cmp_local.h 40 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932
  1. /*
  2. * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright Nokia 2007-2019
  4. * Copyright Siemens AG 2015-2019
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. #ifndef OSSL_CRYPTO_CMP_LOCAL_H
  12. # define OSSL_CRYPTO_CMP_LOCAL_H
  13. # include "internal/cryptlib.h"
  14. # include <openssl/cmp.h>
  15. # include <openssl/err.h>
  16. /* explicit #includes not strictly needed since implied by the above: */
  17. # include <openssl/crmf.h>
  18. # include <openssl/types.h>
  19. # include <openssl/safestack.h>
  20. # include <openssl/x509.h>
  21. # include <openssl/x509v3.h>
  22. # include "crypto/x509.h"
  23. #define IS_NULL_DN(name) (X509_NAME_get_entry(name, 0) == NULL)
  24. /*
  25. * this structure is used to store the context for CMP sessions
  26. */
  27. struct ossl_cmp_ctx_st {
  28. OSSL_LIB_CTX *libctx;
  29. char *propq;
  30. OSSL_CMP_log_cb_t log_cb; /* log callback for error/debug/etc. output */
  31. OSSL_CMP_severity log_verbosity; /* level of verbosity of log output */
  32. /* message transfer */
  33. OSSL_CMP_transfer_cb_t transfer_cb; /* default: OSSL_CMP_MSG_http_perform */
  34. void *transfer_cb_arg; /* allows to store optional argument to cb */
  35. /* HTTP-based transfer */
  36. OSSL_HTTP_REQ_CTX *http_ctx;
  37. char *serverPath;
  38. char *server;
  39. int serverPort;
  40. char *proxy;
  41. char *no_proxy;
  42. int keep_alive; /* persistent connection: 0=no, 1=prefer, 2=require */
  43. int msg_timeout; /* max seconds to wait for each CMP message round trip */
  44. int total_timeout; /* max number of seconds an enrollment may take, incl. */
  45. /* attempts polling for a response if a 'waiting' PKIStatus is received */
  46. time_t end_time; /* session start time + totaltimeout */
  47. OSSL_HTTP_bio_cb_t http_cb;
  48. void *http_cb_arg; /* allows to store optional argument to cb */
  49. /* server authentication */
  50. /*
  51. * unprotectedErrors may be set as workaround for broken server responses:
  52. * accept missing or invalid protection of regular error messages, negative
  53. * certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf
  54. */
  55. int unprotectedErrors;
  56. X509 *srvCert; /* certificate used to identify the server */
  57. X509 *validatedSrvCert; /* caches any already validated server cert */
  58. X509_NAME *expected_sender; /* expected sender in header of response */
  59. X509_STORE *trusted; /* trust store maybe w CRLs and cert verify callback */
  60. STACK_OF(X509) *untrusted; /* untrusted (intermediate CA) certs */
  61. int ignore_keyusage; /* ignore key usage entry when validating certs */
  62. /*
  63. * permitTAInExtraCertsForIR allows use of root certs in extracerts
  64. * when validating message protection; this is used for 3GPP-style E.7
  65. */
  66. int permitTAInExtraCertsForIR;
  67. /* client authentication */
  68. int unprotectedSend; /* send unprotected PKI messages */
  69. X509 *cert; /* protection cert used to identify and sign for MSG_SIG_ALG */
  70. STACK_OF(X509) *chain; /* (cached) chain of protection cert including it */
  71. EVP_PKEY *pkey; /* the key pair corresponding to cert */
  72. ASN1_OCTET_STRING *referenceValue; /* optional username for MSG_MAC_ALG */
  73. ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */
  74. /* PBMParameters for MSG_MAC_ALG */
  75. size_t pbm_slen; /* salt length, currently fixed to 16 */
  76. EVP_MD *pbm_owf; /* one-way function (OWF), default: SHA256 */
  77. int pbm_itercnt; /* OWF iteration count, currently fixed to 500 */
  78. int pbm_mac; /* NID of MAC algorithm, default: HMAC-SHA1 as per RFC 4210 */
  79. /* CMP message header and extra certificates */
  80. X509_NAME *recipient; /* to set in recipient in pkiheader */
  81. EVP_MD *digest; /* digest used in MSG_SIG_ALG and POPO, default SHA256 */
  82. ASN1_OCTET_STRING *transactionID; /* the current transaction ID */
  83. ASN1_OCTET_STRING *senderNonce; /* last nonce sent */
  84. ASN1_OCTET_STRING *recipNonce; /* last nonce received */
  85. ASN1_UTF8STRING *freeText; /* optional string to include each msg */
  86. STACK_OF(OSSL_CMP_ITAV) *geninfo_ITAVs;
  87. int implicitConfirm; /* set implicitConfirm in IR/KUR/CR messages */
  88. int disableConfirm; /* disable certConf in IR/KUR/CR for broken servers */
  89. STACK_OF(X509) *extraCertsOut; /* to be included in request messages */
  90. /* certificate template */
  91. EVP_PKEY *newPkey; /* explicit new private/public key for cert enrollment */
  92. int newPkey_priv; /* flag indicating if newPkey contains private key */
  93. X509_NAME *issuer; /* issuer name to used in cert template */
  94. int days; /* Number of days new certificates are asked to be valid for */
  95. X509_NAME *subjectName; /* subject name to be used in cert template */
