]>
Commit | Line | Data |
---|---|---|
8869ad4a | 1 | /* |
8020d79b | 2 | * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. |
8869ad4a AK |
3 | * Copyright Nokia 2007-2019 |
4 | * Copyright Siemens AG 2015-2019 | |
5 | * | |
6 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
7 | * this file except in compliance with the License. You can obtain a copy | |
8 | * in the file LICENSE in the source distribution or at | |
9 | * https://www.openssl.org/source/license.html | |
8869ad4a AK |
10 | */ |
11 | ||
ae4186b0 DMSP |
12 | #ifndef OSSL_CRYPTO_CMP_LOCAL_H |
13 | # define OSSL_CRYPTO_CMP_LOCAL_H | |
8869ad4a AK |
14 | |
15 | # include "internal/cryptlib.h" | |
16 | ||
17 | # include <openssl/cmp.h> | |
18 | # include <openssl/err.h> | |
19 | ||
20 | /* explicit #includes not strictly needed since implied by the above: */ | |
21 | # include <openssl/crmf.h> | |
50cd4768 | 22 | # include <openssl/types.h> |
8869ad4a AK |
23 | # include <openssl/safestack.h> |
24 | # include <openssl/x509.h> | |
25 | # include <openssl/x509v3.h> | |
daf1300b | 26 | # include "crypto/x509.h" |
8869ad4a | 27 | |
357bfe73 | 28 | # define IS_NULL_DN(name) (X509_NAME_get_entry(name, 0) == NULL) |
dd5fa5f5 | 29 | |
7960dbec DDO |
30 | /* |
31 | * this structure is used to store the context for CMP sessions | |
32 | */ | |
33 | struct ossl_cmp_ctx_st { | |
b4250010 | 34 | OSSL_LIB_CTX *libctx; |
32075a17 | 35 | char *propq; |
7e765f46 | 36 | OSSL_CMP_log_cb_t log_cb; /* log callback for error/debug/etc. output */ |
7960dbec DDO |
37 | OSSL_CMP_severity log_verbosity; /* level of verbosity of log output */ |
38 | ||
39 | /* message transfer */ | |
7e765f46 | 40 | OSSL_CMP_transfer_cb_t transfer_cb; /* default: OSSL_CMP_MSG_http_perform */ |
7960dbec DDO |
41 | void *transfer_cb_arg; /* allows to store optional argument to cb */ |
42 | /* HTTP-based transfer */ | |
19f97fe6 | 43 | OSSL_HTTP_REQ_CTX *http_ctx; |
7960dbec | 44 | char *serverPath; |
4b1fe471 | 45 | char *server; |
7960dbec | 46 | int serverPort; |
afe554c2 DDO |
47 | char *proxy; |
48 | char *no_proxy; | |
19f97fe6 | 49 | int keep_alive; /* persistent connection: 0=no, 1=prefer, 2=require */ |
7e765f46 DDO |
50 | int msg_timeout; /* max seconds to wait for each CMP message round trip */ |
51 | int total_timeout; /* max number of seconds an enrollment may take, incl. */ | |
3dbc5156 | 52 | /* attempts polling for a response if a 'waiting' PKIStatus is received */ |
7960dbec | 53 | time_t end_time; /* session start time + totaltimeout */ |
29f178bd | 54 | OSSL_HTTP_bio_cb_t http_cb; |
7960dbec DDO |
55 | void *http_cb_arg; /* allows to store optional argument to cb */ |
56 | ||
57 | /* server authentication */ | |
235595c4 DDO |
58 | /* |
59 | * unprotectedErrors may be set as workaround for broken server responses: | |
60 | * accept missing or invalid protection of regular error messages, negative | |
61 | * certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf | |
62 | */ | |
63 | int unprotectedErrors; | |
7960dbec DDO |
64 | X509 *srvCert; /* certificate used to identify the server */ |
65 | X509 *validatedSrvCert; /* caches any already validated server cert */ | |
8cc86b81 | 66 | X509_NAME *expected_sender; /* expected sender in header of response */ |
7960dbec | 67 | X509_STORE *trusted; /* trust store maybe w CRLs and cert verify callback */ |
0b86eefd | 68 | STACK_OF(X509) *untrusted; /* untrusted (intermediate CA) certs */ |
7960dbec | 69 | int ignore_keyusage; /* ignore key usage entry when validating certs */ |
235595c4 DDO |
70 | /* |
71 | * permitTAInExtraCertsForIR allows use of root certs in extracerts | |
72 | * when validating message protection; this is used for 3GPP-style E.7 | |
73 | */ | |
74 | int permitTAInExtraCertsForIR; | |
7960dbec DDO |
75 | |
76 | /* client authentication */ | |
