badRecipientNonce (1 << 13) 159# define OSSL_CMP_CTX_FAILINFO_timeNotAvailable (1 << 14) 160# define OSSL_CMP_CTX_FAILINFO_unacceptedPolicy (1 << 15) 161# define OSSL_CMP_CTX_FAILINFO_unacceptedExtension (1 << 16) 162# define OSSL_CMP_CTX_FAILINFO_addInfoNotAvailable (1 << 17) 163# define OSSL_CMP_CTX_FAILINFO_badSenderNonce (1 << 18) 164# define OSSL_CMP_CTX_FAILINFO_badCertTemplate (1 << 19) 165# define OSSL_CMP_CTX_FAILINFO_signerNotTrusted (1 << 20) 166# define OSSL_CMP_CTX_FAILINFO_transactionIdInUse (1 << 21) 167# define OSSL_CMP_CTX_FAILINFO_unsupportedVersion (1 << 22) 168# define OSSL_CMP_CTX_FAILINFO_notAuthorized (1 << 23) 169# define OSSL_CMP_CTX_FAILINFO_systemUnavail (1 << 24) 170# define OSSL_CMP_CTX_FAILINFO_systemFailure (1 << 25) 171# define OSSL_CMP_CTX_FAILINFO_duplicateCertReq (1 << 26) 172 173/*- 174 * PKIStatus ::= INTEGER { 175 * accepted (0), 176 * -- you got exactly what you asked for 177 * grantedWithMods (1), 178 * -- you got something like what you asked for; the 179 * -- requester is responsible for ascertaining the differences 180 * rejection (2), 181 * -- you don't get it, more information elsewhere in the message 182 * waiting (3), 183 * -- the request body part has not yet been processed; expect to 184 * -- hear more later (note: proper handling of this status 185 * -- response MAY use the polling req/rep PKIMessages specified 186 * -- in Section 5.3.22; alternatively, polling in the underlying 187 * -- transport layer MAY have some utility in this regard) 188 * revocationWarning (4), 189 * -- this message contains a warning that a revocation is 190 * -- imminent 191 * revocationNotification (5), 192 * -- notification that a revocation has occurred 193 * keyUpdateWarning (6) 194 * -- update already done for the oldCertId specified in 195 * -- CertReqMsg 196 * } 197 */ 198# define OSSL_CMP_PKISTATUS_request -3 199# define OSSL_CMP_PKISTATUS_trans -2 200# define OSSL_CMP_PKISTATUS_unspecified -1 201# define OSSL_CMP_PKISTATUS_accepted 0 202# define OSSL_CMP_PKISTATUS_grantedWithMods 1 203# define OSSL_CMP_PKISTATUS_rejection 2 204# define OSSL_CMP_PKISTATUS_waiting 3 205# define OSSL_CMP_PKISTATUS_revocationWarning 4 206# define OSSL_CMP_PKISTATUS_revocationNotification 5 207# define OSSL_CMP_PKISTATUS_keyUpdateWarning 6 208typedef ASN1_INTEGER OSSL_CMP_PKISTATUS; 209 210DECLARE_ASN1_ITEM(OSSL_CMP_PKISTATUS) 211 212# define OSSL_CMP_CERTORENCCERT_CERTIFICATE 0 213# define OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT 1 214 215/* data type declarations */ 216typedef struct ossl_cmp_ctx_st OSSL_CMP_CTX; 217typedef struct ossl_cmp_pkiheader_st OSSL_CMP_PKIHEADER; 218DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER) 219typedef struct ossl_cmp_msg_st OSSL_CMP_MSG; 220DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_MSG) 221DECLARE_ASN1_ENCODE_FUNCTIONS(OSSL_CMP_MSG, OSSL_CMP_MSG, OSSL_CMP_MSG) 222typedef struct ossl_cmp_certstatus_st OSSL_CMP_CERTSTATUS; 223{- 224 generate_stack_macros("OSSL_CMP_CERTSTATUS"); 225-} 226typedef struct ossl_cmp_itav_st OSSL_CMP_ITAV; 227DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV) 228{- 229 generate_stack_macros("OSSL_CMP_ITAV"); 230-} 231 232typedef struct ossl_cmp_crlstatus_st OSSL_CMP_CRLSTATUS; 233{- 234 generate_stack_macros("OSSL_CMP_CRLSTATUS"); 235-} 236 237typedef OSSL_CRMF_ATTRIBUTETYPEANDVALUE OSSL_CMP_ATAV; 238# define OSSL_CMP_ATAV_free OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free 