  96. STACK_OF(GENERAL_NAME) *subjectAltNames; /* to add to the cert template */
  97. int SubjectAltName_nodefault;
  98. int setSubjectAltNameCritical;
  99. X509_EXTENSIONS *reqExtensions; /* exts to be added to cert template */
  100. CERTIFICATEPOLICIES *policies; /* policies to be included in extensions */
  101. int setPoliciesCritical;
  102. int popoMethod; /* Proof-of-possession mechanism; default: signature */
  103. X509 *oldCert; /* cert to be updated (via KUR) or to be revoked (via RR) */
  104. X509_REQ *p10CSR; /* for P10CR: PKCS#10 CSR to be sent */
  105. /* misc body contents */
  106. int revocationReason; /* revocation reason code to be included in RR */
  107. STACK_OF(OSSL_CMP_ITAV) *genm_ITAVs; /* content of general message */
  108. /* result returned in responses */
  109. int status; /* PKIStatus of last received IP/CP/KUP/RP/error or -1 */
  110. OSSL_CMP_PKIFREETEXT *statusString; /* of last IP/CP/KUP/RP/error */
  111. int failInfoCode; /* failInfoCode of last received IP/CP/KUP/error, or -1 */
  112. X509 *newCert; /* newly enrolled cert received from the CA */
  113. STACK_OF(X509) *newChain; /* chain of newly enrolled cert received */
  114. STACK_OF(X509) *caPubs; /* CA certs received from server (in IP message) */
  115. STACK_OF(X509) *extraCertsIn; /* extraCerts received from server */
  116. /* certificate confirmation */
  117. OSSL_CMP_certConf_cb_t certConf_cb; /* callback for app checking new cert */
  118. void *certConf_cb_arg; /* allows to store an argument individual to cb */
  119. } /* OSSL_CMP_CTX */;
  120. /*
  121. * ##########################################################################
  122. * ASN.1 DECLARATIONS
  123. * ##########################################################################
  124. */
  125. /*-
  126. * RevAnnContent ::= SEQUENCE {
  127. * status PKIStatus,
  128. * certId CertId,
  129. * willBeRevokedAt GeneralizedTime,
  130. * badSinceDate GeneralizedTime,
  131. * crlDetails Extensions OPTIONAL
  132. * -- extra CRL details (e.g., crl number, reason, location, etc.)
  133. * }
  134. */
  135. typedef struct ossl_cmp_revanncontent_st {
  136. ASN1_INTEGER *status;
  137. OSSL_CRMF_CERTID *certId;
  138. ASN1_GENERALIZEDTIME *willBeRevokedAt;
  139. ASN1_GENERALIZEDTIME *badSinceDate;
  140. X509_EXTENSIONS *crlDetails;
  141. } OSSL_CMP_REVANNCONTENT;
  142. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
  143. /*-
  144. * Challenge ::= SEQUENCE {
  145. * owf AlgorithmIdentifier OPTIONAL,
  146. *
  147. * -- MUST be present in the first Challenge; MAY be omitted in
  148. * -- any subsequent Challenge in POPODecKeyChallContent (if
  149. * -- omitted, then the owf used in the immediately preceding
  150. * -- Challenge is to be used).
  151. *
  152. * witness OCTET STRING,
  153. * -- the result of applying the one-way function (owf) to a
  154. * -- randomly-generated INTEGER, A. [Note that a different
  155. * -- INTEGER MUST be used for each Challenge.]
  156. * challenge OCTET STRING
  157. * -- the encryption (under the public key for which the cert.
  158. * -- request is being made) of Rand, where Rand is specified as
  159. * -- Rand ::= SEQUENCE {
  160. * -- int INTEGER,
  161. * -- - the randomly-generated INTEGER A (above)
  162. * -- sender GeneralName
  163. * -- - the sender's name (as included in PKIHeader)
  164. * -- }
  165. * }
  166. */
  167. typedef struct ossl_cmp_challenge_st {
  168. X509_ALGOR *owf;
  169. ASN1_OCTET_STRING *witness;
  170. ASN1_OCTET_STRING *challenge;
  171. } OSSL_CMP_CHALLENGE;
  172. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
  173. /*-
  174. * CAKeyUpdAnnContent ::= SEQUENCE {
  175. * oldWithNew Certificate,
  176. * newWithOld Certificate,
  177. * newWithNew Certificate
  178. * }
  179. */
  180. typedef struct ossl_cmp_cakeyupdanncontent_st {
  181. X509 *oldWithNew;
  182. X509 *newWithOld;
  183. X509 *newWithNew;
  184. } OSSL_CMP_CAKEYUPDANNCONTENT;
  185. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
  186. /*-
  187. * declared already here as it will be used in OSSL_CMP_MSG (nested) and
  188. * infoType and infoValue
  189. */
  190. typedef STACK_OF(OSSL_CMP_MSG) OSSL_CMP_MSGS;
  191. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS)
  192. /*-
  193. * InfoTypeAndValue ::= SEQUENCE {
  194. * infoType OBJECT IDENTIFIER,
  195. * infoValue ANY DEFINED BY infoType OPTIONAL
  196. * }
  197. */
  198. struct ossl_cmp_itav_st {
  199. ASN1_OBJECT *infoType;
  200. union {
  201. char *ptr;
  202. /* NID_id_it_caProtEncCert - CA Protocol Encryption Certificate */
  203. X509 *caProtEncCert;
  204. /* NID_id_it_signKeyPairTypes - Signing Key Pair Types */
  205. STACK_OF(X509_ALGOR) *signKeyPairTypes;
  206. /* NID_id_it_encKeyPairTypes - Encryption/Key Agreement Key Pair Types */
  207. STACK_OF(X509_ALGOR) *encKeyPairTypes;