77 | int unprotectedSend; /* send unprotected PKI messages */ | |
63f1883d | 78 | X509 *cert; /* protection cert used to identify and sign for MSG_SIG_ALG */ |
a0745e2b | 79 | STACK_OF(X509) *chain; /* (cached) chain of protection cert including it */ |
63f1883d | 80 | EVP_PKEY *pkey; /* the key pair corresponding to cert */ |
1567a821 | 81 | ASN1_OCTET_STRING *referenceValue; /* optional username for MSG_MAC_ALG */ |
7960dbec DDO |
82 | ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */ |
83 | /* PBMParameters for MSG_MAC_ALG */ | |
97e00da9 | 84 | size_t pbm_slen; /* salt length, currently fixed to 16 */ |
6d1f50b5 | 85 | EVP_MD *pbm_owf; /* one-way function (OWF), default: SHA256 */ |
97e00da9 | 86 | int pbm_itercnt; /* OWF iteration count, currently fixed to 500 */ |
7960dbec DDO |
87 | int pbm_mac; /* NID of MAC algorithm, default: HMAC-SHA1 as per RFC 4210 */ |
88 | ||
89 | /* CMP message header and extra certificates */ | |
90 | X509_NAME *recipient; /* to set in recipient in pkiheader */ | |
6d1f50b5 | 91 | EVP_MD *digest; /* digest used in MSG_SIG_ALG and POPO, default SHA256 */ |
7960dbec DDO |
92 | ASN1_OCTET_STRING *transactionID; /* the current transaction ID */ |
93 | ASN1_OCTET_STRING *senderNonce; /* last nonce sent */ | |
94 | ASN1_OCTET_STRING *recipNonce; /* last nonce received */ | |
4dde554c | 95 | ASN1_UTF8STRING *freeText; /* optional string to include each msg */ |
7960dbec DDO |
96 | STACK_OF(OSSL_CMP_ITAV) *geninfo_ITAVs; |
97 | int implicitConfirm; /* set implicitConfirm in IR/KUR/CR messages */ | |
98 | int disableConfirm; /* disable certConf in IR/KUR/CR for broken servers */ | |
99 | STACK_OF(X509) *extraCertsOut; /* to be included in request messages */ | |
100 | ||
101 | /* certificate template */ | |
102 | EVP_PKEY *newPkey; /* explicit new private/public key for cert enrollment */ | |
103 | int newPkey_priv; /* flag indicating if newPkey contains private key */ | |
104 | X509_NAME *issuer; /* issuer name to used in cert template */ | |
105 | int days; /* Number of days new certificates are asked to be valid for */ | |
8cc86b81 | 106 | X509_NAME *subjectName; /* subject name to be used in cert template */ |
7960dbec DDO |
107 | STACK_OF(GENERAL_NAME) *subjectAltNames; /* to add to the cert template */ |
108 | int SubjectAltName_nodefault; | |
109 | int setSubjectAltNameCritical; | |
110 | X509_EXTENSIONS *reqExtensions; /* exts to be added to cert template */ | |
111 | CERTIFICATEPOLICIES *policies; /* policies to be included in extensions */ | |
112 | int setPoliciesCritical; | |
113 | int popoMethod; /* Proof-of-possession mechanism; default: signature */ | |
114 | X509 *oldCert; /* cert to be updated (via KUR) or to be revoked (via RR) */ | |
115 | X509_REQ *p10CSR; /* for P10CR: PKCS#10 CSR to be sent */ | |
116 | ||
117 | /* misc body contents */ | |
118 | int revocationReason; /* revocation reason code to be included in RR */ | |
119 | STACK_OF(OSSL_CMP_ITAV) *genm_ITAVs; /* content of general message */ | |
120 | ||
084d3afd | 121 | /* result returned in responses, so far supporting only one certResponse */ |
7960dbec | 122 | int status; /* PKIStatus of last received IP/CP/KUP/RP/error or -1 */ |
7960dbec DDO |
123 | OSSL_CMP_PKIFREETEXT *statusString; /* of last IP/CP/KUP/RP/error */ |
124 | int failInfoCode; /* failInfoCode of last received IP/CP/KUP/error, or -1 */ | |
7960dbec | 125 | X509 *newCert; /* newly enrolled cert received from the CA */ |
39082af2 | 126 | STACK_OF(X509) *newChain; /* chain of newly enrolled cert received */ |
7960dbec DDO |
127 | STACK_OF(X509) *caPubs; /* CA certs received from server (in IP message) */ |
128 | STACK_OF(X509) *extraCertsIn; /* extraCerts received from server */ | |
129 | ||
130 | /* certificate confirmation */ | |
7e765f46 | 131 | OSSL_CMP_certConf_cb_t certConf_cb; /* callback for app checking new cert */ |