239typedef STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) OSSL_CMP_ATAVS; 240DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ATAVS) 241# define stack_st_OSSL_CMP_ATAV stack_st_OSSL_CRMF_ATTRIBUTETYPEANDVALUE 242# define sk_OSSL_CMP_ATAV_num sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_num 243# define sk_OSSL_CMP_ATAV_value sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_value 244# define sk_OSSL_CMP_ATAV_push sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push 245# define sk_OSSL_CMP_ATAV_pop_free sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_pop_free 246 247typedef struct ossl_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT; 248typedef struct ossl_cmp_pkisi_st OSSL_CMP_PKISI; 249DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKISI) 250DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI) 251{- 252 generate_stack_macros("OSSL_CMP_PKISI"); 253-} 254typedef struct ossl_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE; 255{- 256 generate_stack_macros("OSSL_CMP_CERTREPMESSAGE"); 257-} 258typedef struct ossl_cmp_pollrep_st OSSL_CMP_POLLREP; 259typedef STACK_OF(OSSL_CMP_POLLREP) OSSL_CMP_POLLREPCONTENT; 260typedef struct ossl_cmp_certresponse_st OSSL_CMP_CERTRESPONSE; 261{- 262 generate_stack_macros("OSSL_CMP_CERTRESPONSE"); 263-} 264typedef STACK_OF(ASN1_UTF8STRING) OSSL_CMP_PKIFREETEXT; 265 266/* 267 * function DECLARATIONS 268 */ 269 270/* from cmp_asn.c */ 271OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value); 272void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type, 273 ASN1_TYPE *value); 274ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav); 275ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav); 276int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **sk_p, 277 OSSL_CMP_ITAV *itav); 278void OSSL_CMP_ITAV_free(OSSL_CMP_ITAV *itav); 279 280OSSL_CMP_ITAV *OSSL_CMP_ITAV_new0_certProfile(STACK_OF(ASN1_UTF8STRING) 281 *certProfile); 282int OSSL_CMP_ITAV_get0_certProfile(const OSSL_CMP_ITAV *itav, 283 STACK_OF(ASN1_UTF8STRING) **out); 284OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_caCerts(const STACK_OF(X509) *caCerts); 285int OSSL_CMP_ITAV_get0_caCerts(const OSSL_CMP_ITAV *itav, STACK_OF(X509) **out); 286 287OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaCert(const X509 *rootCaCert); 288int OSSL_CMP_ITAV_get0_rootCaCert(const OSSL_CMP_ITAV *itav, X509 **out); 289OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaKeyUpdate(const X509 *newWithNew, 290 const X509 *newWithOld, 291 const X509 *oldWithNew); 292int OSSL_CMP_ITAV_get0_rootCaKeyUpdate(const OSSL_CMP_ITAV *itav, 293 X509 **newWithNew, 294 X509 **newWithOld, 295 X509 **oldWithNew); 296 297OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_create(const X509_CRL *crl, 298 const X509 *cert, int only_DN); 299OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_new1(const DIST_POINT_NAME *dpn, 300 const GENERAL_NAMES *issuer, 301 const ASN1_TIME *thisUpdate); 302int OSSL_CMP_CRLSTATUS_get0(const OSSL_CMP_CRLSTATUS *crlstatus, 303 DIST_POINT_NAME **dpn, GENERAL_NAMES **issuer, 304 ASN1_TIME **thisUpdate); 305void OSSL_CMP_CRLSTATUS_free(OSSL_CMP_CRLSTATUS *crlstatus); 306OSSL_CMP_ITAV 307*OSSL_CMP_ITAV_new0_crlStatusList(STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList); 308int OSSL_CMP_ITAV_get0_crlStatusList(const OSSL_CMP_ITAV *itav, 309 STACK_OF(OSSL_CMP_CRLSTATUS) **out); 310OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_crls(const X509_CRL *crls); 311int OSSL_CMP_ITAV_get0_crls(const OSSL_CMP_ITAV *it, STACK_OF(X509_CRL) **out); 312OSSL_CMP_ITAV 313*OSSL_CMP_ITAV_new0_certReqTemplate(OSSL_CRMF_CERTTEMPLATE *certTemplate, 314 OSSL_CMP_ATAVS *keySpec); 315int OSSL_CMP_ITAV_get1_certReqTemplate(const OSSL_CMP_ITAV *itav, 316 OSSL_CRMF_CERTTEMPLATE **certTemplate, 317 OSSL_CMP_ATAVS **keySpec); 318 319OSSL_CMP_ATAV *OSSL_CMP_ATAV_create(ASN1_OBJECT *type, ASN1_TYPE *value); 320void OSSL_CMP_ATAV_set0(OSSL_CMP_ATAV *itav, ASN1_OBJECT *type, 321 ASN1_TYPE *value); 322ASN1_OBJECT *OSSL_CMP_ATAV_get0_type(const OSSL_CMP_ATAV *itav); 323ASN1_TYPE *OSSL_CMP_ATAV_get0_value(const OSSL_CMP_ATAV *itav); 324OSSL_CMP_ATAV *OSSL_CMP_ATAV_new_algId(const X509_ALGOR *alg); 325X509_ALGOR *OSSL_CMP_ATAV_get0_algId(const OSSL_CMP_ATAV *atav); 326OSSL_CMP_ATAV *OSSL_CMP_ATAV_new_rsaKeyLen(int len); 327int OSSL_CMP_ATAV_get_rsaKeyLen(const OSSL_CMP_ATAV *atav); 328int OSSL_CMP_ATAV_push1(OSSL_CMP_ATAVS **sk_p, const OSSL_CMP_ATAV *atav); 329 330void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg); 331 332/* from cmp_ctx.c */ 333OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq); 334void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx); 335int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx); 336OSSL_LIB_CTX *OSSL_CMP_CTX_get0_libctx(const OSSL_CMP_CTX *ctx); 337const char *OSSL_CMP_CTX_get0_propq(const OSSL_CMP_CTX *ctx); 338/* CMP general options: */ 339# define OSSL_CMP_OPT_LOG_VERBOSITY 0 340/* CMP transfer options: */ 341# define OSSL_CMP_OPT_KEEP_ALIVE 10 342# define OSSL_CMP_OPT_MSG_TIMEOUT 11 343# define OSSL_CMP_OPT_TOTAL_TIMEOUT 12 344# define OSSL_CMP_OPT_USE_TLS 13 345/* CMP request options: */ 346# define OSSL_CMP_OPT_VALIDITY_DAYS 20 347# define OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT 21 348# define OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL 22 349# define OSSL_CMP_OPT_POLICIES_CRITICAL 23 350# define OSSL_CMP_OPT_POPO_METHOD 24 351# define OSSL_CMP_OPT_IMPLICIT_CONFIRM 25 352# define OSSL_CMP_OPT_DISABLE_CONFIRM 26 353# define OSSL_CMP_OPT_REVOCATION_REASON 27 354/* CMP protection options: */ 355# define OSSL_CMP_OPT_UNPROTECTED_SEND 30 356# define OSSL_CMP_OPT_UNPROTECTED_ERRORS 31 357# define OSSL_CMP_OPT_OWF_ALGNID 32 358# define OSSL_CMP_OPT_MAC_ALGNID 33 359# define OSSL_CMP_OPT_DIGEST_ALGNID 34 360# define OSSL_CMP_OPT_IGNORE_KEYUSAGE 35 361# define OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR 36 362# define OSSL_CMP_OPT_NO_CACHE_EXTRACERTS 37 363int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val); 364int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt); 365/* CMP-specific callback for logging and outputting the error queue: */ 366int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb); 367# define OSSL_CMP_CTX_set_log_verbosity(ctx, level) \ 368 OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_LOG_VERBOSITY, level) 369void OSSL_CMP_CTX_print_errors(const OSSL_CMP_CTX *ctx); 370/* message transfer: */ 371int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path); 372int OSSL_CMP_CTX_set1_server(OSSL_CMP_CTX *ctx, const char *address); 373int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port); 374int OSSL_CMP_CTX_set1_proxy(OSSL_CMP_CTX *ctx, const char *name); 375int OSSL_CMP_CTX_set1_no_proxy(OSSL_CMP_CTX *ctx, const char *names); 376# ifndef