  208. /* NID_id_it_preferredSymmAlg - Preferred Symmetric Algorithm */
  209. X509_ALGOR *preferredSymmAlg;
  210. /* NID_id_it_caKeyUpdateInfo - Updated CA Key Pair */
  211. OSSL_CMP_CAKEYUPDANNCONTENT *caKeyUpdateInfo;
  212. /* NID_id_it_currentCRL - CRL */
  213. X509_CRL *currentCRL;
  214. /* NID_id_it_unsupportedOIDs - Unsupported Object Identifiers */
  215. STACK_OF(ASN1_OBJECT) *unsupportedOIDs;
  216. /* NID_id_it_keyPairParamReq - Key Pair Parameters Request */
  217. ASN1_OBJECT *keyPairParamReq;
  218. /* NID_id_it_keyPairParamRep - Key Pair Parameters Response */
  219. X509_ALGOR *keyPairParamRep;
  220. /* NID_id_it_revPassphrase - Revocation Passphrase */
  221. OSSL_CRMF_ENCRYPTEDVALUE *revPassphrase;
  222. /* NID_id_it_implicitConfirm - ImplicitConfirm */
  223. ASN1_NULL *implicitConfirm;
  224. /* NID_id_it_confirmWaitTime - ConfirmWaitTime */
  225. ASN1_GENERALIZEDTIME *confirmWaitTime;
  226. /* NID_id_it_origPKIMessage - origPKIMessage */
  227. OSSL_CMP_MSGS *origPKIMessage;
  228. /* NID_id_it_suppLangTags - Supported Language Tags */
  229. STACK_OF(ASN1_UTF8STRING) *suppLangTagsValue;
  230. /* this is to be used for so far undeclared objects */
  231. ASN1_TYPE *other;
  232. } infoValue;
  233. } /* OSSL_CMP_ITAV */;
  234. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
  235. typedef struct ossl_cmp_certorenccert_st {
  236. int type;
  237. union {
  238. X509 *certificate;
  239. OSSL_CRMF_ENCRYPTEDVALUE *encryptedCert;
  240. } value;
  241. } OSSL_CMP_CERTORENCCERT;
  242. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
  243. /*-
  244. * CertifiedKeyPair ::= SEQUENCE {
  245. * certOrEncCert CertOrEncCert,
  246. * privateKey [0] EncryptedValue OPTIONAL,
  247. * -- see [CRMF] for comment on encoding
  248. * publicationInfo [1] PKIPublicationInfo OPTIONAL
  249. * }
  250. */
  251. typedef struct ossl_cmp_certifiedkeypair_st {
  252. OSSL_CMP_CERTORENCCERT *certOrEncCert;
  253. OSSL_CRMF_ENCRYPTEDVALUE *privateKey;
  254. OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo;
  255. } OSSL_CMP_CERTIFIEDKEYPAIR;
  256. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
  257. /*-
  258. * PKIStatusInfo ::= SEQUENCE {
  259. * status PKIStatus,
  260. * statusString PKIFreeText OPTIONAL,
  261. * failInfo PKIFailureInfo OPTIONAL
  262. * }
  263. */
  264. struct ossl_cmp_pkisi_st {
  265. OSSL_CMP_PKISTATUS *status;
  266. OSSL_CMP_PKIFREETEXT *statusString;
  267. OSSL_CMP_PKIFAILUREINFO *failInfo;
  268. } /* OSSL_CMP_PKISI */;
  269. /*-
  270. * RevReqContent ::= SEQUENCE OF RevDetails
  271. *
  272. * RevDetails ::= SEQUENCE {
  273. * certDetails CertTemplate,
  274. * crlEntryDetails Extensions OPTIONAL
  275. * }
  276. */
  277. struct ossl_cmp_revdetails_st {
  278. OSSL_CRMF_CERTTEMPLATE *certDetails;
  279. X509_EXTENSIONS *crlEntryDetails;
  280. } /* OSSL_CMP_REVDETAILS */;
  281. typedef struct ossl_cmp_revdetails_st OSSL_CMP_REVDETAILS;
  282. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS)
  283. DEFINE_STACK_OF(OSSL_CMP_REVDETAILS)
  284. /*-
  285. * RevRepContent ::= SEQUENCE {
  286. * status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
  287. * -- in same order as was sent in RevReqContent
  288. * revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId
  289. * OPTIONAL,
  290. * -- IDs for which revocation was requested
  291. * -- (same order as status)
  292. * crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList
  293. * OPTIONAL
  294. * -- the resulting CRLs (there may be more than one)
  295. * }
  296. */
  297. struct ossl_cmp_revrepcontent_st {
  298. STACK_OF(OSSL_CMP_PKISI) *status;
  299. STACK_OF(OSSL_CRMF_CERTID) *revCerts;
  300. STACK_OF(X509_CRL) *crls;
  301. } /* OSSL_CMP_REVREPCONTENT */;
  302. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
  303. /*-
  304. * KeyRecRepContent ::= SEQUENCE {
  305. * status PKIStatusInfo,
  306. * newSigCert [0] Certificate OPTIONAL,
  307. * caCerts [1] SEQUENCE SIZE (1..MAX) OF
  308. * Certificate OPTIONAL,
  309. * keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
  310. * CertifiedKeyPair OPTIONAL
  311. * }
  312. */
  313. typedef struct ossl_cmp_keyrecrepcontent_st {
  314. OSSL_CMP_PKISI *status;
  315. X509 *newSigCert;
  316. STACK_OF(X509) *caCerts;
  317. STACK_OF(OSSL_CMP_CERTIFIEDKEYPAIR) *keyPairHist;
  318. } OSSL_CMP_KEYRECREPCONTENT;
  319. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
  320. /*-
  321. * ErrorMsgContent ::= SEQUENCE {
  322. * pKIStatusInfo PKIStatusInfo,
  323. * errorCode INTEGER OPTIONAL,
  324. * -- implementation-specific error codes
  325. * errorDetails PKIFreeText OPTIONAL
  326. * -- implementation-specific error details
  327. * }
  328. */
  329. typedef struct ossl_cmp_errormsgcontent_st {
  330. OSSL_CMP_PKISI *pKIStatusInfo;
  331. ASN1_INTEGER *errorCode;