7960dbec DDO |
132 | void *certConf_cb_arg; /* allows to store an argument individual to cb */ |
133 | } /* OSSL_CMP_CTX */; | |
134 | ||
8869ad4a AK |
135 | /* |
136 | * ########################################################################## | |
137 | * ASN.1 DECLARATIONS | |
138 | * ########################################################################## | |
139 | */ | |
140 | ||
141 | /*- | |
142 | * RevAnnContent ::= SEQUENCE { | |
143 | * status PKIStatus, | |
144 | * certId CertId, | |
145 | * willBeRevokedAt GeneralizedTime, | |
146 | * badSinceDate GeneralizedTime, | |
147 | * crlDetails Extensions OPTIONAL | |
148 | * -- extra CRL details (e.g., crl number, reason, location, etc.) | |
149 | * } | |
150 | */ | |
7960dbec | 151 | typedef struct ossl_cmp_revanncontent_st { |
8869ad4a AK |
152 | ASN1_INTEGER *status; |
153 | OSSL_CRMF_CERTID *certId; | |
154 | ASN1_GENERALIZEDTIME *willBeRevokedAt; | |
155 | ASN1_GENERALIZEDTIME *badSinceDate; | |
156 | X509_EXTENSIONS *crlDetails; | |
157 | } OSSL_CMP_REVANNCONTENT; | |
158 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT) | |
159 | ||
160 | /*- | |
161 | * Challenge ::= SEQUENCE { | |
162 | * owf AlgorithmIdentifier OPTIONAL, | |
163 | * | |
164 | * -- MUST be present in the first Challenge; MAY be omitted in | |
165 | * -- any subsequent Challenge in POPODecKeyChallContent (if | |
166 | * -- omitted, then the owf used in the immediately preceding | |
167 | * -- Challenge is to be used). | |
168 | * | |
169 | * witness OCTET STRING, | |
170 | * -- the result of applying the one-way function (owf) to a | |
171 | * -- randomly-generated INTEGER, A. [Note that a different | |
172 | * -- INTEGER MUST be used for each Challenge.] | |
173 | * challenge OCTET STRING | |
174 | * -- the encryption (under the public key for which the cert. | |
175 | * -- request is being made) of Rand, where Rand is specified as | |
176 | * -- Rand ::= SEQUENCE { | |
177 | * -- int INTEGER, | |
178 | * -- - the randomly-generated INTEGER A (above) | |
179 | * -- sender GeneralName | |
180 | * -- - the sender's name (as included in PKIHeader) | |
181 | * -- } | |
182 | * } | |
183 | */ | |
7960dbec | 184 | typedef struct ossl_cmp_challenge_st { |
8869ad4a AK |
185 | X509_ALGOR *owf; |
186 | ASN1_OCTET_STRING *witness; | |
187 | ASN1_OCTET_STRING *challenge; | |
188 | } OSSL_CMP_CHALLENGE; | |
189 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE) | |
190 | ||
191 | /*- | |
192 | * CAKeyUpdAnnContent ::= SEQUENCE { | |
193 | * oldWithNew Certificate, | |
194 | * newWithOld Certificate, | |
195 | * newWithNew Certificate | |
196 | * } | |
197 | */ | |
7960dbec | 198 | typedef struct ossl_cmp_cakeyupdanncontent_st { |
8869ad4a AK |
199 | X509 *oldWithNew; |
200 | X509 *newWithOld; | |
201 | X509 *newWithNew; | |
202 | } OSSL_CMP_CAKEYUPDANNCONTENT; | |
203 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT) | |
204 | ||
205 | /*- | |
206 | * declared already here as it will be used in OSSL_CMP_MSG (nested) and | |
207 | * infoType and infoValue | |
208 | */ | |
209 | typedef STACK_OF(OSSL_CMP_MSG) OSSL_CMP_MSGS; | |
210 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS) | |
211 | ||
212 | /*- | |
213 | * InfoTypeAndValue ::= SEQUENCE { | |
214 | * infoType OBJECT IDENTIFIER, | |
215 | * infoValue ANY DEFINED BY infoType OPTIONAL | |
216 | * } | |
217 | */ | |
7960dbec | 218 | struct ossl_cmp_itav_st { |
8869ad4a AK |
219 | ASN1_OBJECT *infoType; |
220 | union { | |
221 | char *ptr; | |
222 | /* NID_id_it_caProtEncCert - CA Protocol Encryption Certificate */ | |
223 | X509 *caProtEncCert; | |
224 | /* NID_id_it_signKeyPairTypes - Signing Key Pair Types */ | |
225 | STACK_OF(X509_ALGOR) *signKeyPairTypes; | |
226 | /* NID_id_it_encKeyPairTypes - Encryption/Key Agreement Key Pair Types */ | |
227 | STACK_OF(X509_ALGOR) *encKeyPairTypes; | |
