  1. /*
  2. * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright Nokia 2007-2019
  4. * Copyright Siemens AG 2015-2019
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. #ifndef OSSL_CRYPTO_CMP_LOCAL_H
  12. # define OSSL_CRYPTO_CMP_LOCAL_H
  13. # include "internal/cryptlib.h"
  14. # include <openssl/cmp.h>
  15. # include <openssl/err.h>
  16. /* explicit #includes not strictly needed since implied by the above: */
  17. # include <openssl/crmf.h>
  18. # include <openssl/types.h>
  19. # include <openssl/safestack.h>
  20. # include <openssl/x509.h>
  21. # include <openssl/x509v3.h>
  22. /*
  23. * this structure is used to store the context for CMP sessions
  24. */
/*
 * Context of one CMP client session (the opaque OSSL_CMP_CTX of the public
 * API).  Groups transport settings, the material used to authenticate the
 * server and ourselves, the certificate template to request, and the results
 * of the last exchange.  This header is internal; application code is meant
 * to go through the OSSL_CMP_CTX_* accessors declared in <openssl/cmp.h>.
 * Ownership: set0_* setters below transfer ownership of their argument to the
 * ctx, set1_* setters copy or up-ref it (usual OpenSSL naming convention).
 */
struct ossl_cmp_ctx_st {
    OSSL_LIB_CTX *libctx; /* library context handed to e.g. ossl_cmp_build_cert_chain() */
    const char *propq;    /* property query string passed along with libctx */
    OSSL_CMP_log_cb_t log_cb; /* log callback for error/debug/etc. output */
    OSSL_CMP_severity log_verbosity; /* level of verbosity of log output */

    /* message transfer */
    OSSL_CMP_transfer_cb_t transfer_cb; /* default: OSSL_CMP_MSG_http_perform */
    void *transfer_cb_arg; /* allows to store optional argument to cb */

    /* HTTP-based transfer */
    char *serverPath;
    char *server;
    int serverPort;
    char *proxy;
    char *no_proxy;
    int msg_timeout;   /* max seconds to wait for each CMP message round trip */
    int total_timeout; /* max number of seconds an enrollment may take, incl. */
    /* attempts polling for a response if a 'waiting' PKIStatus is received */
    time_t end_time; /* session start time + totaltimeout */
    OSSL_HTTP_bio_cb_t http_cb;
    void *http_cb_arg; /* allows to store optional argument to cb */

    /* server authentication */
    /*
     * unprotectedErrors may be set as workaround for broken server responses:
     * accept missing or invalid protection of regular error messages, negative
     * certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf.
     * Security note: such responses are then not authenticated at all, so
     * anyone able to tamper with the transport can fabricate a failure;
     * enable only for servers known to be broken.
     */
    int unprotectedErrors;
    X509 *srvCert;          /* certificate used to identify the server */
    X509 *validatedSrvCert; /* caches any already validated server cert */
    X509_NAME *expected_sender; /* expected sender in header of response */
    X509_STORE *trusted;  /* trust store maybe w CRLs and cert verify callback */
    STACK_OF(X509) *untrusted; /* untrusted (intermediate CA) certs */
    int ignore_keyusage; /* ignore key usage entry when validating certs */
    /*
     * permitTAInExtraCertsForIR allows use of root certs in extracerts
     * when validating message protection; this is used for 3GPP-style E.7.
     * Security note: the trust anchor is then taken from the (unauthenticated)
     * message itself, which is only sound where the deployment profile
     * explicitly provides for it.
     */
    int permitTAInExtraCertsForIR;

    /* client authentication */
    int unprotectedSend; /* send unprotected PKI messages */
    X509 *cert; /* protection cert used to identify and sign for MSG_SIG_ALG */
    STACK_OF(X509) *chain; /* (cached) chain of protection cert including it */
    EVP_PKEY *pkey; /* the key pair corresponding to cert */
    ASN1_OCTET_STRING *referenceValue; /* optional user name for MSG_MAC_ALG */
    ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */
    /*
     * NOTE(review): secretValue is key material; confirm in cmp_ctx.c that it
     * is cleared (not merely freed) when replaced or when the ctx is freed.
     */

    /* PBMParameters for MSG_MAC_ALG (the values this client puts in its own messages) */
    size_t pbm_slen; /* salt length, currently fixed to 16 */
    EVP_MD *pbm_owf; /* one-way function (OWF), default: SHA256 */
    int pbm_itercnt; /* OWF iteration count, currently fixed to 500 */
    int pbm_mac; /* NID of MAC algorithm, default: HMAC-SHA1 as per RFC 4210 */

    /* CMP message header and extra certificates */
    X509_NAME *recipient; /* to set in recipient in pkiheader */
    EVP_MD *digest; /* digest used in MSG_SIG_ALG and POPO, default SHA256 */
    ASN1_OCTET_STRING *transactionID; /* the current transaction ID */
    /*
     * senderNonce/recipNonce are the PKIHeader replay-protection nonces: a
     * response is expected to echo our last senderNonce in its recipNonce.
     * The check itself lives outside this header.
     */
    ASN1_OCTET_STRING *senderNonce; /* last nonce sent */
    ASN1_OCTET_STRING *recipNonce; /* last nonce received */
    ASN1_UTF8STRING *freeText; /* optional string to include each msg */
    STACK_OF(OSSL_CMP_ITAV) *geninfo_ITAVs; /* generalInfo ITAVs to add to each header */
    int implicitConfirm; /* set implicitConfirm in IR/KUR/CR messages */
    int disableConfirm; /* disable certConf in IR/KUR/CR for broken servers */
    STACK_OF(X509) *extraCertsOut; /* to be included in request messages */

    /* certificate template */
    EVP_PKEY *newPkey; /* explicit new private/public key for cert enrollment */
    int newPkey_priv; /* flag indicating if newPkey contains private key */
    X509_NAME *issuer; /* issuer name to be used in cert template */
    int days; /* Number of days new certificates are asked to be valid for */
    X509_NAME *subjectName; /* subject name to be used in cert template */
    STACK_OF(GENERAL_NAME) *subjectAltNames; /* to add to the cert template */
    int SubjectAltName_nodefault; /* do not derive a default SAN from the reference cert */
    int setSubjectAltNameCritical; /* mark the SAN extension critical */
    X509_EXTENSIONS *reqExtensions; /* exts to be added to cert template */
    CERTIFICATEPOLICIES *policies; /* policies to be included in extensions */
    int setPoliciesCritical; /* mark the certificatePolicies extension critical */
    int popoMethod; /* Proof-of-possession mechanism; default: signature */
    X509 *oldCert; /* cert to be updated (via KUR) or to be revoked (via RR) */
    X509_REQ *p10CSR; /* for P10CR: PKCS#10 CSR to be sent */

    /* misc body contents */
    int revocationReason; /* revocation reason code to be included in RR */
    STACK_OF(OSSL_CMP_ITAV) *genm_ITAVs; /* content of general message */

    /* result returned in responses */
    int status; /* PKIStatus of last received IP/CP/KUP/RP/error or -1 */
    /* TODO: this should be a stack since there could be more than one */
    OSSL_CMP_PKIFREETEXT *statusString; /* of last IP/CP/KUP/RP/error */
    int failInfoCode; /* failInfoCode of last received IP/CP/KUP/error, or -1 */
    /* TODO: this should be a stack since there could be more than one */
    X509 *newCert; /* newly enrolled cert received from the CA */
    /* TODO: this should be a stack since there could be more than one */
    STACK_OF(X509) *newChain; /* chain of newly enrolled cert received */
    STACK_OF(X509) *caPubs; /* CA certs received from server (in IP message) */
    STACK_OF(X509) *extraCertsIn; /* extraCerts received from server */

    /* certificate confirmation */
    OSSL_CMP_certConf_cb_t certConf_cb; /* callback for app checking new cert */
    void *certConf_cb_arg; /* allows to store an argument individual to cb */
} /* OSSL_CMP_CTX */;
  119. /*
  120. * ##########################################################################
  121. * ASN.1 DECLARATIONS
  122. * ##########################################################################
  123. */
  124. /*-
  125. * RevAnnContent ::= SEQUENCE {
  126. * status PKIStatus,
  127. * certId CertId,
  128. * willBeRevokedAt GeneralizedTime,
  129. * badSinceDate GeneralizedTime,
  130. * crlDetails Extensions OPTIONAL
  131. * -- extra CRL details (e.g., crl number, reason, location, etc.)
  132. * }
  133. */
/* RevAnnContent: announcement by the CA that a certificate will be revoked */
typedef struct ossl_cmp_revanncontent_st {
    ASN1_INTEGER *status;                 /* PKIStatus */
    OSSL_CRMF_CERTID *certId;             /* issuer + serial of the affected cert */
    ASN1_GENERALIZEDTIME *willBeRevokedAt;
    ASN1_GENERALIZEDTIME *badSinceDate;
    X509_EXTENSIONS *crlDetails;          /* OPTIONAL extra CRL details */
} OSSL_CMP_REVANNCONTENT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
  142. /*-
  143. * Challenge ::= SEQUENCE {
  144. * owf AlgorithmIdentifier OPTIONAL,
  145. *
  146. * -- MUST be present in the first Challenge; MAY be omitted in
  147. * -- any subsequent Challenge in POPODecKeyChallContent (if
  148. * -- omitted, then the owf used in the immediately preceding
  149. * -- Challenge is to be used).
  150. *
  151. * witness OCTET STRING,
  152. * -- the result of applying the one-way function (owf) to a
  153. * -- randomly-generated INTEGER, A. [Note that a different
  154. * -- INTEGER MUST be used for each Challenge.]
  155. * challenge OCTET STRING
  156. * -- the encryption (under the public key for which the cert.
  157. * -- request is being made) of Rand, where Rand is specified as
  158. * -- Rand ::= SEQUENCE {
  159. * -- int INTEGER,
  160. * -- - the randomly-generated INTEGER A (above)
  161. * -- sender GeneralName
  162. * -- - the sender's name (as included in PKIHeader)
  163. * -- }
  164. * }
  165. */
/*
 * Challenge: one element of POPODecKeyChallContent (indirect proof of
 * possession for decryption keys).  owf may be absent in all but the first
 * Challenge of a sequence, see the ASN.1 above.
 */
typedef struct ossl_cmp_challenge_st {
    X509_ALGOR *owf;                /* OPTIONAL one-way function AlgorithmIdentifier */
    ASN1_OCTET_STRING *witness;     /* owf applied to the random INTEGER A */
    ASN1_OCTET_STRING *challenge;   /* Rand encrypted under the requested cert's public key */
} OSSL_CMP_CHALLENGE;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
  172. /*-
  173. * CAKeyUpdAnnContent ::= SEQUENCE {
  174. * oldWithNew Certificate,
  175. * newWithOld Certificate,
  176. * newWithNew Certificate
  177. * }
  178. */
/* CAKeyUpdAnnContent: the three certificates published on a CA key rollover */
typedef struct ossl_cmp_cakeyupdanncontent_st {
    X509 *oldWithNew; /* old CA key signed with the new one */
    X509 *newWithOld; /* new CA key signed with the old one */
    X509 *newWithNew; /* new self-signed CA certificate */
} OSSL_CMP_CAKEYUPDANNCONTENT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
/*-
 * PKIMessages is declared here, ahead of OSSL_CMP_MSG, because it is needed
 * both for the nested body type and for the infoType/infoValue union below.
 */
/* PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage */
typedef STACK_OF(OSSL_CMP_MSG) OSSL_CMP_MSGS;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS)
  191. /*-
  192. * InfoTypeAndValue ::= SEQUENCE {
  193. * infoType OBJECT IDENTIFIER,
  194. * infoValue ANY DEFINED BY infoType OPTIONAL
  195. * }
  196. */
/*
 * InfoTypeAndValue (OSSL_CMP_ITAV).  infoType selects which member of the
 * infoValue union is meaningful; the member comments name the NID that
 * corresponds to each.  Consumers must check infoType before touching a union
 * member.  Values whose OID is not listed here end up in 'other'.
 */
struct ossl_cmp_itav_st {
    ASN1_OBJECT *infoType;
    union {
        char *ptr; /* untyped view of the value, for generic handling */
        /* NID_id_it_caProtEncCert - CA Protocol Encryption Certificate */
        X509 *caProtEncCert;
        /* NID_id_it_signKeyPairTypes - Signing Key Pair Types */
        STACK_OF(X509_ALGOR) *signKeyPairTypes;
        /* NID_id_it_encKeyPairTypes - Encryption/Key Agreement Key Pair Types */
        STACK_OF(X509_ALGOR) *encKeyPairTypes;
        /* NID_id_it_preferredSymmAlg - Preferred Symmetric Algorithm */
        X509_ALGOR *preferredSymmAlg;
        /* NID_id_it_caKeyUpdateInfo - Updated CA Key Pair */
        OSSL_CMP_CAKEYUPDANNCONTENT *caKeyUpdateInfo;
        /* NID_id_it_currentCRL - CRL */
        X509_CRL *currentCRL;
        /* NID_id_it_unsupportedOIDs - Unsupported Object Identifiers */
        STACK_OF(ASN1_OBJECT) *unsupportedOIDs;
        /* NID_id_it_keyPairParamReq - Key Pair Parameters Request */
        ASN1_OBJECT *keyPairParamReq;
        /* NID_id_it_keyPairParamRep - Key Pair Parameters Response */
        X509_ALGOR *keyPairParamRep;
        /* NID_id_it_revPassphrase - Revocation Passphrase */
        OSSL_CRMF_ENCRYPTEDVALUE *revPassphrase;
        /* NID_id_it_implicitConfirm - ImplicitConfirm */
        ASN1_NULL *implicitConfirm;
        /* NID_id_it_confirmWaitTime - ConfirmWaitTime */
        ASN1_GENERALIZEDTIME *confirmWaitTime;
        /* NID_id_it_origPKIMessage - origPKIMessage */
        OSSL_CMP_MSGS *origPKIMessage;
        /* NID_id_it_suppLangTags - Supported Language Tags */
        STACK_OF(ASN1_UTF8STRING) *suppLangTagsValue;
        /* this is to be used for so far undeclared objects */
        ASN1_TYPE *other;
    } infoValue;
} /* OSSL_CMP_ITAV */;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
/*
 * CertOrEncCert (a CHOICE in RFC 4210): 'type' selects which union member
 * is valid; callers must not read the other one.
 */
typedef struct ossl_cmp_certorenccert_st {
    int type;
    union {
        X509 *certificate;                       /* certificate [0] */
        OSSL_CRMF_ENCRYPTEDVALUE *encryptedCert; /* encryptedCert [1] */
    } value;
} OSSL_CMP_CERTORENCCERT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
  242. /*-
  243. * CertifiedKeyPair ::= SEQUENCE {
  244. * certOrEncCert CertOrEncCert,
  245. * privateKey [0] EncryptedValue OPTIONAL,
  246. * -- see [CRMF] for comment on encoding
  247. * publicationInfo [1] PKIPublicationInfo OPTIONAL
  248. * }
  249. */
/*
 * CertifiedKeyPair: the issued certificate plus, when the server generated
 * the key pair, the (encrypted) private key.
 */
typedef struct ossl_cmp_certifiedkeypair_st {
    OSSL_CMP_CERTORENCCERT *certOrEncCert;
    OSSL_CRMF_ENCRYPTEDVALUE *privateKey;             /* [0] OPTIONAL, see [CRMF] for encoding */
    OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo;    /* [1] OPTIONAL */
} OSSL_CMP_CERTIFIEDKEYPAIR;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
  256. /*-
  257. * PKIStatusInfo ::= SEQUENCE {
  258. * status PKIStatus,
  259. * statusString PKIFreeText OPTIONAL,
  260. * failInfo PKIFailureInfo OPTIONAL
  261. * }
  262. */
/*
 * PKIStatusInfo (OSSL_CMP_PKISI); accessed via the ossl_cmp_pkisi_get*
 * helpers declared further down.
 */
struct ossl_cmp_pkisi_st {
    OSSL_CMP_PKISTATUS *status;
    OSSL_CMP_PKIFREETEXT *statusString; /* OPTIONAL human-readable text */
    OSSL_CMP_PKIFAILUREINFO *failInfo;  /* OPTIONAL bit string of failure reasons */
} /* OSSL_CMP_PKISI */;
  268. /*-
  269. * RevReqContent ::= SEQUENCE OF RevDetails
  270. *
  271. * RevDetails ::= SEQUENCE {
  272. * certDetails CertTemplate,
  273. * crlEntryDetails Extensions OPTIONAL
  274. * }
  275. */
/* RevDetails: one entry of a RevReqContent (revocation request) */
struct ossl_cmp_revdetails_st {
    OSSL_CRMF_CERTTEMPLATE *certDetails;   /* identifies the cert to revoke */
    X509_EXTENSIONS *crlEntryDetails;      /* OPTIONAL, e.g. reason code */
} /* OSSL_CMP_REVDETAILS */;
typedef struct ossl_cmp_revdetails_st OSSL_CMP_REVDETAILS;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS)
DEFINE_STACK_OF(OSSL_CMP_REVDETAILS)
  283. /*-
  284. * RevRepContent ::= SEQUENCE {
  285. * status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
  286. * -- in same order as was sent in RevReqContent
  287. * revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId
  288. * OPTIONAL,
  289. * -- IDs for which revocation was requested
  290. * -- (same order as status)
  291. * crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList
  292. * OPTIONAL
  293. * -- the resulting CRLs (there may be more than one)
  294. * }
  295. */
/*
 * RevRepContent: the three stacks are positionally aligned with the
 * RevDetails of the request (status[i] and revCerts[i] belong together).
 */
struct ossl_cmp_revrepcontent_st {
    STACK_OF(OSSL_CMP_PKISI) *status;
    STACK_OF(OSSL_CRMF_CERTID) *revCerts; /* [0] OPTIONAL */
    STACK_OF(X509_CRL) *crls;             /* [1] OPTIONAL */
} /* OSSL_CMP_REVREPCONTENT */;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
  302. /*-
  303. * KeyRecRepContent ::= SEQUENCE {
  304. * status PKIStatusInfo,
  305. * newSigCert [0] Certificate OPTIONAL,
  306. * caCerts [1] SEQUENCE SIZE (1..MAX) OF
  307. * Certificate OPTIONAL,
  308. * keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
  309. * CertifiedKeyPair OPTIONAL
  310. * }
  311. */
/* KeyRecRepContent: response to a key recovery request (krp) */
typedef struct ossl_cmp_keyrecrepcontent_st {
    OSSL_CMP_PKISI *status;
    X509 *newSigCert;                                 /* [0] OPTIONAL */
    STACK_OF(X509) *caCerts;                          /* [1] OPTIONAL */
    STACK_OF(OSSL_CMP_CERTIFIEDKEYPAIR) *keyPairHist; /* [2] OPTIONAL */
} OSSL_CMP_KEYRECREPCONTENT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
  319. /*-
  320. * ErrorMsgContent ::= SEQUENCE {
  321. * pKIStatusInfo PKIStatusInfo,
  322. * errorCode INTEGER OPTIONAL,
  323. * -- implementation-specific error codes
  324. * errorDetails PKIFreeText OPTIONAL
  325. * -- implementation-specific error details
  326. * }
  327. */
/* ErrorMsgContent: body of an error message (type 23) */
typedef struct ossl_cmp_errormsgcontent_st {
    OSSL_CMP_PKISI *pKIStatusInfo;
    ASN1_INTEGER *errorCode;            /* OPTIONAL, implementation-specific */
    OSSL_CMP_PKIFREETEXT *errorDetails; /* OPTIONAL, implementation-specific */
} OSSL_CMP_ERRORMSGCONTENT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
  334. /*-
  335. * CertConfirmContent ::= SEQUENCE OF CertStatus
  336. *
  337. * CertStatus ::= SEQUENCE {
  338. * certHash OCTET STRING,
  339. * -- the hash of the certificate, using the same hash algorithm
  340. * -- as is used to create and verify the certificate signature
  341. * certReqId INTEGER,
  342. * -- to match this confirmation with the corresponding req/rep
  343. * statusInfo PKIStatusInfo OPTIONAL
  344. * }
  345. */
/*
 * CertStatus: one entry of a certConf message.  certHash is computed with the
 * same hash algorithm as the certificate signature, so the server can match
 * the confirmation against the certificate it issued.
 */
struct ossl_cmp_certstatus_st {
    ASN1_OCTET_STRING *certHash;
    ASN1_INTEGER *certReqId;   /* matches the corresponding req/rep */
    OSSL_CMP_PKISI *statusInfo; /* OPTIONAL; absent means acceptance */
} /* OSSL_CMP_CERTSTATUS */;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)

/* CertConfirmContent ::= SEQUENCE OF CertStatus */
typedef STACK_OF(OSSL_CMP_CERTSTATUS) OSSL_CMP_CERTCONFIRMCONTENT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT)
  354. /*-
  355. * CertResponse ::= SEQUENCE {
  356. * certReqId INTEGER,
  357. * -- to match this response with corresponding request (a value
  358. * -- of -1 is to be used if certReqId is not specified in the
  359. * -- corresponding request)
  360. * status PKIStatusInfo,
  361. * certifiedKeyPair CertifiedKeyPair OPTIONAL,
  362. * rspInfo OCTET STRING OPTIONAL
  363. * -- analogous to the id-regInfo-utf8Pairs string defined
  364. * -- for regInfo in CertReqMsg [CRMF]
  365. * }
  366. */
/* CertResponse: one entry of a CertRepMessage (ip/cp/kup/ccp) */
struct ossl_cmp_certresponse_st {
    ASN1_INTEGER *certReqId; /* -1 if the request carried no certReqId */
    OSSL_CMP_PKISI *status;
    OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair; /* OPTIONAL */
    ASN1_OCTET_STRING *rspInfo;                  /* OPTIONAL */
} /* OSSL_CMP_CERTRESPONSE */;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
  374. /*-
  375. * CertRepMessage ::= SEQUENCE {
  376. * caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
  377. * OPTIONAL,
  378. * response SEQUENCE OF CertResponse
  379. * }
  380. */
/* CertRepMessage: body of ip/cp/kup/ccp responses */
struct ossl_cmp_certrepmessage_st {
    STACK_OF(X509) *caPubs; /* [1] OPTIONAL CA certs, stored into ctx->caPubs */
    STACK_OF(OSSL_CMP_CERTRESPONSE) *response;
} /* OSSL_CMP_CERTREPMESSAGE */;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
  386. /*-
  387. * PollReqContent ::= SEQUENCE OF SEQUENCE {
  388. * certReqId INTEGER
  389. * }
  390. */
/* PollReqContent entry: asks the server for the status of one pending request */
typedef struct ossl_cmp_pollreq_st {
    ASN1_INTEGER *certReqId;
} OSSL_CMP_POLLREQ;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
DEFINE_STACK_OF(OSSL_CMP_POLLREQ)

/* PollReqContent ::= SEQUENCE OF PollReq */
typedef STACK_OF(OSSL_CMP_POLLREQ) OSSL_CMP_POLLREQCONTENT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQCONTENT)
  398. /*-
  399. * PollRepContent ::= SEQUENCE OF SEQUENCE {
  400. * certReqId INTEGER,
  401. * checkAfter INTEGER, -- time in seconds
  402. * reason PKIFreeText OPTIONAL
  403. * }
  404. */
/*
 * PollRepContent entry.  checkAfter is a server-supplied delay in seconds;
 * note it is untrusted input and should be bounded by the client's
 * total_timeout rather than followed blindly (enforced elsewhere, not here).
 */
struct ossl_cmp_pollrep_st {
    ASN1_INTEGER *certReqId;
    ASN1_INTEGER *checkAfter;     /* time in seconds */
    OSSL_CMP_PKIFREETEXT *reason; /* OPTIONAL */
} /* OSSL_CMP_POLLREP */;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREP)
DEFINE_STACK_OF(OSSL_CMP_POLLREP)
/* OSSL_CMP_POLLREPCONTENT itself is typedef'd in the public header, presumably <openssl/cmp.h> */
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT)
  413. /*-
  414. * PKIHeader ::= SEQUENCE {
  415. * pvno INTEGER { cmp1999(1), cmp2000(2) },
  416. * sender GeneralName,
  417. * -- identifies the sender
  418. * recipient GeneralName,
  419. * -- identifies the intended recipient
  420. * messageTime [0] GeneralizedTime OPTIONAL,
  421. * -- time of production of this message (used when sender
  422. * -- believes that the transport will be "suitable"; i.e.,
  423. * -- that the time will still be meaningful upon receipt)
  424. * protectionAlg [1] AlgorithmIdentifier OPTIONAL,
  425. * -- algorithm used for calculation of protection bits
  426. * senderKID [2] KeyIdentifier OPTIONAL,
  427. * recipKID [3] KeyIdentifier OPTIONAL,
  428. * -- to identify specific keys used for protection
  429. * transactionID [4] OCTET STRING OPTIONAL,
  430. * -- identifies the transaction; i.e., this will be the same in
  431. * -- corresponding request, response, certConf, and PKIConf
  432. * -- messages
  433. * senderNonce [5] OCTET STRING OPTIONAL,
  434. * recipNonce [6] OCTET STRING OPTIONAL,
  435. * -- nonces used to provide replay protection, senderNonce
  436. * -- is inserted by the creator of this message; recipNonce
  437. * -- is a nonce previously inserted in a related message by
  438. * -- the intended recipient of this message
  439. * freeText [7] PKIFreeText OPTIONAL,
  440. * -- this may be used to indicate context-specific instructions
  441. * -- (this field is intended for human consumption)
  442. * generalInfo [8] SEQUENCE SIZE (1..MAX) OF
  443. * InfoTypeAndValue OPTIONAL
  444. * -- this may be used to convey context-specific information
  445. * -- (this field not primarily intended for human consumption)
  446. * }
  447. */
/*
 * PKIHeader (OSSL_CMP_PKIHEADER).  The trailing numbers are the context tags
 * from the ASN.1 above.  transactionID, senderNonce and recipNonce are the
 * fields that bind a response to its request and provide replay protection;
 * senderKID/recipKID identify the protection key (for MSG_MAC_ALG this is
 * where the referenceValue of the ctx goes).
 */
struct ossl_cmp_pkiheader_st {
    ASN1_INTEGER *pvno;
    GENERAL_NAME *sender;
    GENERAL_NAME *recipient;
    ASN1_GENERALIZEDTIME *messageTime; /* 0 */
    X509_ALGOR *protectionAlg; /* 1 */
    ASN1_OCTET_STRING *senderKID; /* 2 */
    ASN1_OCTET_STRING *recipKID; /* 3 */
    ASN1_OCTET_STRING *transactionID; /* 4 */
    ASN1_OCTET_STRING *senderNonce; /* 5 */
    ASN1_OCTET_STRING *recipNonce; /* 6 */
    OSSL_CMP_PKIFREETEXT *freeText; /* 7 */
    STACK_OF(OSSL_CMP_ITAV) *generalInfo; /* 8 */
} /* OSSL_CMP_PKIHEADER */;
/* Body content types that are plain SEQUENCE OF some already-defined type */
typedef STACK_OF(OSSL_CMP_CHALLENGE) OSSL_CMP_POPODECKEYCHALLCONTENT; /* popdecc [5] */
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYCHALLCONTENT)
typedef STACK_OF(ASN1_INTEGER) OSSL_CMP_POPODECKEYRESPCONTENT; /* popdecr [6] */
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYRESPCONTENT)
typedef STACK_OF(OSSL_CMP_REVDETAILS) OSSL_CMP_REVREQCONTENT; /* rr [11] */
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREQCONTENT)
typedef STACK_OF(X509_CRL) OSSL_CMP_CRLANNCONTENT; /* crlann [18] */
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CRLANNCONTENT)
typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENMSGCONTENT; /* genm [21] */
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENMSGCONTENT)
typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENREPCONTENT; /* genp [22] */
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENREPCONTENT)
  474. /*-
  475. * PKIBody ::= CHOICE { -- message-specific body elements
  476. * ir [0] CertReqMessages, --Initialization Request
  477. * ip [1] CertRepMessage, --Initialization Response
  478. * cr [2] CertReqMessages, --Certification Request
  479. * cp [3] CertRepMessage, --Certification Response
  480. * p10cr [4] CertificationRequest, --imported from [PKCS10]
  481. * popdecc [5] POPODecKeyChallContent, --pop Challenge
  482. * popdecr [6] POPODecKeyRespContent, --pop Response
  483. * kur [7] CertReqMessages, --Key Update Request
  484. * kup [8] CertRepMessage, --Key Update Response
  485. * krr [9] CertReqMessages, --Key Recovery Request
  486. * krp [10] KeyRecRepContent, --Key Recovery Response
  487. * rr [11] RevReqContent, --Revocation Request
  488. * rp [12] RevRepContent, --Revocation Response
  489. * ccr [13] CertReqMessages, --Cross-Cert. Request
  490. * ccp [14] CertRepMessage, --Cross-Cert. Response
  491. * ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann.
  492. * cann [16] CertAnnContent, --Certificate Ann.
  493. * rann [17] RevAnnContent, --Revocation Ann.
  494. * crlann [18] CRLAnnContent, --CRL Announcement
  495. * pkiconf [19] PKIConfirmContent, --Confirmation
  496. * nested [20] NestedMessageContent, --Nested Message
  497. * genm [21] GenMsgContent, --General Message
  498. * genp [22] GenRepContent, --General Response
  499. * error [23] ErrorMsgContent, --Error Message
  500. * certConf [24] CertConfirmContent, --Certificate confirm
  501. * pollReq [25] PollReqContent, --Polling request
  502. * pollRep [26] PollRepContent --Polling response
  503. * }
  504. */
/*
 * PKIBody (a CHOICE): 'type' holds the tag number 0..26 listed above and
 * selects the one valid member of 'value'.  Code that reads a member must
 * first check 'type'; reading another member is a type confusion.
 */
typedef struct ossl_cmp_pkibody_st {
    int type;
    union {
        OSSL_CRMF_MSGS *ir; /* 0 */
        OSSL_CMP_CERTREPMESSAGE *ip; /* 1 */
        OSSL_CRMF_MSGS *cr; /* 2 */
        OSSL_CMP_CERTREPMESSAGE *cp; /* 3 */
        /*-
         * p10cr [4] CertificationRequest, --imported from [PKCS10]
         *
         * PKCS10_CERTIFICATIONREQUEST is effectively X509_REQ
         * so it is used directly
         */
        X509_REQ *p10cr; /* 4 */
        /*-
         * popdecc [5] POPODecKeyChallContent, --pop Challenge
         *
         * POPODecKeyChallContent ::= SEQUENCE OF Challenge
         */
        OSSL_CMP_POPODECKEYCHALLCONTENT *popdecc; /* 5 */
        /*-
         * popdecr [6] POPODecKeyRespContent, --pop Response
         *
         * POPODecKeyRespContent ::= SEQUENCE OF INTEGER
         */
        OSSL_CMP_POPODECKEYRESPCONTENT *popdecr; /* 6 */
        OSSL_CRMF_MSGS *kur; /* 7 */
        OSSL_CMP_CERTREPMESSAGE *kup; /* 8 */
        OSSL_CRMF_MSGS *krr; /* 9 */
        /*-
         * krp [10] KeyRecRepContent, --Key Recovery Response
         */
        OSSL_CMP_KEYRECREPCONTENT *krp; /* 10 */
        /*-
         * rr [11] RevReqContent, --Revocation Request
         */
        OSSL_CMP_REVREQCONTENT *rr; /* 11 */
        /*-
         * rp [12] RevRepContent, --Revocation Response
         */
        OSSL_CMP_REVREPCONTENT *rp; /* 12 */
        /*-
         * ccr [13] CertReqMessages, --Cross-Cert. Request
         */
        OSSL_CRMF_MSGS *ccr; /* 13 */
        /*-
         * ccp [14] CertRepMessage, --Cross-Cert. Response
         */
        OSSL_CMP_CERTREPMESSAGE *ccp; /* 14 */
        /*-
         * ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann.
         */
        OSSL_CMP_CAKEYUPDANNCONTENT *ckuann; /* 15 */
        /*-
         * cann [16] CertAnnContent, --Certificate Ann.
         * OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly
         */
        X509 *cann; /* 16 */
        /*-
         * rann [17] RevAnnContent, --Revocation Ann.
         */
        OSSL_CMP_REVANNCONTENT *rann; /* 17 */
        /*-
         * crlann [18] CRLAnnContent, --CRL Announcement
         * CRLAnnContent ::= SEQUENCE OF CertificateList
         */
        OSSL_CMP_CRLANNCONTENT *crlann; /* 18 */
        /*-
         * PKIConfirmContent ::= NULL
         * pkiconf [19] PKIConfirmContent, --Confirmation
         * OSSL_CMP_PKICONFIRMCONTENT would be only a typedef of ASN1_NULL
         * OSSL_CMP_CONFIRMCONTENT *pkiconf;
         *
         * NOTE: this should be ASN1_NULL according to the RFC
         * but there might be a struct in it when sent from faulty servers...
         * Using ASN1_TYPE deliberately accepts such non-conforming content;
         * nothing of it is interpreted, so the leniency is confined to parsing.
         */
        ASN1_TYPE *pkiconf; /* 19 */
        /*-
         * nested [20] NestedMessageContent, --Nested Message
         * NestedMessageContent ::= PKIMessages
         */
        OSSL_CMP_MSGS *nested; /* 20 */
        /*-
         * genm [21] GenMsgContent, --General Message
         * GenMsgContent ::= SEQUENCE OF InfoTypeAndValue
         */
        OSSL_CMP_GENMSGCONTENT *genm; /* 21 */
        /*-
         * genp [22] GenRepContent, --General Response
         * GenRepContent ::= SEQUENCE OF InfoTypeAndValue
         */
        OSSL_CMP_GENREPCONTENT *genp; /* 22 */
        /*-
         * error [23] ErrorMsgContent, --Error Message
         */
        OSSL_CMP_ERRORMSGCONTENT *error; /* 23 */
        /*-
         * certConf [24] CertConfirmContent, --Certificate confirm
         */
        OSSL_CMP_CERTCONFIRMCONTENT *certConf; /* 24 */
        /*-
         * pollReq [25] PollReqContent, --Polling request
         */
        OSSL_CMP_POLLREQCONTENT *pollReq; /* 25 */
        /*-
         * pollRep [26] PollRepContent --Polling response
         */
        OSSL_CMP_POLLREPCONTENT *pollRep; /* 26 */
    } value;
} OSSL_CMP_PKIBODY;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
  616. /*-
  617. * PKIProtection ::= BIT STRING
  618. *
  619. * PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage
  620. *
  621. * PKIMessage ::= SEQUENCE {
  622. * header PKIHeader,
  623. * body PKIBody,
  624. * protection [0] PKIProtection OPTIONAL,
  625. * extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
  626. * OPTIONAL
  627. * }
  628. */
/*
 * PKIMessage (OSSL_CMP_MSG).  Per RFC 4210 the protection is computed over
 * ProtectedPart, i.e. header + body (see OSSL_CMP_PROTECTEDPART below);
 * extraCerts are NOT covered by it and must be treated as untrusted until
 * validated against ctx->trusted (or, with permitTAInExtraCertsForIR, used
 * as trust anchors by explicit policy).
 */
struct ossl_cmp_msg_st {
    OSSL_CMP_PKIHEADER *header;
    OSSL_CMP_PKIBODY *body;
    ASN1_BIT_STRING *protection; /* 0 */
    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
    STACK_OF(X509) *extraCerts; /* 1 */
} /* OSSL_CMP_MSG */;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSG)
  637. /*-
  638. * ProtectedPart ::= SEQUENCE {
  639. * header PKIHeader,
  640. * body PKIBody
  641. * }
  642. */
/*
 * ProtectedPart: the DER of this structure is what the signature or MAC in
 * OSSL_CMP_MSG.protection is computed over.
 */
typedef struct ossl_cmp_protectedpart_st {
    OSSL_CMP_PKIHEADER *header;
    OSSL_CMP_PKIBODY *body;
} OSSL_CMP_PROTECTEDPART;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PROTECTEDPART)
  648. /*-
  649. * this is not defined here as it is already in CRMF:
  650. * id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13}
  651. * PBMParameter ::= SEQUENCE {
  652. * salt OCTET STRING,
  653. * -- note: implementations MAY wish to limit acceptable sizes
  654. * -- of this string to values appropriate for their environment
  655. * -- in order to reduce the risk of denial-of-service attacks
  656. * owf AlgorithmIdentifier,
  657. * -- AlgId for a One-Way Function (SHA-1 recommended)
  658. * iterationCount INTEGER,
  659. * -- number of times the OWF is applied
  660. * -- note: implementations MAY wish to limit acceptable sizes
  661. * -- of this integer to values appropriate for their environment
  662. * -- in order to reduce the risk of denial-of-service attacks
  663. * mac AlgorithmIdentifier
  664. * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
  665. * } -- or HMAC [RFC2104, RFC2202])
  666. */
  667. /*-
  668. * TODO: this is not yet defined here - but DH is anyway not used yet
  669. *
  670. * id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30}
  671. * DHBMParameter ::= SEQUENCE {
  672. * owf AlgorithmIdentifier,
  673. * -- AlgId for a One-Way Function (SHA-1 recommended)
  674. * mac AlgorithmIdentifier
  675. * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
  676. * } -- or HMAC [RFC2104, RFC2202])
  677. */
/*-
 * The following is not handled here, because section 5.2.5 describes it
 * as being beyond the scope of CMP:
  681. * OOBCert ::= CMPCertificate
  682. *
  683. * OOBCertHash ::= SEQUENCE {
  684. * hashAlg [0] AlgorithmIdentifier OPTIONAL,
  685. * certId [1] CertId OPTIONAL,
  686. * hashVal BIT STRING
  687. * -- hashVal is calculated over the DER encoding of the
  688. * -- self-signed certificate with the identifier certID.
  689. * }
  690. */
  691. /* from cmp_asn.c */
/*
 * from cmp_asn.c: convert an ASN1_INTEGER to int.
 * NOTE(review): how out-of-range or negative values and errors are signalled
 * is not visible here; check cmp_asn.c before relying on the return value.
 */
int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a);
  693. /* from cmp_util.c */
/* from cmp_util.c */

/*
 * Split a log line of the form produced by ossl_cmp_print_log() into its
 * severity, function, file and line metadata; returns the remaining message.
 * Presumably *func and *file are allocated for the caller - verify in cmp_util.c.
 */
const char *ossl_cmp_log_parse_metadata(const char *buf,
                                        OSSL_CMP_severity *level, char **func,
                                        char **file, int *line);
/* Append txt to the error data of the current error queue entry */
# define ossl_cmp_add_error_data(txt) ERR_add_error_txt(" : ", txt)
# define ossl_cmp_add_error_line(txt) ERR_add_error_txt("\n", txt)

/* The two functions manipulating X509_STORE could be generally useful */
/* Add (copies/up-refs of) certs to store; only_self_issued restricts to self-issued ones */
int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
                                   int only_self_issued);
/* Returns a new stack holding up-ref'd copies of the certs in store; caller frees */
STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store);
/* Push a UTF8STRING made from text onto sk */
int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
                                         const char *text);
/* Replace *tgt with a copy of src (NULL src clears *tgt, presumably) */
int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
                                    const ASN1_OCTET_STRING *src);
/* Replace *tgt with a copy of len bytes; len is int, so callers must not pass a negative value */
int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
                                          const unsigned char *bytes, int len);
/*
 * Build the chain for cert using store as trust anchors and certs as
 * intermediates; returns a new stack (caller frees) or NULL.
 */
STACK_OF(X509) *ossl_cmp_build_cert_chain(OSSL_LIB_CTX *libctx, const char *propq,
                                          X509_STORE *store,
                                          STACK_OF(X509) *certs, X509 *cert);
  713. /* from cmp_ctx.c */
/* from cmp_ctx.c */

/*
 * Emit a log record through ctx->log_cb (subject to ctx->log_verbosity).
 * 'format' is a printf-style format string and must be a literal under the
 * caller's control - never a message received from the peer, which would be
 * a format-string vulnerability.  Peer-supplied text goes in as an argument.
 */
int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx,
                       const char *func, const char *file, int line,
                       const char *level_str, const char *format, ...);
/* ossl_cmp_log() wraps msg in "%s", so msg may be arbitrary text */
# define ossl_cmp_log(level, ctx, msg) \
    ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \
                       OPENSSL_LINE, #level, "%s", msg)
/* The ossl_cmp_logN() variants pass fmt through as the format string: keep fmt a literal */
# define ossl_cmp_log1(level, ctx, fmt, arg1) \
    ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \
                       OPENSSL_LINE, #level, fmt, arg1)
# define ossl_cmp_log2(level, ctx, fmt, arg1, arg2) \
    ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \
                       OPENSSL_LINE, #level, fmt, arg1, arg2)
# define ossl_cmp_log3(level, ctx, fmt, arg1, arg2, arg3) \
    ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \
                       OPENSSL_LINE, #level, fmt, arg1, arg2, arg3)
# define ossl_cmp_log4(level, ctx, fmt, arg1, arg2, arg3, arg4) \
    ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \
                       OPENSSL_LINE, #level, fmt, arg1, arg2, arg3, arg4)
/* aliases so that the short level names below paste into OSSL_CMP_LOG_## */
# define OSSL_CMP_LOG_ERROR OSSL_CMP_LOG_ERR
# define OSSL_CMP_LOG_WARN OSSL_CMP_LOG_WARNING
# define ossl_cmp_alert(ctx, msg) ossl_cmp_log(ALERT, ctx, msg)
# define ossl_cmp_err(ctx, msg) ossl_cmp_log(ERROR, ctx, msg)
# define ossl_cmp_warn(ctx, msg) ossl_cmp_log(WARN, ctx, msg)
# define ossl_cmp_info(ctx, msg) ossl_cmp_log(INFO, ctx, msg)
# define ossl_cmp_debug(ctx, msg) ossl_cmp_log(DEBUG, ctx, msg)

/*
 * Internal setters for the result fields of the ctx.  set0_* take ownership
 * of the argument, set1_* copy or up-ref it; all return 1 on success, 0 on error.
 */
int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert);
int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status);
int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx,
                                   OSSL_CMP_PKIFREETEXT *text);
int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info);
int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert);
int ossl_cmp_ctx_set1_newChain(OSSL_CMP_CTX *ctx, STACK_OF(X509) *newChain);
int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs);
int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
                                   STACK_OF(X509) *extraCertsIn);
/* Record the nonce just received, to be echoed as senderNonce... no: as recipNonce of our next message */
int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
                                 const ASN1_OCTET_STRING *nonce);
/* from cmp_status.c */
/*
 * Accessors for PKIStatusInfo (RFC 4210 section 5.2.3).  An OSSL_CMP_PKISI is
 * decoded from the peer's message, so every field is untrusted input:
 * statusString in particular is free text chosen by the peer and must never
 * reach a logger as the format string.
 */
/* Returns the PKIStatus enumeration value of |si|. */
int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si);
/* Human-readable name for a PKIStatus value, for diagnostics. */
const char *ossl_cmp_PKIStatus_to_string(int status);
/* Borrowed pointer (get0) to the optional statusString; NULL if absent. */
OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI *s);
/*
 * Returns the PKIFailureInfo of |si| as an int - presumably a bitmask of the
 * failure-reason bit positions, with a negative value when absent; confirm.
 */
int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si);
/* Tests whether failure-info bit |index| is set in |si|. */
int ossl_cmp_pkisi_check_pkifailureinfo(const OSSL_CMP_PKISI *si, int index);
/* from cmp_hdr.c */
/* PKIHeader pvno (protocol version number) setter / getter. */
int ossl_cmp_hdr_set_pvno(OSSL_CMP_PKIHEADER *hdr, int pvno);
int ossl_cmp_hdr_get_pvno(const OSSL_CMP_PKIHEADER *hdr);
/* NID of the header's protectionAlg, i.e. the MAC/signature algorithm used. */
int ossl_cmp_hdr_get_protection_nid(const OSSL_CMP_PKIHEADER *hdr);
/* Borrowed pointer (get0) to the senderNonce, or NULL if the field is absent. */
ASN1_OCTET_STRING *ossl_cmp_hdr_get0_senderNonce(const OSSL_CMP_PKIHEADER *hdr);
/*
 * True if |name| is a directoryName carrying an empty DN (the "NULL-DN" CMP
 * uses when a sender/recipient name is not known).
 * NOTE(review): nothing here suggests |name| is modified; the parameter could
 * be const GENERAL_NAME * if the implementation allows it.
 */
int ossl_cmp_general_name_is_NULL_DN(GENERAL_NAME *name);
/* Sets the header sender / recipient to a copy of |nm| (NULL presumably yields the NULL-DN). */
int ossl_cmp_hdr_set1_sender(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm);
int ossl_cmp_hdr_set1_recipient(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm);
/* Sets messageTime to the current time. */
int ossl_cmp_hdr_update_messageTime(OSSL_CMP_PKIHEADER *hdr);
/* Sets senderKID to a copy of |senderKID| (key identifier used to select the protection key). */
int ossl_cmp_hdr_set1_senderKID(OSSL_CMP_PKIHEADER *hdr,
                                const ASN1_OCTET_STRING *senderKID);
/* Appends |text| to the header freeText; push0 takes ownership, push1 copies. */
int ossl_cmp_hdr_push0_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text);
int ossl_cmp_hdr_push1_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text);
/* Appends ITAVs to the header generalInfo; push0 takes ownership, push1 copies. */
int ossl_cmp_hdr_generalInfo_push0_item(OSSL_CMP_PKIHEADER *hdr,
                                        OSSL_CMP_ITAV *itav);
int ossl_cmp_hdr_generalInfo_push1_items(OSSL_CMP_PKIHEADER *hdr,
                                         const STACK_OF(OSSL_CMP_ITAV) *itavs);
/* implicitConfirm generalInfo flag (RFC 4210 section 5.1.1.1): set / query. */
int ossl_cmp_hdr_set_implicitConfirm(OSSL_CMP_PKIHEADER *hdr);
int ossl_cmp_hdr_has_implicitConfirm(const OSSL_CMP_PKIHEADER *hdr);
/*
 * Byte lengths of the transactionID and senderNonce generated by this
 * implementation.  16 bytes = 128 bits, the amount of random data RFC 4210
 * section 5.1.1 recommends for nonces.  Both values must be unpredictable:
 * the transactionID binds the messages of one transaction together and the
 * nonces are the replay/reflection defence, so they have to be drawn from a
 * CSPRNG (RAND_bytes or its libctx-aware equivalent) - presumably done by
 * ossl_cmp_hdr_set_transactionID() / ossl_cmp_hdr_init(); confirm there.
 */
# define OSSL_CMP_TRANSACTIONID_LENGTH 16
# define OSSL_CMP_SENDERNONCE_LENGTH 16
/* Sets hdr->transactionID from |ctx|, generating one if the context has none (presumed). */
int ossl_cmp_hdr_set_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr);
/* Fills in the standard header fields of a new message from |ctx|. */
int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr);
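/* from cmp_msg.c */
/*
 * OSSL_CMP_MSG bodytype ASN.1 choice IDs.  The values are the PKIBody CHOICE
 * tag numbers of RFC 4210 section 5.1.2 and must not be renumbered: they are
 * what goes on the wire.  A bodytype received from the peer is untrusted and
 * has to be range-checked against OSSL_CMP_PKIBODY_TYPE_MAX before it is used
 * as an index.
 */
# define OSSL_CMP_PKIBODY_IR 0
# define OSSL_CMP_PKIBODY_IP 1
# define OSSL_CMP_PKIBODY_CR 2
# define OSSL_CMP_PKIBODY_CP 3
# define OSSL_CMP_PKIBODY_P10CR 4
# define OSSL_CMP_PKIBODY_POPDECC 5
# define OSSL_CMP_PKIBODY_POPDECR 6
# define OSSL_CMP_PKIBODY_KUR 7
# define OSSL_CMP_PKIBODY_KUP 8
# define OSSL_CMP_PKIBODY_KRR 9
# define OSSL_CMP_PKIBODY_KRP 10
# define OSSL_CMP_PKIBODY_RR 11
# define OSSL_CMP_PKIBODY_RP 12
# define OSSL_CMP_PKIBODY_CCR 13
# define OSSL_CMP_PKIBODY_CCP 14
# define OSSL_CMP_PKIBODY_CKUANN 15
# define OSSL_CMP_PKIBODY_CANN 16
# define OSSL_CMP_PKIBODY_RANN 17
# define OSSL_CMP_PKIBODY_CRLANN 18
# define OSSL_CMP_PKIBODY_PKICONF 19
# define OSSL_CMP_PKIBODY_NESTED 20
# define OSSL_CMP_PKIBODY_GENM 21
# define OSSL_CMP_PKIBODY_GENP 22
# define OSSL_CMP_PKIBODY_ERROR 23
# define OSSL_CMP_PKIBODY_CERTCONF 24
# define OSSL_CMP_PKIBODY_POLLREQ 25
# define OSSL_CMP_PKIBODY_POLLREP 26
# define OSSL_CMP_PKIBODY_TYPE_MAX OSSL_CMP_PKIBODY_POLLREP
/* certReqId for the first - and so far only - certificate request */
# define OSSL_CMP_CERTREQID 0
/* sequence id for the first - and so far only - revocation request */
# define OSSL_CMP_REVREQSID 0
/* Human-readable name of a bodytype, for diagnostics. */
const char *ossl_cmp_bodytype_to_string(int type);
/* Bodytype setter / getter; the getter presumably returns -1 for a bad message. */
int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type);
int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg);
/* Allocates a message of type |bodytype| with its header initialised from |ctx|. */
OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype);
/*
 * Message constructors.  Each returns a newly allocated message (caller frees)
 * or NULL on error.  The constructors that take an "unprotected" style flag
 * (ossl_cmp_certrep_new, ossl_cmp_rp_new, ossl_cmp_error_new) are the
 * server-side paths that may emit a response without message protection; an
 * unprotected error/rejection can be injected by an on-path attacker, so that
 * flag should only be set when the server's configured policy explicitly
 * allows it, and clients must not treat such messages as authoritative.
 */
/* Certificate request (ir/cr/kur/p10cr per |bodytype|) wrapping |crm|. */
OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype,
                                   const OSSL_CRMF_MSG *crm);
/* Certificate response (ip/cp/kup) for |certReqId| carrying |si|, |cert|, |chain| and |caPubs|. */
OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
                                   int certReqId, OSSL_CMP_PKISI *si,
                                   X509 *cert, STACK_OF(X509) *chain,
                                   STACK_OF(X509) *caPubs, int encrypted,
                                   int unprotectedErrors);
/* Revocation request built from the context's configured state. */
OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx);
/* Revocation response carrying |si| and the optional |certId|. */
OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
                              OSSL_CRMF_CERTID *certId, int unprot_err);
/* PKIConfirm message. */
OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx);
/* Adds an ITAV to a genm/genp body; push0 takes ownership, push1 copies. */
int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav);
int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg,
                                 const STACK_OF(OSSL_CMP_ITAV) *itavs);
/* General message / general response. */
OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx);
OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx,
                                const STACK_OF(OSSL_CMP_ITAV) *itavs);
/*
 * Error message with status |si|, |errorCode| and free-text |details|.
 * |details| ends up in the message body as PKIFreeText; pass it as data,
 * never through a format string.
 */
OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
                                 int errorCode,
                                 const char *details, int unprotected);
/* Sets the certHash of a certConf CertStatus (RFC 4210 section 5.3.18); takes ownership of |hash|. */
int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
                                      ASN1_OCTET_STRING *hash);
/* certConf message; |fail_info| != 0 with |text| rejects the new certificate. */
OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
                                    const char *text);
/*
 * Polling messages for request id |crid|.  ossl_cmp_pollRep_new was declared
 * twice in this header; the duplicate has been dropped, this is the one
 * declaration.
 */
OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid);
OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
                                   int64_t poll_after);
/*
 * Lookups into peer-supplied response sequences by request/sequence id.  The
 * ids come from this side, but the sequences come from the wire, so each
 * function must bounds-check |rsid| / |rid| against the decoded stack and
 * return NULL when there is no matching entry - confirm in cmp_msg.c.
 */
OSSL_CMP_PKISI *
ossl_cmp_revrepcontent_get_pkisi(OSSL_CMP_REVREPCONTENT *rrep, int rsid);
OSSL_CRMF_CERTID *ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rc,
                                                     int rsid);
OSSL_CMP_POLLREP *
ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc,
                                     int rid);
OSSL_CMP_CERTRESPONSE *
ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
                                          int rid);
/*
 * Extracts (get1: caller frees) the certificate from |crep|.  |pkey| is
 * presumably the private key needed when the CA returned the certificate in
 * encrypted form (RFC 4210 section 5.3.4 indirect POP); confirm.
 */
X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep,
                                      const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
/* Decodes a message from |file|; the file content is untrusted input to the ASN.1 parser. */
OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file);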
/* from cmp_protect.c */
/* Populates msg->extraCerts from the context's configured certificates. */
int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
/*
 * Computes the PKIProtection value over |msg|'s header and body using the
 * credentials in |ctx| (MAC- or signature-based, depending on what the
 * context holds - confirm).  Returns a new ASN1_BIT_STRING the caller frees,
 * or NULL on error.
 */
ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx,
                                          const OSSL_CMP_MSG *msg);
/*
 * Applies protection to |msg| in place.  Must be the last step before
 * sending: any later change to the header or body invalidates the protection.
 */
int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
/* from cmp_vfy.c */
/*
 * Policy hook consulted when a received |msg| carries no protection, or
 * protection that failed to verify (|invalid_protection| != 0).  Returning
 * non-zero accepts the message anyway.
 *
 * SECURITY: this callback is the one place where message authentication can
 * be waived, so its policy must stay narrow - accept only the specific
 * message types and conditions the caller has deliberately allowed (|arg| is
 * the caller's cb_arg for that purpose), and never an invalidly protected
 * message on a path that later trusts its contents.
 */
typedef int (*ossl_cmp_allow_unprotected_cb_t)(const OSSL_CMP_CTX *ctx,
                                               const OSSL_CMP_MSG *msg,
                                               int invalid_protection, int arg);
/*
 * Validates a received message (protection, header consistency, expected
 * transactionID / nonces - confirm the exact checks in cmp_vfy.c) and, for the
 * _update variant, presumably records state such as the peer's senderNonce in
 * |ctx| for the next round.  |cb| / |cb_arg| decide about unprotected input
 * as described above; a NULL |cb| is presumed to mean "reject".
 */
int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
                              ossl_cmp_allow_unprotected_cb_t cb, int cb_arg);
int ossl_cmp_msg_check_received(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
                                ossl_cmp_allow_unprotected_cb_t cb, int cb_arg);
/*
 * Verifies the proof-of-possession of the private key in a certificate
 * request.  |accept_RAVerified| allows the raVerified POPO (RFC 4211 section
 * 4), i.e. trusts an RA's assertion that it checked POP itself.  Only set it
 * when the request is authenticated as coming from an RA trusted for that
 * purpose; otherwise any requester could obtain a certificate for a key it
 * does not hold.
 */
int ossl_cmp_verify_popo(const OSSL_CMP_CTX *ctx,
                         const OSSL_CMP_MSG *msg, int accept_RAVerified);
/* from cmp_client.c */
/*
 * Client-side round trips.  Each builds the named message from |ctx|, sends
 * it through the context's transfer callback and processes the reply
 * (presumed from the "exchange" naming; confirm in cmp_client.c).
 */
/* Sends a certConf; |fail_info| != 0 with |txt| rejects the enrolled cert. */
int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int fail_info,
                               const char *txt);
/* Sends an error message with the given status/failInfo/code; |txt| and |detail| are free text, pass them as data not as a format. */
int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info,
                            const char *txt, int errorCode, const char *detail);
#endif /* !defined(OSSL_CRYPTO_CMP_LOCAL_H) */