  332. OSSL_CMP_PKIFREETEXT *errorDetails;
  333. } OSSL_CMP_ERRORMSGCONTENT;
  334. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
  335. /*-
  336. * CertConfirmContent ::= SEQUENCE OF CertStatus
  337. *
  338. * CertStatus ::= SEQUENCE {
  339. * certHash OCTET STRING,
  340. * -- the hash of the certificate, using the same hash algorithm
  341. * -- as is used to create and verify the certificate signature
  342. * certReqId INTEGER,
  343. * -- to match this confirmation with the corresponding req/rep
  344. * statusInfo PKIStatusInfo OPTIONAL,
  345. * hashAlg [0] AlgorithmIdentifier OPTIONAL
  346. * }
  347. */
  348. struct ossl_cmp_certstatus_st {
  349. ASN1_OCTET_STRING *certHash;
  350. ASN1_INTEGER *certReqId;
  351. OSSL_CMP_PKISI *statusInfo;
  352. X509_ALGOR *hashAlg; /* 0 */
  353. } /* OSSL_CMP_CERTSTATUS */;
  354. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)
  355. typedef STACK_OF(OSSL_CMP_CERTSTATUS) OSSL_CMP_CERTCONFIRMCONTENT;
  356. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT)
  357. /*-
  358. * CertResponse ::= SEQUENCE {
  359. * certReqId INTEGER,
  360. * -- to match this response with corresponding request (a value
  361. * -- of -1 is to be used if certReqId is not specified in the
  362. * -- corresponding request)
  363. * status PKIStatusInfo,
  364. * certifiedKeyPair CertifiedKeyPair OPTIONAL,
  365. * rspInfo OCTET STRING OPTIONAL
  366. * -- analogous to the id-regInfo-utf8Pairs string defined
  367. * -- for regInfo in CertReqMsg [CRMF]
  368. * }
  369. */
  370. struct ossl_cmp_certresponse_st {
  371. ASN1_INTEGER *certReqId;
  372. OSSL_CMP_PKISI *status;
  373. OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair;
  374. ASN1_OCTET_STRING *rspInfo;
  375. } /* OSSL_CMP_CERTRESPONSE */;
  376. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
  377. /*-
  378. * CertRepMessage ::= SEQUENCE {
  379. * caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
  380. * OPTIONAL,
  381. * response SEQUENCE OF CertResponse
  382. * }
  383. */
  384. struct ossl_cmp_certrepmessage_st {
  385. STACK_OF(X509) *caPubs;
  386. STACK_OF(OSSL_CMP_CERTRESPONSE) *response;
  387. } /* OSSL_CMP_CERTREPMESSAGE */;
  388. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
  389. /*-
  390. * PollReqContent ::= SEQUENCE OF SEQUENCE {
  391. * certReqId INTEGER
  392. * }
  393. */
  394. typedef struct ossl_cmp_pollreq_st {
  395. ASN1_INTEGER *certReqId;
  396. } OSSL_CMP_POLLREQ;
  397. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
  398. DEFINE_STACK_OF(OSSL_CMP_POLLREQ)
  399. typedef STACK_OF(OSSL_CMP_POLLREQ) OSSL_CMP_POLLREQCONTENT;
  400. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQCONTENT)
  401. /*-
  402. * PollRepContent ::= SEQUENCE OF SEQUENCE {
  403. * certReqId INTEGER,
  404. * checkAfter INTEGER, -- time in seconds
  405. * reason PKIFreeText OPTIONAL
  406. * }
  407. */
  408. struct ossl_cmp_pollrep_st {
  409. ASN1_INTEGER *certReqId;
  410. ASN1_INTEGER *checkAfter;
  411. OSSL_CMP_PKIFREETEXT *reason;
  412. } /* OSSL_CMP_POLLREP */;
  413. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREP)
  414. DEFINE_STACK_OF(OSSL_CMP_POLLREP)
  415. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT)
  416. /*-
  417. * PKIHeader ::= SEQUENCE {
  418. * pvno INTEGER { cmp1999(1), cmp2000(2), cmp2021(3) },
  419. * sender GeneralName,
  420. * -- identifies the sender
  421. * recipient GeneralName,
  422. * -- identifies the intended recipient
  423. * messageTime [0] GeneralizedTime OPTIONAL,
  424. * -- time of production of this message (used when sender
  425. * -- believes that the transport will be "suitable"; i.e.,
  426. * -- that the time will still be meaningful upon receipt)
  427. * protectionAlg [1] AlgorithmIdentifier OPTIONAL,
  428. * -- algorithm used for calculation of protection bits
  429. * senderKID [2] KeyIdentifier OPTIONAL,
  430. * recipKID [3] KeyIdentifier OPTIONAL,
  431. * -- to identify specific keys used for protection
  432. * transactionID [4] OCTET STRING OPTIONAL,
  433. * -- identifies the transaction; i.e., this will be the same in
  434. * -- corresponding request, response, certConf, and PKIConf
  435. * -- messages
  436. * senderNonce [5] OCTET STRING OPTIONAL,
  437. * recipNonce [6] OCTET STRING OPTIONAL,
  438. * -- nonces used to provide replay protection, senderNonce
  439. * -- is inserted by the creator of this message; recipNonce
  440. * -- is a nonce previously inserted in a related message by
  441. * -- the intended recipient of this message
  442. * freeText [7] PKIFreeText OPTIONAL,
  443. * -- this may be used to indicate context-specific instructions
  444. * -- (this field is intended for human consumption)
  445. * generalInfo [8] SEQUENCE SIZE (1..MAX) OF
  446. * InfoTypeAndValue OPTIONAL