228 | /* NID_id_it_preferredSymmAlg - Preferred Symmetric Algorithm */ | |
229 | X509_ALGOR *preferredSymmAlg; | |
230 | /* NID_id_it_caKeyUpdateInfo - Updated CA Key Pair */ | |
231 | OSSL_CMP_CAKEYUPDANNCONTENT *caKeyUpdateInfo; | |
232 | /* NID_id_it_currentCRL - CRL */ | |
233 | X509_CRL *currentCRL; | |
234 | /* NID_id_it_unsupportedOIDs - Unsupported Object Identifiers */ | |
235 | STACK_OF(ASN1_OBJECT) *unsupportedOIDs; | |
236 | /* NID_id_it_keyPairParamReq - Key Pair Parameters Request */ | |
237 | ASN1_OBJECT *keyPairParamReq; | |
238 | /* NID_id_it_keyPairParamRep - Key Pair Parameters Response */ | |
239 | X509_ALGOR *keyPairParamRep; | |
240 | /* NID_id_it_revPassphrase - Revocation Passphrase */ | |
241 | OSSL_CRMF_ENCRYPTEDVALUE *revPassphrase; | |
242 | /* NID_id_it_implicitConfirm - ImplicitConfirm */ | |
243 | ASN1_NULL *implicitConfirm; | |
244 | /* NID_id_it_confirmWaitTime - ConfirmWaitTime */ | |
245 | ASN1_GENERALIZEDTIME *confirmWaitTime; | |
246 | /* NID_id_it_origPKIMessage - origPKIMessage */ | |
247 | OSSL_CMP_MSGS *origPKIMessage; | |
248 | /* NID_id_it_suppLangTags - Supported Language Tags */ | |
249 | STACK_OF(ASN1_UTF8STRING) *suppLangTagsValue; | |
d477484d DDO |
250 | /* NID_id_it_caCerts - CA Certificates */ |
251 | STACK_OF(X509) *caCerts; | |
8869ad4a AK |
252 | /* this is to be used for so far undeclared objects */ |
253 | ASN1_TYPE *other; | |
254 | } infoValue; | |
255 | } /* OSSL_CMP_ITAV */; | |
256 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV) | |
8869ad4a | 257 | |
7960dbec | 258 | typedef struct ossl_cmp_certorenccert_st { |
8869ad4a AK |
259 | int type; |
260 | union { | |
261 | X509 *certificate; | |
262 | OSSL_CRMF_ENCRYPTEDVALUE *encryptedCert; | |
263 | } value; | |
264 | } OSSL_CMP_CERTORENCCERT; | |
265 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT) | |
266 | ||
267 | /*- | |
268 | * CertifiedKeyPair ::= SEQUENCE { | |
269 | * certOrEncCert CertOrEncCert, | |
270 | * privateKey [0] EncryptedValue OPTIONAL, | |
271 | * -- see [CRMF] for comment on encoding | |
272 | * publicationInfo [1] PKIPublicationInfo OPTIONAL | |
273 | * } | |
274 | */ | |
7960dbec | 275 | typedef struct ossl_cmp_certifiedkeypair_st { |
8869ad4a AK |
276 | OSSL_CMP_CERTORENCCERT *certOrEncCert; |
277 | OSSL_CRMF_ENCRYPTEDVALUE *privateKey; | |
278 | OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo; | |
279 | } OSSL_CMP_CERTIFIEDKEYPAIR; | |
280 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR) | |
281 | ||
282 | /*- | |
283 | * PKIStatusInfo ::= SEQUENCE { | |
284 | * status PKIStatus, | |
285 | * statusString PKIFreeText OPTIONAL, | |
286 | * failInfo PKIFailureInfo OPTIONAL | |
287 | * } | |
288 | */ | |
7960dbec | 289 | struct ossl_cmp_pkisi_st { |
8869ad4a AK |
290 | OSSL_CMP_PKISTATUS *status; |
291 | OSSL_CMP_PKIFREETEXT *statusString; | |
292 | OSSL_CMP_PKIFAILUREINFO *failInfo; | |
293 | } /* OSSL_CMP_PKISI */; | |
8869ad4a AK |
294 | |
295 | /*- | |
296 | * RevReqContent ::= SEQUENCE OF RevDetails | |
297 | * | |
298 | * RevDetails ::= SEQUENCE { | |
299 | * certDetails CertTemplate, | |
300 | * crlEntryDetails Extensions OPTIONAL | |
301 | * } | |
302 | */ | |
62dcd2aa | 303 | struct ossl_cmp_revdetails_st { |
8869ad4a AK |
304 | OSSL_CRMF_CERTTEMPLATE *certDetails; |
305 | X509_EXTENSIONS *crlEntryDetails; | |
62dcd2aa DDO |
306 | } /* OSSL_CMP_REVDETAILS */; |
307 | typedef struct ossl_cmp_revdetails_st OSSL_CMP_REVDETAILS; | |
8869ad4a AK |
308 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS) |
309 | DEFINE_STACK_OF(OSSL_CMP_REVDETAILS) | |
310 | ||
311 | /*- | |
312 | * RevRepContent ::= SEQUENCE { | |
313 | * status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo, | |
314 | * -- in same order as was sent in RevReqContent | |
315 | * revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId | |
316 | * OPTIONAL, | |
317 | * -- IDs for which revocation was requested | |
318 | * -- (same order as status) | |
319 | * crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList | |
320 | * OPTIONAL | |
321 | * -- the resulting CRLs (there may be more than one) | |
322 | * } | |
323 | */ | |
7960dbec | 324 | struct ossl_cmp_revrepcontent_st { |
8869ad4a AK |
325 | STACK_OF(OSSL_CMP_PKISI) *status; |
326 | STACK_OF(OSSL_CRMF_CERTID) *revCerts; | |
327 | STACK_OF(X509_CRL) *crls; | |
328 | } /* OSSL_CMP_REVREPCONTENT */; | |
329 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT) | |
330 | ||
331 | /*- | |
332 | * KeyRecRepContent ::= SEQUENCE { | |
333 | * status PKIStatusInfo, | |
334 | * newSigCert [0] Certificate OPTIONAL, | |
335 | * caCerts [1] SEQUENCE SIZE (1..MAX) OF | |
336 | * Certificate OPTIONAL, | |
337 | * keyPairHist [2] SEQUENCE SIZE (1..MAX) OF | |
338 | * CertifiedKeyPair OPTIONAL | |
339 | * } | |
340 | */ | |
7960dbec | 341 | typedef struct ossl_cmp_keyrecrepcontent_st { |
8869ad4a AK |
342 | OSSL_CMP_PKISI *status; |
343 | X509 *newSigCert; | |
344 | STACK_OF(X509) *caCerts; | |
345 | STACK_OF(OSSL_CMP_CERTIFIEDKEYPAIR) *keyPairHist; | |
346 | } OSSL_CMP_KEYRECREPCONTENT; | |
347 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT) | |
348 | ||
349 | /*- | |
350 | * ErrorMsgContent ::= SEQUENCE { | |
351 | * pKIStatusInfo PKIStatusInfo, | |
352 | * errorCode INTEGER OPTIONAL, | |
353 | * -- implementation-specific error codes | |
354 | * errorDetails PKIFreeText OPTIONAL | |
355 | * -- implementation-specific error details | |
356 | * } | |
357 | */ | |
7960dbec | 358 | typedef struct ossl_cmp_errormsgcontent_st { |
8869ad4a AK |
359 | OSSL_CMP_PKISI *pKIStatusInfo; |
360 | ASN1_INTEGER *errorCode; | |
361 | OSSL_CMP_PKIFREETEXT *errorDetails; | |
362 | } OSSL_CMP_ERRORMSGCONTENT; | |
363 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT) | |
364 | ||
365 | /*- | |
366 | * CertConfirmContent ::= SEQUENCE OF CertStatus | |
367 | * | |
368 | * CertStatus ::= SEQUENCE { | |
369 | * certHash OCTET STRING, | |
370 | * -- the hash of the certificate, using the same hash algorithm | |
371 | * -- as is used to create and verify the certificate signature | |
372 | * certReqId INTEGER, | |
373 | * -- to match this confirmation with the corresponding req/rep | |
74107c44 DDO |
374 | * statusInfo PKIStatusInfo OPTIONAL, |
375 | * hashAlg [0] AlgorithmIdentifier OPTIONAL | |
8869ad4a AK |
376 | * } |
377 | */ | |
7960dbec | 378 | struct ossl_cmp_certstatus_st { |
8869ad4a AK |
379 | ASN1_OCTET_STRING *certHash; |
380 | ASN1_INTEGER *certReqId; | |
381 | OSSL_CMP_PKISI *statusInfo; | |
74107c44 | 382 | X509_ALGOR *hashAlg; /* 0 */ |
8869ad4a AK |
383 | } /* OSSL_CMP_CERTSTATUS */; |
384 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS) | |
8869ad4a AK |
385 | typedef STACK_OF(OSSL_CMP_CERTSTATUS) OSSL_CMP_CERTCONFIRMCONTENT; |
386 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT) | |
387 | ||
388 | /*- | |
389 | * CertResponse ::= SEQUENCE { | |
390 | * certReqId INTEGER, | |
391 | * -- to match this response with corresponding request (a value | |
392 | * -- of -1 is to be used if certReqId is not specified in the | |
393 | * -- corresponding request) | |
394 | * status PKIStatusInfo, | |
395 | * certifiedKeyPair CertifiedKeyPair OPTIONAL, | |
396 | * rspInfo OCTET STRING OPTIONAL | |
397 | * -- analogous to the id-regInfo-utf8Pairs string defined | |
398 | * -- for regInfo in CertReqMsg [CRMF] | |
399 | * } | |
400 | */ | |
7960dbec | 401 | struct ossl_cmp_certresponse_st { |
8869ad4a AK |
402 | ASN1_INTEGER *certReqId; |
403 | OSSL_CMP_PKISI *status; | |
404 | OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair; | |
405 | ASN1_OCTET_STRING *rspInfo; | |
406 | } /* OSSL_CMP_CERTRESPONSE */; | |