OPENSSL_NO_HTTP 377int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb); 378int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg); 379void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx); 380# endif 381typedef OSSL_CMP_MSG *(*OSSL_CMP_transfer_cb_t) (OSSL_CMP_CTX *ctx, 382 const OSSL_CMP_MSG *req); 383int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb); 384int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg); 385void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx); 386/* server authentication: */ 387int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX *ctx, X509 *cert); 388int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx, const X509_NAME *name); 389int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store); 390# define OSSL_CMP_CTX_set0_trusted OSSL_CMP_CTX_set0_trustedStore 391X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx); 392# define OSSL_CMP_CTX_get0_trusted OSSL_CMP_CTX_get0_trustedStore 393int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs); 394STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx); 395/* client authentication: */ 396int OSSL_CMP_CTX_set1_cert(OSSL_CMP_CTX *ctx, X509 *cert); 397int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted, 398 STACK_OF(X509) *candidates); 399int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey); 400int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx, 401 const unsigned char *ref, int len); 402int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, 403 const unsigned char *sec, int len); 404/* CMP message header and extra certificates: */ 405int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name); 406int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav); 407int OSSL_CMP_CTX_reset_geninfo_ITAVs(OSSL_CMP_CTX *ctx); 408STACK_OF(OSSL_CMP_ITAV) 409 *OSSL_CMP_CTX_get0_geninfo_ITAVs(const OSSL_CMP_CTX *ctx); 410int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx, 411 STACK_OF(X509) *extraCertsOut); 412/* certificate template: */ 413int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey); 414EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv); 415int OSSL_CMP_CTX_set1_issuer(OSSL_CMP_CTX *ctx, const X509_NAME *name); 416int OSSL_CMP_CTX_set1_serialNumber(OSSL_CMP_CTX *ctx, const ASN1_INTEGER *sn); 417int OSSL_CMP_CTX_set1_subjectName(OSSL_CMP_CTX *ctx, const X509_NAME *name); 418int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx, 419 const GENERAL_NAME *name); 420int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts); 421int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx); 422int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo); 423int OSSL_CMP_CTX_set1_oldCert(OSSL_CMP_CTX *ctx, X509 *cert); 424int OSSL_CMP_CTX_set1_p10CSR(OSSL_CMP_CTX *ctx, const X509_REQ *csr); 425/* misc body contents: */ 426int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav); 427/* certificate confirmation: */ 428typedef int (*OSSL_CMP_certConf_cb_t) (OSSL_CMP_CTX *ctx, X509 *cert, 429 int fail_info, const char **txt); 430int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, 431 const char **text); 432int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb); 433int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg); 434void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx); 435/* result fetching: */ 436int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx); 437OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx); 