  447. * -- this may be used to convey context-specific information
  448. * -- (this field not primarily intended for human consumption)
  449. * }
  450. */
  451. struct ossl_cmp_pkiheader_st {
  452. ASN1_INTEGER *pvno;
  453. GENERAL_NAME *sender;
  454. GENERAL_NAME *recipient;
  455. ASN1_GENERALIZEDTIME *messageTime; /* 0 */
  456. X509_ALGOR *protectionAlg; /* 1 */
  457. ASN1_OCTET_STRING *senderKID; /* 2 */
  458. ASN1_OCTET_STRING *recipKID; /* 3 */
  459. ASN1_OCTET_STRING *transactionID; /* 4 */
  460. ASN1_OCTET_STRING *senderNonce; /* 5 */
  461. ASN1_OCTET_STRING *recipNonce; /* 6 */
  462. OSSL_CMP_PKIFREETEXT *freeText; /* 7 */
  463. STACK_OF(OSSL_CMP_ITAV) *generalInfo; /* 8 */
  464. } /* OSSL_CMP_PKIHEADER */;
  465. typedef STACK_OF(OSSL_CMP_CHALLENGE) OSSL_CMP_POPODECKEYCHALLCONTENT;
  466. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYCHALLCONTENT)
  467. typedef STACK_OF(ASN1_INTEGER) OSSL_CMP_POPODECKEYRESPCONTENT;
  468. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYRESPCONTENT)
  469. typedef STACK_OF(OSSL_CMP_REVDETAILS) OSSL_CMP_REVREQCONTENT;
  470. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREQCONTENT)
  471. typedef STACK_OF(X509_CRL) OSSL_CMP_CRLANNCONTENT;
  472. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CRLANNCONTENT)
  473. typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENMSGCONTENT;
  474. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENMSGCONTENT)
  475. typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENREPCONTENT;
  476. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENREPCONTENT)
  477. /*-
  478. * PKIBody ::= CHOICE { -- message-specific body elements
  479. * ir [0] CertReqMessages, --Initialization Request
  480. * ip [1] CertRepMessage, --Initialization Response
  481. * cr [2] CertReqMessages, --Certification Request
  482. * cp [3] CertRepMessage, --Certification Response
  483. * p10cr [4] CertificationRequest, --imported from [PKCS10]
  484. * popdecc [5] POPODecKeyChallContent, --pop Challenge
  485. * popdecr [6] POPODecKeyRespContent, --pop Response
  486. * kur [7] CertReqMessages, --Key Update Request
  487. * kup [8] CertRepMessage, --Key Update Response
  488. * krr [9] CertReqMessages, --Key Recovery Request
  489. * krp [10] KeyRecRepContent, --Key Recovery Response
  490. * rr [11] RevReqContent, --Revocation Request
  491. * rp [12] RevRepContent, --Revocation Response
  492. * ccr [13] CertReqMessages, --Cross-Cert. Request
  493. * ccp [14] CertRepMessage, --Cross-Cert. Response
  494. * ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann.
  495. * cann [16] CertAnnContent, --Certificate Ann.
  496. * rann [17] RevAnnContent, --Revocation Ann.
  497. * crlann [18] CRLAnnContent, --CRL Announcement
  498. * pkiconf [19] PKIConfirmContent, --Confirmation
  499. * nested [20] NestedMessageContent, --Nested Message
  500. * genm [21] GenMsgContent, --General Message
  501. * genp [22] GenRepContent, --General Response
  502. * error [23] ErrorMsgContent, --Error Message
  503. * certConf [24] CertConfirmContent, --Certificate confirm
  504. * pollReq [25] PollReqContent, --Polling request
  505. * pollRep [26] PollRepContent --Polling response
  506. * }
  507. */
  508. typedef struct ossl_cmp_pkibody_st {
  509. int type;
  510. union {
  511. OSSL_CRMF_MSGS *ir; /* 0 */
  512. OSSL_CMP_CERTREPMESSAGE *ip; /* 1 */
  513. OSSL_CRMF_MSGS *cr; /* 2 */
  514. OSSL_CMP_CERTREPMESSAGE *cp; /* 3 */
  515. /*-
  516. * p10cr [4] CertificationRequest, --imported from [PKCS10]
  517. *
  518. * PKCS10_CERTIFICATIONREQUEST is effectively X509_REQ
  519. * so it is used directly
  520. */
  521. X509_REQ *p10cr; /* 4 */
  522. /*-
  523. * popdecc [5] POPODecKeyChallContent, --pop Challenge
  524. *
  525. * POPODecKeyChallContent ::= SEQUENCE OF Challenge
  526. */
  527. OSSL_CMP_POPODECKEYCHALLCONTENT *popdecc; /* 5 */
  528. /*-
  529. * popdecr [6] POPODecKeyRespContent, --pop Response
  530. *
  531. * POPODecKeyRespContent ::= SEQUENCE OF INTEGER
  532. */
  533. OSSL_CMP_POPODECKEYRESPCONTENT *popdecr; /* 6 */
  534. OSSL_CRMF_MSGS *kur; /* 7 */
  535. OSSL_CMP_CERTREPMESSAGE *kup; /* 8 */
  536. OSSL_CRMF_MSGS *krr; /* 9 */
  537. /*-
  538. * krp [10] KeyRecRepContent, --Key Recovery Response
  539. */
  540. OSSL_CMP_KEYRECREPCONTENT *krp; /* 10 */
  541. /*-
  542. * rr [11] RevReqContent, --Revocation Request
  543. */
  544. OSSL_CMP_REVREQCONTENT *rr; /* 11 */
  545. /*-
  546. * rp [12] RevRepContent, --Revocation Response
  547. */
  548. OSSL_CMP_REVREPCONTENT *rp; /* 12 */
  549. /*-
  550. * ccr [13] CertReqMessages, --Cross-Cert. Request
  551. */
  552. OSSL_CRMF_MSGS *ccr; /* 13 */
  553. /*-
  554. * ccp [14] CertRepMessage, --Cross-Cert. Response
  555. */
  556. OSSL_CMP_CERTREPMESSAGE *ccp; /* 14 */
  557. /*-
  558. * ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann.