407 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE) | |
408 | ||
409 | /*- | |
410 | * CertRepMessage ::= SEQUENCE { | |
411 | * caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate | |
412 | * OPTIONAL, | |
413 | * response SEQUENCE OF CertResponse | |
414 | * } | |
415 | */ | |
7960dbec | 416 | struct ossl_cmp_certrepmessage_st { |
8869ad4a AK |
417 | STACK_OF(X509) *caPubs; |
418 | STACK_OF(OSSL_CMP_CERTRESPONSE) *response; | |
419 | } /* OSSL_CMP_CERTREPMESSAGE */; | |
420 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE) | |
421 | ||
422 | /*- | |
423 | * PollReqContent ::= SEQUENCE OF SEQUENCE { | |
424 | * certReqId INTEGER | |
425 | * } | |
426 | */ | |
7960dbec | 427 | typedef struct ossl_cmp_pollreq_st { |
8869ad4a AK |
428 | ASN1_INTEGER *certReqId; |
429 | } OSSL_CMP_POLLREQ; | |
430 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ) | |
431 | DEFINE_STACK_OF(OSSL_CMP_POLLREQ) | |
432 | typedef STACK_OF(OSSL_CMP_POLLREQ) OSSL_CMP_POLLREQCONTENT; | |
433 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQCONTENT) | |
434 | ||
435 | /*- | |
436 | * PollRepContent ::= SEQUENCE OF SEQUENCE { | |
437 | * certReqId INTEGER, | |
438 | * checkAfter INTEGER, -- time in seconds | |
439 | * reason PKIFreeText OPTIONAL | |
440 | * } | |
441 | */ | |
7960dbec | 442 | struct ossl_cmp_pollrep_st { |
8869ad4a AK |
443 | ASN1_INTEGER *certReqId; |
444 | ASN1_INTEGER *checkAfter; | |
445 | OSSL_CMP_PKIFREETEXT *reason; | |
446 | } /* OSSL_CMP_POLLREP */; | |
447 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREP) | |
448 | DEFINE_STACK_OF(OSSL_CMP_POLLREP) | |
449 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT) | |
450 | ||
451 | /*- | |
452 | * PKIHeader ::= SEQUENCE { | |
c4ad4e5b | 453 | * pvno INTEGER { cmp1999(1), cmp2000(2), cmp2021(3) }, |
8869ad4a AK |
454 | * sender GeneralName, |
455 | * -- identifies the sender | |
456 | * recipient GeneralName, | |
457 | * -- identifies the intended recipient | |
458 | * messageTime [0] GeneralizedTime OPTIONAL, | |
459 | * -- time of production of this message (used when sender | |
460 | * -- believes that the transport will be "suitable"; i.e., | |
461 | * -- that the time will still be meaningful upon receipt) | |
462 | * protectionAlg [1] AlgorithmIdentifier OPTIONAL, | |
463 | * -- algorithm used for calculation of protection bits | |
464 | * senderKID [2] KeyIdentifier OPTIONAL, | |
465 | * recipKID [3] KeyIdentifier OPTIONAL, | |
466 | * -- to identify specific keys used for protection | |
467 | * transactionID [4] OCTET STRING OPTIONAL, | |
468 | * -- identifies the transaction; i.e., this will be the same in | |
469 | * -- corresponding request, response, certConf, and PKIConf | |
470 | * -- messages | |
471 | * senderNonce [5] OCTET STRING OPTIONAL, | |
472 | * recipNonce [6] OCTET STRING OPTIONAL, | |
473 | * -- nonces used to provide replay protection, senderNonce | |
474 | * -- is inserted by the creator of this message; recipNonce | |
475 | * -- is a nonce previously inserted in a related message by | |
476 | * -- the intended recipient of this message | |
477 | * freeText [7] PKIFreeText OPTIONAL, | |
478 | * -- this may be used to indicate context-specific instructions | |
479 | * -- (this field is intended for human consumption) | |
480 | * generalInfo [8] SEQUENCE SIZE (1..MAX) OF | |
481 | * InfoTypeAndValue OPTIONAL | |
482 | * -- this may be used to convey context-specific information | |
483 | * -- (this field not primarily intended for human consumption) | |
484 | * } | |
485 | */ | |
7960dbec | 486 | struct ossl_cmp_pkiheader_st { |
8869ad4a AK |
487 | ASN1_INTEGER *pvno; |
488 | GENERAL_NAME *sender; | |
489 | GENERAL_NAME *recipient; | |
490 | ASN1_GENERALIZEDTIME *messageTime; /* 0 */ | |
491 | X509_ALGOR *protectionAlg; /* 1 */ | |
492 | ASN1_OCTET_STRING *senderKID; /* 2 */ | |
