2
0

OSSL_CMP_exec_certreq.pod 7.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174
  1. =pod
  2. =head1 NAME
  3. OSSL_CMP_exec_certreq,
  4. OSSL_CMP_exec_IR_ses,
  5. OSSL_CMP_exec_CR_ses,
  6. OSSL_CMP_exec_P10CR_ses,
  7. OSSL_CMP_exec_KUR_ses,
  8. OSSL_CMP_IR,
  9. OSSL_CMP_CR,
  10. OSSL_CMP_P10CR,
  11. OSSL_CMP_KUR,
  12. OSSL_CMP_try_certreq,
  13. OSSL_CMP_exec_RR_ses,
  14. OSSL_CMP_exec_GENM_ses
  15. - functions implementing CMP client transactions
  16. =head1 SYNOPSIS
  17. #include <openssl/cmp.h>
  18. X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
  19. const OSSL_CRMF_MSG *crm);
  20. X509 *OSSL_CMP_exec_IR_ses(OSSL_CMP_CTX *ctx);
  21. X509 *OSSL_CMP_exec_CR_ses(OSSL_CMP_CTX *ctx);
  22. X509 *OSSL_CMP_exec_P10CR_ses(OSSL_CMP_CTX *ctx);
  23. X509 *OSSL_CMP_exec_KUR_ses(OSSL_CMP_CTX *ctx);
  24. #define OSSL_CMP_IR
  25. #define OSSL_CMP_CR
  26. #define OSSL_CMP_P10CR
  27. #define OSSL_CMP_KUR
  28. int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
  29. const OSSL_CRMF_MSG *crm, int *checkAfter);
  30. X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
  31. STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx);
  32. =head1 DESCRIPTION
  33. This is the OpenSSL API for doing CMP (Certificate Management Protocol)
  34. client-server transactions, i.e., sequences of CMP requests and responses.
  35. All functions take a populated OSSL_CMP_CTX structure as their first argument.
  36. Usually the server name, port, and path ("CMP alias") need to be set, as well as
  37. credentials the client can use for authenticating itself to the client.
  38. In order to authenticate the server the client typically needs a trust store.
  39. The functions return their respective main results directly, while there are
  40. also accessor functions for retrieving various results and status information
  41. from the B<ctx>. See L<OSSL_CMP_CTX_new(3)> etc. for details.
  42. The default conveying protocol is HTTP.
  43. Timeout values may be given per request-response pair and per transaction.
  44. See L<OSSL_CMP_MSG_http_perform(3)> for details.
  45. OSSL_CMP_exec_IR_ses() requests an initial certificate from the given PKI.
  46. OSSL_CMP_exec_CR_ses() requests an additional certificate.
  47. OSSL_CMP_exec_P10CR_ses() conveys a legacy PKCS#10 CSR requesting a certificate.
  48. OSSL_CMP_exec_KUR_ses() obtains an updated certificate.
  49. These four types of certificate enrollment are implemented as macros
  50. calling OSSL_CMP_exec_certreq().
  51. OSSL_CMP_exec_certreq() performs a certificate request of the type specified
  52. by the B<req_type> parameter, which may be IR, CR, P10CR, or KUR.
  53. For IR, CR, and KUR, the certificate template to be used in the request
  54. may be supplied via the B<crm> parameter pointing to a CRMF structure.
  55. Typically B<crm> is NULL, then the template ingredients are taken from B<ctx>
  56. and need to be filled in using L<OSSL_CMP_CTX_set1_subjectName(3)>,
  57. L<OSSL_CMP_CTX_set0_newPkey(3)>, L<OSSL_CMP_CTX_set1_oldCert(3)>, etc.
  58. For P10CR, L<OSSL_CMP_CTX_set1_p10CSR(3)> needs to be used instead.
  59. The enrollment session may be blocked by sleeping until the addressed
  60. CA (or an intermedate PKI component) can fully process and answer the request.
  61. OSSL_CMP_try_certreq() is an alternative to the above functions that is
  62. more flexible regarding what to do after receiving a checkAfter value.
  63. When called for the first time (with no certificate request in progress for
  64. the given B<ctx>) it starts a new transaction by sending a certificate request
  65. constructed as stated above using the B<req_type> and optional B<crm> parameter.
  66. Otherwise (when according to B<ctx> a 'waiting' status has been received before)
  67. it continues polling for the pending request
  68. unless the B<req_type> argument is < 0, which aborts the request.
  69. If the requested certificate is available the function returns 1 and the
  70. caller can use L<OSSL_CMP_CTX_get0_newCert(3)> to retrieve the new certificate.