  559. */
  560. OSSL_CMP_CAKEYUPDANNCONTENT *ckuann; /* 15 */
  561. /*-
  562. * cann [16] CertAnnContent, --Certificate Ann.
  563. * OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly
  564. */
  565. X509 *cann; /* 16 */
  566. /*-
  567. * rann [17] RevAnnContent, --Revocation Ann.
  568. */
  569. OSSL_CMP_REVANNCONTENT *rann; /* 17 */
  570. /*-
  571. * crlann [18] CRLAnnContent, --CRL Announcement
  572. * CRLAnnContent ::= SEQUENCE OF CertificateList
  573. */
  574. OSSL_CMP_CRLANNCONTENT *crlann; /* 18 */
  575. /*-
  576. * PKIConfirmContent ::= NULL
  577. * pkiconf [19] PKIConfirmContent, --Confirmation
  578. * OSSL_CMP_PKICONFIRMCONTENT would be only a typedef of ASN1_NULL
  579. * OSSL_CMP_CONFIRMCONTENT *pkiconf;
  580. *
  581. * NOTE: this should ASN1_NULL according to the RFC
  582. * but there might be a struct in it when sent from faulty servers...
  583. */
  584. ASN1_TYPE *pkiconf; /* 19 */
  585. /*-
  586. * nested [20] NestedMessageContent, --Nested Message
  587. * NestedMessageContent ::= PKIMessages
  588. */
  589. OSSL_CMP_MSGS *nested; /* 20 */
  590. /*-
  591. * genm [21] GenMsgContent, --General Message
  592. * GenMsgContent ::= SEQUENCE OF InfoTypeAndValue
  593. */
  594. OSSL_CMP_GENMSGCONTENT *genm; /* 21 */
  595. /*-
  596. * genp [22] GenRepContent, --General Response
  597. * GenRepContent ::= SEQUENCE OF InfoTypeAndValue
  598. */
  599. OSSL_CMP_GENREPCONTENT *genp; /* 22 */
  600. /*-
  601. * error [23] ErrorMsgContent, --Error Message
  602. */
  603. OSSL_CMP_ERRORMSGCONTENT *error; /* 23 */
  604. /*-
  605. * certConf [24] CertConfirmContent, --Certificate confirm
  606. */
  607. OSSL_CMP_CERTCONFIRMCONTENT *certConf; /* 24 */
  608. /*-
  609. * pollReq [25] PollReqContent, --Polling request
  610. */
  611. OSSL_CMP_POLLREQCONTENT *pollReq; /* 25 */
  612. /*-
  613. * pollRep [26] PollRepContent --Polling response
  614. */
  615. OSSL_CMP_POLLREPCONTENT *pollRep; /* 26 */
  616. } value;
  617. } OSSL_CMP_PKIBODY;
  618. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
  619. /*-
  620. * PKIProtection ::= BIT STRING
  621. *
  622. * PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage
  623. *
  624. * PKIMessage ::= SEQUENCE {
  625. * header PKIHeader,
  626. * body PKIBody,
  627. * protection [0] PKIProtection OPTIONAL,
  628. * extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
  629. * OPTIONAL
  630. * }
  631. */
  632. struct ossl_cmp_msg_st {
  633. OSSL_CMP_PKIHEADER *header;
  634. OSSL_CMP_PKIBODY *body;
  635. ASN1_BIT_STRING *protection; /* 0 */
  636. /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
  637. STACK_OF(X509) *extraCerts; /* 1 */
  638. OSSL_LIB_CTX *libctx;
  639. char *propq;
  640. } /* OSSL_CMP_MSG */;
  641. OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq);
  642. void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg);
  643. /*-
  644. * ProtectedPart ::= SEQUENCE {
  645. * header PKIHeader,
  646. * body PKIBody
  647. * }
  648. */
  649. typedef struct ossl_cmp_protectedpart_st {
  650. OSSL_CMP_PKIHEADER *header;
  651. OSSL_CMP_PKIBODY *body;
  652. } OSSL_CMP_PROTECTEDPART;
  653. DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PROTECTEDPART)
  654. /*-
  655. * this is not defined here as it is already in CRMF:
  656. * id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13}
  657. * PBMParameter ::= SEQUENCE {
  658. * salt OCTET STRING,
  659. * -- note: implementations MAY wish to limit acceptable sizes
  660. * -- of this string to values appropriate for their environment
  661. * -- in order to reduce the risk of denial-of-service attacks
  662. * owf AlgorithmIdentifier,
  663. * -- AlgId for a One-Way Function (SHA-1 recommended)
  664. * iterationCount INTEGER,
  665. * -- number of times the OWF is applied
  666. * -- note: implementations MAY wish to limit acceptable sizes
  667. * -- of this integer to values appropriate for their environment
  668. * -- in order to reduce the risk of denial-of-service attacks
  669. * mac AlgorithmIdentifier
  670. * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
  671. * } -- or HMAC [RFC2104, RFC2202])
  672. */
  673. /*-
  674. * id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30}
  675. * DHBMParameter ::= SEQUENCE {
  676. * owf AlgorithmIdentifier,
  677. * -- AlgId for a One-Way Function (SHA-1 recommended)
  678. * mac AlgorithmIdentifier
  679. * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
  680. * } -- or HMAC [RFC2104, RFC2202])
  681. */
  682. /*-
  683. * The following is not cared for, because it is described in section 5.2.5
  684. * that this is beyond the scope of CMP
  685. * OOBCert ::= CMPCertificate
  686. *
  687. * OOBCertHash ::= SEQUENCE {
  688. * hashAlg [0] AlgorithmIdentifier OPTIONAL,
  689. * certId [1] CertId OPTIONAL,
  690. * hashVal BIT STRING
  691. * -- hashVal is calculated over the DER encoding of the
  692. * -- self-signed certificate with the identifier certID.