493 | ASN1_OCTET_STRING *recipKID; /* 3 */ | |
494 | ASN1_OCTET_STRING *transactionID; /* 4 */ | |
495 | ASN1_OCTET_STRING *senderNonce; /* 5 */ | |
496 | ASN1_OCTET_STRING *recipNonce; /* 6 */ | |
497 | OSSL_CMP_PKIFREETEXT *freeText; /* 7 */ | |
498 | STACK_OF(OSSL_CMP_ITAV) *generalInfo; /* 8 */ | |
499 | } /* OSSL_CMP_PKIHEADER */; | |
500 | ||
501 | typedef STACK_OF(OSSL_CMP_CHALLENGE) OSSL_CMP_POPODECKEYCHALLCONTENT; | |
502 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYCHALLCONTENT) | |
503 | typedef STACK_OF(ASN1_INTEGER) OSSL_CMP_POPODECKEYRESPCONTENT; | |
504 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYRESPCONTENT) | |
505 | typedef STACK_OF(OSSL_CMP_REVDETAILS) OSSL_CMP_REVREQCONTENT; | |
506 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREQCONTENT) | |
507 | typedef STACK_OF(X509_CRL) OSSL_CMP_CRLANNCONTENT; | |
508 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CRLANNCONTENT) | |
509 | typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENMSGCONTENT; | |
510 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENMSGCONTENT) | |
511 | typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENREPCONTENT; | |
512 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENREPCONTENT) | |
513 | ||
514 | /*- | |
515 | * PKIBody ::= CHOICE { -- message-specific body elements | |
516 | * ir [0] CertReqMessages, --Initialization Request | |
517 | * ip [1] CertRepMessage, --Initialization Response | |
518 | * cr [2] CertReqMessages, --Certification Request | |
519 | * cp [3] CertRepMessage, --Certification Response | |
520 | * p10cr [4] CertificationRequest, --imported from [PKCS10] | |
521 | * popdecc [5] POPODecKeyChallContent, --pop Challenge | |
522 | * popdecr [6] POPODecKeyRespContent, --pop Response | |
523 | * kur [7] CertReqMessages, --Key Update Request | |
524 | * kup [8] CertRepMessage, --Key Update Response | |
525 | * krr [9] CertReqMessages, --Key Recovery Request | |
526 | * krp [10] KeyRecRepContent, --Key Recovery Response | |
527 | * rr [11] RevReqContent, --Revocation Request | |
528 | * rp [12] RevRepContent, --Revocation Response | |
529 | * ccr [13] CertReqMessages, --Cross-Cert. Request | |
530 | * ccp [14] CertRepMessage, --Cross-Cert. Response | |
531 | * ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. | |
532 | * cann [16] CertAnnContent, --Certificate Ann. | |
533 | * rann [17] RevAnnContent, --Revocation Ann. | |
534 | * crlann [18] CRLAnnContent, --CRL Announcement | |
535 | * pkiconf [19] PKIConfirmContent, --Confirmation | |
536 | * nested [20] NestedMessageContent, --Nested Message | |
537 | * genm [21] GenMsgContent, --General Message | |
538 | * genp [22] GenRepContent, --General Response | |
539 | * error [23] ErrorMsgContent, --Error Message | |
540 | * certConf [24] CertConfirmContent, --Certificate confirm | |
541 | * pollReq [25] PollReqContent, --Polling request | |
542 | * pollRep [26] PollRepContent --Polling response | |
3dbc5156 | 543 | * } |
8869ad4a | 544 | */ |
7960dbec | 545 | typedef struct ossl_cmp_pkibody_st { |
8869ad4a AK |
546 | int type; |
547 | union { | |
548 | OSSL_CRMF_MSGS *ir; /* 0 */ | |
549 | OSSL_CMP_CERTREPMESSAGE *ip; /* 1 */ | |
550 | OSSL_CRMF_MSGS *cr; /* 2 */ | |
551 | OSSL_CMP_CERTREPMESSAGE *cp; /* 3 */ | |
235595c4 DDO |
552 | /*- |
553 | * p10cr [4] CertificationRequest, --imported from [PKCS10] | |
554 | * | |
8869ad4a AK |
555 | * PKCS10_CERTIFICATIONREQUEST is effectively X509_REQ |
556 | * so it is used directly | |
557 | */ | |
558 | X509_REQ *p10cr; /* 4 */ | |
235595c4 DDO |
559 | /*- |
560 | * popdecc [5] POPODecKeyChallContent, --pop Challenge | |
561 | * | |
562 | * POPODecKeyChallContent ::= SEQUENCE OF Challenge | |
563 | */ | |
8869ad4a | 564 | OSSL_CMP_POPODECKEYCHALLCONTENT *popdecc; /* 5 */ |
235595c4 DDO |
565 | /*- |
566 | * popdecr [6] POPODecKeyRespContent, --pop Response | |
