OSSL_CMP_validate_msg.pod 3.2 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879
  1. =pod
  2. =head1 NAME
  3. OSSL_CMP_validate_msg,
  4. OSSL_CMP_validate_cert_path
  5. - functions for verifying CMP message protection
  6. =head1 SYNOPSIS
  7. #include <openssl/cmp.h>
  8. int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
  9. int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
  10. X509_STORE *trusted_store, X509 *cert);
  11. =head1 DESCRIPTION
  12. This is the API for validating the protection of CMP messages,
  13. which includes validating CMP message sender certificates and their paths
  14. while optionally checking the revocation status of the certificates(s).
  15. OSSL_CMP_validate_msg() validates the protection of the given C<msg>
  16. using either password-based mac (PBM) or a signature algorithm.
  17. In case of signature algorithm, the certificate to use for the signature check
  18. is preferably the one provided by a call to L<OSSL_CMP_CTX_set1_srvCert(3)>.
  19. If no such sender cert has been pinned then candidate sender certificates are
  20. taken from the list of certificates received in the C<msg> extraCerts, then any
  21. certificates provided before via L<OSSL_CMP_CTX_set1_untrusted(3)>, and
  22. then all trusted certificates provided via L<OSSL_CMP_CTX_set0_trustedStore(3)>,
  23. where a candidate is acceptable only if has not expired, its subject DN matches
  24. the C<msg> sender DN (as far as present), and its subject key identifier
  25. is present and matches the senderKID (as far as the latter present).
  26. Each acceptable cert is tried in the given order to see if the message
  27. signature check succeeds and the cert and its path can be verified
  28. using any trust store set via L<OSSL_CMP_CTX_set0_trustedStore(3)>.
  29. If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling
  30. L<OSSL_CMP_CTX_set_option(3)>, for an Initialization Response (IP) message
  31. any self-issued certificate from the C<msg> extraCerts field may also be used
  32. as trust anchor for the path verification of an acceptable cert if it can be
  33. used also to validate the issued certificate returned in the IP message. This is
  34. according to TS 33.310 [Network Domain Security (NDS); Authentication Framework
  35. (AF)] document specified by the The 3rd Generation Partnership Project (3GPP).
  36. Any cert that has been found as described above is cached and tried first when
  37. validating the signatures of subsequent messages in the same transaction.
  38. OSSL_CMP_validate_cert_path() attempts to validate the given certificate and its
  39. path using the given store of trusted certs (possibly including CRLs and a cert
  40. verification callback) and non-trusted intermediate certs from the B<ctx>.
  41. =head1 NOTES
  42. CMP is defined in RFC 4210 (and CRMF in RFC 4211).
  43. =head1 RETURN VALUES
  44. OSSL_CMP_validate_msg() and OSSL_CMP_validate_cert_path()
  45. return 1 on success, 0 on error or validation failed.
  46. =head1 SEE ALSO
  47. L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_certreq(3)>
  48. =head1 HISTORY
  49. The OpenSSL CMP support was added in OpenSSL 3.0.
  50. =head1 COPYRIGHT
  51. Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
  52. Licensed under the Apache License 2.0 (the "License"). You may not use
  53. this file except in compliance with the License. You can obtain a copy
  54. in the file LICENSE in the source distribution or at
  55. L<https://www.openssl.org/source/license.html>.
  56. =cut