  693. * }
  694. */
  695. /* from cmp_asn.c */
  696. int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a);
  697. /* from cmp_util.c */
  698. const char *ossl_cmp_log_parse_metadata(const char *buf,
  699. OSSL_CMP_severity *level, char **func,
  700. char **file, int *line);
  701. # define ossl_cmp_add_error_data(txt) ERR_add_error_txt(" : ", txt)
  702. # define ossl_cmp_add_error_line(txt) ERR_add_error_txt("\n", txt)
  703. /* The two functions manipulating X509_STORE could be generally useful */
  704. int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
  705. int only_self_issued);
  706. STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store);
  707. int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
  708. const char *text, int len);
  709. int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
  710. const ASN1_OCTET_STRING *src);
  711. int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
  712. const unsigned char *bytes, int len);
  713. /* from cmp_ctx.c */
  714. int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx,
  715. const char *func, const char *file, int line,
  716. const char *level_str, const char *format, ...);
  717. # define ossl_cmp_log(level, ctx, msg) \
  718. ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \
  719. OPENSSL_LINE, #level, "%s", msg)
  720. # define ossl_cmp_log1(level, ctx, fmt, arg1) \
  721. ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \
  722. OPENSSL_LINE, #level, fmt, arg1)
  723. # define ossl_cmp_log2(level, ctx, fmt, arg1, arg2) \
  724. ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \
  725. OPENSSL_LINE, #level, fmt, arg1, arg2)
  726. # define ossl_cmp_log3(level, ctx, fmt, arg1, arg2, arg3) \
  727. ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \
  728. OPENSSL_LINE, #level, fmt, arg1, arg2, arg3)
  729. # define ossl_cmp_log4(level, ctx, fmt, arg1, arg2, arg3, arg4) \
  730. ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \
  731. OPENSSL_LINE, #level, fmt, arg1, arg2, arg3, arg4)
  732. # define OSSL_CMP_LOG_ERROR OSSL_CMP_LOG_ERR
  733. # define OSSL_CMP_LOG_WARN OSSL_CMP_LOG_WARNING
  734. # define ossl_cmp_alert(ctx, msg) ossl_cmp_log(ALERT, ctx, msg)
  735. # define ossl_cmp_err(ctx, msg) ossl_cmp_log(ERROR, ctx, msg)
  736. # define ossl_cmp_warn(ctx, msg) ossl_cmp_log(WARN, ctx, msg)
  737. # define ossl_cmp_info(ctx, msg) ossl_cmp_log(INFO, ctx, msg)
  738. # define ossl_cmp_debug(ctx, msg) ossl_cmp_log(DEBUG, ctx, msg)
  739. # define ossl_cmp_trace(ctx, msg) ossl_cmp_log(TRACE, ctx, msg)
  740. int ossl_cmp_ctx_set1_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert);
  741. int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status);
  742. int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx,
  743. OSSL_CMP_PKIFREETEXT *text);
  744. int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info);
  745. int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert);
  746. int ossl_cmp_ctx_set1_newChain(OSSL_CMP_CTX *ctx, STACK_OF(X509) *newChain);
  747. int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs);
  748. int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
  749. STACK_OF(X509) *extraCertsIn);
  750. int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
  751. const ASN1_OCTET_STRING *nonce);
  752. /* from cmp_status.c */
  753. int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si);
  754. const char *ossl_cmp_PKIStatus_to_string(int status);
  755. OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI *s);
  756. int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si);
  757. int ossl_cmp_pkisi_check_pkifailureinfo(const OSSL_CMP_PKISI *si, int index);
  758. /* from cmp_hdr.c */
  759. int ossl_cmp_hdr_set_pvno(OSSL_CMP_PKIHEADER *hdr, int pvno);
  760. int ossl_cmp_hdr_get_pvno(const OSSL_CMP_PKIHEADER *hdr);
  761. int ossl_cmp_hdr_get_protection_nid(const OSSL_CMP_PKIHEADER *hdr);
  762. ASN1_OCTET_STRING *ossl_cmp_hdr_get0_senderNonce(const OSSL_CMP_PKIHEADER *hdr);
  763. int ossl_cmp_general_name_is_NULL_DN(GENERAL_NAME *name);
  764. int ossl_cmp_hdr_set1_sender(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm);
  765. int ossl_cmp_hdr_set1_recipient(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm);
  766. int ossl_cmp_hdr_update_messageTime(OSSL_CMP_PKIHEADER *hdr);
  767. int ossl_cmp_hdr_set1_senderKID(OSSL_CMP_PKIHEADER *hdr,
  768. const ASN1_OCTET_STRING *senderKID);
  769. int ossl_cmp_hdr_push0_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text);
  770. int ossl_cmp_hdr_push1_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text);
  771. int ossl_cmp_hdr_generalInfo_push0_item(OSSL_CMP_PKIHEADER *hdr,
  772. OSSL_CMP_ITAV *itav);
  773. int ossl_cmp_hdr_generalInfo_push1_items(OSSL_CMP_PKIHEADER *hdr,
  774. const STACK_OF(OSSL_CMP_ITAV) *itavs);
  775. int ossl_cmp_hdr_set_implicitConfirm(OSSL_CMP_PKIHEADER *hdr);
  776. int ossl_cmp_hdr_has_implicitConfirm(const OSSL_CMP_PKIHEADER *hdr);
  777. # define OSSL_CMP_TRANSACTIONID_LENGTH 16
  778. # define OSSL_CMP_SENDERNONCE_LENGTH 16
  779. int ossl_cmp_hdr_set_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr);