  71. If no error occurred but no certificate is available yet then
  72. OSSL_CMP_try_certreq() remembers in the CMP context that it should be retried
  73. and returns -1 after assigning the received checkAfter value
  74. via the output pointer argument (unless it is NULL).
  75. The checkAfter value indicates the number of seconds the caller should let pass
  76. before trying again. The caller is free to sleep for the given number of seconds
  77. or for some other time and/or to do anything else before retrying by calling
  78. OSSL_CMP_try_certreq() again with the same parameter values as before.
  79. OSSL_CMP_try_certreq() then polls
  80. to see whether meanwhile the requested certificate is available.
  81. If the caller decides to abort the pending certificate request and provides
  82. a negative value as the B<req_type> argument then OSSL_CMP_try_certreq()
  83. aborts the CMP transaction by sending an error message to the server.
  84. OSSL_CMP_exec_RR_ses() requests the revocation of the certificate
  85. specified in the B<ctx> using L<OSSL_CMP_CTX_set1_oldCert(3)>.
  86. RFC 4210 is vague in which PKIStatus should be returned by the server.
  87. We take "accepted" and "grantedWithMods" as clear success and handle
  88. "revocationWarning" and "revocationNotification" just as warnings because CAs
  89. typically return them as an indication that the certificate was already revoked.
  90. "rejection" is a clear error. The values "waiting" and "keyUpdateWarning"
  91. make no sense for revocation and thus are treated as an error as well.
  92. OSSL_CMP_exec_GENM_ses() sends a general message containing the sequence of
  93. infoType and infoValue pairs (InfoTypeAndValue; short: B<ITAV>)
  94. provided in the B<ctx> using L<OSSL_CMP_CTX_push0_genm_ITAV(3)>.
  95. It returns the list of B<ITAV>s received in the GenRep.
  96. This can be used, for instance, to poll for CRLs or CA Key Updates.
  97. See RFC 4210 section 5.3.19 and appendix E.5 for details.
  98. =head1 NOTES
  99. CMP is defined in RFC 4210 (and CRMF in RFC 4211).
  100. So far the CMP client implementation is limited to one request per CMP message
  101. (and consequently to at most one response component per CMP message).
  102. =head1 RETURN VALUES
  103. OSSL_CMP_exec_certreq(), OSSL_CMP_exec_IR_ses(), OSSL_CMP_exec_CR_ses(),
  104. OSSL_CMP_exec_P10CR_ses(), and OSSL_CMP_exec_KUR_ses() return a
  105. pointer to the newly obtained X509 certificate on success, B<NULL> on error.
  106. This pointer will be freed implicitly by OSSL_CMP_CTX_free() or
  107. CSSL_CMP_CTX_reinit().
  108. OSSL_CMP_try_certreq() returns 1 if the requested certificate is available
  109. via L<OSSL_CMP_CTX_get0_newCert(3)>
  110. or on successfully aborting a pending certificate request, 0 on error, and -1
  111. in case a 'waiting' status has been received and checkAfter value is available.
  112. In the latter case L<OSSL_CMP_CTX_get0_newCert(3)> yields NULL
  113. and the output parameter B<checkAfter> has been used to
  114. assign the received value unless B<checkAfter> is NULL.
  115. OSSL_CMP_exec_RR_ses() returns the
  116. pointer to the revoked certificate on success, B<NULL> on error.
  117. This pointer will be freed implicitly by OSSL_CMP_CTX_free().
  118. OSSL_CMP_exec_GENM_ses() returns a
  119. pointer to the received B<ITAV> sequence on success, B<NULL> on error.
  120. This pointer must be freed by the caller.
  121. =head1 EXAMPLES
  122. See OSSL_CMP_CTX for examples on how to prepare the context for these
  123. functions.
  124. =head1 SEE ALSO
  125. L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_CTX_free(3)>,
  126. L<OSSL_CMP_CTX_set1_subjectName(3)>, L<OSSL_CMP_CTX_set0_newPkey(3)>,
  127. L<OSSL_CMP_CTX_set1_p10CSR(3)>, L<OSSL_CMP_CTX_set1_oldCert(3)>,
  128. L<OSSL_CMP_CTX_get0_newCert(3)>, L<OSSL_CMP_CTX_push0_genm_ITAV(3)>,
  129. L<OSSL_CMP_MSG_http_perform(3)>
  130. =head1 HISTORY
  131. The OpenSSL CMP support was added in OpenSSL 3.0.
  132. =head1 COPYRIGHT
  133. Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
  134. Licensed under the Apache License 2.0 (the "License"). You may not use
  135. this file except in compliance with the License. You can obtain a copy
  136. in the file LICENSE in the source distribution or at
  137. L<https://www.openssl.org/source/license.html>.
  138. =cut