438int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx); 439# define OSSL_CMP_PKISI_BUFLEN 1024 440X509 *OSSL_CMP_CTX_get0_validatedSrvCert(const OSSL_CMP_CTX *ctx); 441X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx); 442STACK_OF(X509) *OSSL_CMP_CTX_get1_newChain(const OSSL_CMP_CTX *ctx); 443STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx); 444STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx); 445int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx, 446 const ASN1_OCTET_STRING *id); 447int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx, 448 const ASN1_OCTET_STRING *nonce); 449 450/* from cmp_status.c */ 451char *OSSL_CMP_CTX_snprint_PKIStatus(const OSSL_CMP_CTX *ctx, char *buf, 452 size_t bufsize); 453char *OSSL_CMP_snprint_PKIStatusInfo(const OSSL_CMP_PKISI *statusInfo, 454 char *buf, size_t bufsize); 455OSSL_CMP_PKISI * 456OSSL_CMP_STATUSINFO_new(int status, int fail_info, const char *text); 457 458/* from cmp_hdr.c */ 459ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_transactionID(const 460 OSSL_CMP_PKIHEADER *hdr); 461ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_recipNonce(const OSSL_CMP_PKIHEADER *hdr); 462STACK_OF(OSSL_CMP_ITAV) 463 *OSSL_CMP_HDR_get0_geninfo_ITAVs(const OSSL_CMP_PKIHEADER *hdr); 464 465/* from cmp_msg.c */ 466OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg); 467int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg); 468X509_PUBKEY *OSSL_CMP_MSG_get0_certreq_publickey(const OSSL_CMP_MSG *msg); 469int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); 470int OSSL_CMP_MSG_update_recipNonce(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); 471OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid); 472OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, 473 const char *propq); 474int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg); 475OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg); 476int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg); 477 478/* from cmp_vfy.c */ 479int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg); 480int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx, 481 X509_STORE *trusted_store, X509 *cert); 482 483/* from cmp_http.c */ 484# ifndef OPENSSL_NO_HTTP 485OSSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx, 486 const OSSL_CMP_MSG *req); 487# endif 488 489/* from cmp_server.c */ 490typedef struct ossl_cmp_srv_ctx_st OSSL_CMP_SRV_CTX; 491OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx, 492 const OSSL_CMP_MSG *req); 493OSSL_CMP_MSG * OSSL_CMP_CTX_server_perform(OSSL_CMP_CTX *client_ctx, 494 const OSSL_CMP_MSG *req); 495OSSL_CMP_SRV_CTX *OSSL_CMP_SRV_CTX_new(OSSL_LIB_CTX *libctx, const char *propq); 496void OSSL_CMP_SRV_CTX_free(OSSL_CMP_SRV_CTX *srv_ctx); 497typedef OSSL_CMP_PKISI *(*OSSL_CMP_SRV_cert_request_cb_t) 498 (OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *req, int certReqId, 499 const OSSL_CRMF_MSG *crm, const X509_REQ *p10cr, 500 X509 **certOut, STACK_OF(X509) **chainOut, STACK_OF(X509) **caPubs); 501typedef OSSL_CMP_PKISI *(*OSSL_CMP_SRV_rr_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx, 502 const OSSL_CMP_MSG *req, 503 const X509_NAME *issuer, 504 const ASN1_INTEGER *serial); 505typedef int (*OSSL_CMP_SRV_genm_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx, 506 const OSSL_CMP_MSG *req, 507 const STACK_OF(OSSL_CMP_ITAV) *in, 508 STACK_OF(OSSL_CMP_ITAV) **out); 