  780. int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr);
  781. /* from cmp_msg.c */
  782. /* OSSL_CMP_MSG bodytype ASN.1 choice IDs */
  783. # define OSSL_CMP_PKIBODY_IR 0
  784. # define OSSL_CMP_PKIBODY_IP 1
  785. # define OSSL_CMP_PKIBODY_CR 2
  786. # define OSSL_CMP_PKIBODY_CP 3
  787. # define OSSL_CMP_PKIBODY_P10CR 4
  788. # define OSSL_CMP_PKIBODY_POPDECC 5
  789. # define OSSL_CMP_PKIBODY_POPDECR 6
  790. # define OSSL_CMP_PKIBODY_KUR 7
  791. # define OSSL_CMP_PKIBODY_KUP 8
  792. # define OSSL_CMP_PKIBODY_KRR 9
  793. # define OSSL_CMP_PKIBODY_KRP 10
  794. # define OSSL_CMP_PKIBODY_RR 11
  795. # define OSSL_CMP_PKIBODY_RP 12
  796. # define OSSL_CMP_PKIBODY_CCR 13
  797. # define OSSL_CMP_PKIBODY_CCP 14
  798. # define OSSL_CMP_PKIBODY_CKUANN 15
  799. # define OSSL_CMP_PKIBODY_CANN 16
  800. # define OSSL_CMP_PKIBODY_RANN 17
  801. # define OSSL_CMP_PKIBODY_CRLANN 18
  802. # define OSSL_CMP_PKIBODY_PKICONF 19
  803. # define OSSL_CMP_PKIBODY_NESTED 20
  804. # define OSSL_CMP_PKIBODY_GENM 21
  805. # define OSSL_CMP_PKIBODY_GENP 22
  806. # define OSSL_CMP_PKIBODY_ERROR 23
  807. # define OSSL_CMP_PKIBODY_CERTCONF 24
  808. # define OSSL_CMP_PKIBODY_POLLREQ 25
  809. # define OSSL_CMP_PKIBODY_POLLREP 26
  810. # define OSSL_CMP_PKIBODY_TYPE_MAX OSSL_CMP_PKIBODY_POLLREP
  811. /* certReqId for the first - and so far only - certificate request */
  812. # define OSSL_CMP_CERTREQID 0
  813. /* sequence id for the first - and so far only - revocation request */
  814. # define OSSL_CMP_REVREQSID 0
  815. int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx,
  816. const char *propq);
  817. const char *ossl_cmp_bodytype_to_string(int type);
  818. int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type);
  819. OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype);
  820. OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype,
  821. const OSSL_CRMF_MSG *crm);
  822. OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
  823. int certReqId, const OSSL_CMP_PKISI *si,
  824. X509 *cert, const X509 *encryption_recip,
  825. STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
  826. int unprotectedErrors);
  827. OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx);
  828. OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
  829. const OSSL_CRMF_CERTID *cid,
  830. int unprotectedErrors);
  831. OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx);
  832. OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
  833. int64_t poll_after);
  834. int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav);
  835. int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg,
  836. const STACK_OF(OSSL_CMP_ITAV) *itavs);
  837. OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx);
  838. OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx,
  839. const STACK_OF(OSSL_CMP_ITAV) *itavs);
  840. OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
  841. int64_t errorCode, const char *details,
  842. int unprotected);
  843. int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
  844. ASN1_OCTET_STRING *hash);
  845. OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
  846. const char *text);
  847. OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid);
  848. OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
  849. int64_t poll_after);
  850. OSSL_CMP_PKISI *
  851. ossl_cmp_revrepcontent_get_pkisi(OSSL_CMP_REVREPCONTENT *rrep, int rsid);
  852. OSSL_CRMF_CERTID *ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rc,
  853. int rsid);
  854. OSSL_CMP_POLLREP *
  855. ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc,
  856. int rid);
  857. OSSL_CMP_CERTRESPONSE *
  858. ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
  859. int rid);
  860. X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep,
  861. const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
  862. OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file);
  863. /* from cmp_protect.c */
  864. int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
  865. ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx,
  866. const OSSL_CMP_MSG *msg);
  867. int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
  868. /* from cmp_vfy.c */
  869. typedef int (*ossl_cmp_allow_unprotected_cb_t)(const OSSL_CMP_CTX *ctx,
  870. const OSSL_CMP_MSG *msg,
  871. int invalid_protection, int arg);
  872. int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
  873. ossl_cmp_allow_unprotected_cb_t cb, int cb_arg);
  874. int ossl_cmp_msg_check_received(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
  875. ossl_cmp_allow_unprotected_cb_t cb, int cb_arg);
  876. int ossl_cmp_verify_popo(const OSSL_CMP_CTX *ctx,
  877. const OSSL_CMP_MSG *msg, int accept_RAVerified);
  878. /* from cmp_client.c */
  879. int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int fail_info,
  880. const char *txt);
  881. int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info,
  882. const char *txt, int errorCode, const char *detail);
  883. #endif /* !defined(OSSL_CRYPTO_CMP_LOCAL_H) */