509typedef void (*OSSL_CMP_SRV_error_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx, 510 const OSSL_CMP_MSG *req, 511 const OSSL_CMP_PKISI *statusInfo, 512 const ASN1_INTEGER *errorCode, 513 const OSSL_CMP_PKIFREETEXT *errDetails); 514typedef int (*OSSL_CMP_SRV_certConf_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx, 515 const OSSL_CMP_MSG *req, 516 int certReqId, 517 const ASN1_OCTET_STRING *certHash, 518 const OSSL_CMP_PKISI *si); 519typedef int (*OSSL_CMP_SRV_pollReq_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx, 520 const OSSL_CMP_MSG *req, int certReqId, 521 OSSL_CMP_MSG **certReq, 522 int64_t *check_after); 523int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX *srv_ctx, void *custom_ctx, 524 OSSL_CMP_SRV_cert_request_cb_t process_cert_request, 525 OSSL_CMP_SRV_rr_cb_t process_rr, 526 OSSL_CMP_SRV_genm_cb_t process_genm, 527 OSSL_CMP_SRV_error_cb_t process_error, 528 OSSL_CMP_SRV_certConf_cb_t process_certConf, 529 OSSL_CMP_SRV_pollReq_cb_t process_pollReq); 530typedef int (*OSSL_CMP_SRV_delayed_delivery_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx, 531 const OSSL_CMP_MSG *req); 532typedef int (*OSSL_CMP_SRV_clean_transaction_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx, 533 const ASN1_OCTET_STRING *id); 534int OSSL_CMP_SRV_CTX_init_trans(OSSL_CMP_SRV_CTX *srv_ctx, 535 OSSL_CMP_SRV_delayed_delivery_cb_t delay, 536 OSSL_CMP_SRV_clean_transaction_cb_t clean); 537OSSL_CMP_CTX *OSSL_CMP_SRV_CTX_get0_cmp_ctx(const OSSL_CMP_SRV_CTX *srv_ctx); 538void *OSSL_CMP_SRV_CTX_get0_custom_ctx(const OSSL_CMP_SRV_CTX *srv_ctx); 539int OSSL_CMP_SRV_CTX_set_send_unprotected_errors(OSSL_CMP_SRV_CTX *srv_ctx, 540 int val); 541int OSSL_CMP_SRV_CTX_set_accept_unprotected(OSSL_CMP_SRV_CTX *srv_ctx, int val); 542int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val); 543int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx, 544 int val); 545 546/* from cmp_client.c */ 547X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type, 548 const OSSL_CRMF_MSG *crm); 549# define OSSL_CMP_IR 0 550# define OSSL_CMP_CR 2 551# define OSSL_CMP_P10CR 4 552# define OSSL_CMP_KUR 7 553# define OSSL_CMP_GENM 21 554# define OSSL_CMP_ERROR 23 555# define OSSL_CMP_exec_IR_ses(ctx) \ 556 OSSL_CMP_exec_certreq(ctx, OSSL_CMP_IR, NULL) 557# define OSSL_CMP_exec_CR_ses(ctx) \ 558 OSSL_CMP_exec_certreq(ctx, OSSL_CMP_CR, NULL) 559# define OSSL_CMP_exec_P10CR_ses(ctx) \ 560 OSSL_CMP_exec_certreq(ctx, OSSL_CMP_P10CR, NULL) 561# define OSSL_CMP_exec_KUR_ses(ctx) \ 562 OSSL_CMP_exec_certreq(ctx, OSSL_CMP_KUR, NULL) 563int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, 564 const OSSL_CRMF_MSG *crm, int *checkAfter); 565int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx); 566STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx); 567 568/* from cmp_genm.c */ 569int OSSL_CMP_get1_caCerts(OSSL_CMP_CTX *ctx, STACK_OF(X509) **out); 570int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx, 571 const X509 *oldWithOld, X509 **newWithNew, 572 X509 **newWithOld, X509 **oldWithNew); 573int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509 *crlcert, 574 const X509_CRL *last_crl, 575 X509_CRL **crl); 576int OSSL_CMP_get1_certReqTemplate(OSSL_CMP_CTX *ctx, 577 OSSL_CRMF_CERTTEMPLATE **certTemplate, 578 OSSL_CMP_ATAVS **keySpec); 579 580# ifdef __cplusplus 581} 582# endif 583# endif /* !defined(OPENSSL_NO_CMP) */ 584#endif /* !defined(OPENSSL_CMP_H) */ 585