567 | * | |
568 | * POPODecKeyRespContent ::= SEQUENCE OF INTEGER | |
569 | */ | |
8869ad4a AK |
570 | OSSL_CMP_POPODECKEYRESPCONTENT *popdecr; /* 6 */ |
571 | OSSL_CRMF_MSGS *kur; /* 7 */ | |
572 | OSSL_CMP_CERTREPMESSAGE *kup; /* 8 */ | |
573 | OSSL_CRMF_MSGS *krr; /* 9 */ | |
574 | ||
235595c4 DDO |
575 | /*- |
576 | * krp [10] KeyRecRepContent, --Key Recovery Response | |
577 | */ | |
8869ad4a | 578 | OSSL_CMP_KEYRECREPCONTENT *krp; /* 10 */ |
235595c4 DDO |
579 | /*- |
580 | * rr [11] RevReqContent, --Revocation Request | |
581 | */ | |
8869ad4a | 582 | OSSL_CMP_REVREQCONTENT *rr; /* 11 */ |
235595c4 DDO |
583 | /*- |
584 | * rp [12] RevRepContent, --Revocation Response | |
585 | */ | |
8869ad4a | 586 | OSSL_CMP_REVREPCONTENT *rp; /* 12 */ |
235595c4 DDO |
587 | /*- |
588 | * ccr [13] CertReqMessages, --Cross-Cert. Request | |
589 | */ | |
8869ad4a | 590 | OSSL_CRMF_MSGS *ccr; /* 13 */ |
235595c4 DDO |
591 | /*- |
592 | * ccp [14] CertRepMessage, --Cross-Cert. Response | |
593 | */ | |
8869ad4a | 594 | OSSL_CMP_CERTREPMESSAGE *ccp; /* 14 */ |
235595c4 DDO |
595 | /*- |
596 | * ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. | |
597 | */ | |
8869ad4a | 598 | OSSL_CMP_CAKEYUPDANNCONTENT *ckuann; /* 15 */ |
235595c4 DDO |
599 | /*- |
600 | * cann [16] CertAnnContent, --Certificate Ann. | |
601 | * OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly | |
602 | */ | |
603 | X509 *cann; /* 16 */ | |
604 | /*- | |
605 | * rann [17] RevAnnContent, --Revocation Ann. | |
606 | */ | |
8869ad4a | 607 | OSSL_CMP_REVANNCONTENT *rann; /* 17 */ |
235595c4 DDO |
608 | /*- |
609 | * crlann [18] CRLAnnContent, --CRL Announcement | |
610 | * CRLAnnContent ::= SEQUENCE OF CertificateList | |
611 | */ | |
612 | OSSL_CMP_CRLANNCONTENT *crlann; /* 18 */ | |
613 | /*- | |
614 | * PKIConfirmContent ::= NULL | |
615 | * pkiconf [19] PKIConfirmContent, --Confirmation | |
616 | * OSSL_CMP_PKICONFIRMCONTENT would be only a typedef of ASN1_NULL | |
617 | * OSSL_CMP_CONFIRMCONTENT *pkiconf; | |
618 | * | |
8869ad4a AK |
619 | * NOTE: this should ASN1_NULL according to the RFC |
620 | * but there might be a struct in it when sent from faulty servers... | |
621 | */ | |
622 | ASN1_TYPE *pkiconf; /* 19 */ | |
235595c4 DDO |
623 | /*- |
624 | * nested [20] NestedMessageContent, --Nested Message | |
625 | * NestedMessageContent ::= PKIMessages | |
626 | */ | |
8869ad4a | 627 | OSSL_CMP_MSGS *nested; /* 20 */ |
235595c4 DDO |
628 | /*- |
629 | * genm [21] GenMsgContent, --General Message | |
630 | * GenMsgContent ::= SEQUENCE OF InfoTypeAndValue | |
631 | */ | |
8869ad4a | 632 | OSSL_CMP_GENMSGCONTENT *genm; /* 21 */ |
235595c4 DDO |
633 | /*- |
634 | * genp [22] GenRepContent, --General Response | |
635 | * GenRepContent ::= SEQUENCE OF InfoTypeAndValue | |
636 | */ | |
8869ad4a | 637 | OSSL_CMP_GENREPCONTENT *genp; /* 22 */ |
235595c4 DDO |
638 | /*- |
639 | * error [23] ErrorMsgContent, --Error Message | |
640 | */ | |
8869ad4a | 641 | OSSL_CMP_ERRORMSGCONTENT *error; /* 23 */ |
235595c4 DDO |
642 | /*- |
643 | * certConf [24] CertConfirmContent, --Certificate confirm | |
644 | */ | |
8869ad4a | 645 | OSSL_CMP_CERTCONFIRMCONTENT *certConf; /* 24 */ |
235595c4 DDO |
646 | /*- |
647 | * pollReq [25] PollReqContent, --Polling request | |
648 | */ | |
649 | OSSL_CMP_POLLREQCONTENT *pollReq; /* 25 */ | |
650 | /*- | |
651 | * pollRep [26] PollRepContent --Polling response | |
652 | */ | |
653 | OSSL_CMP_POLLREPCONTENT *pollRep; /* 26 */ | |
8869ad4a AK |
654 | } value; |
655 | } OSSL_CMP_PKIBODY; | |
656 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY) | |
657 | ||
658 | /*- | |
659 | * PKIProtection ::= BIT STRING | |
660 | * | |
661 | * PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage | |
662 | * | |
663 | * PKIMessage ::= SEQUENCE { | |
664 | * header PKIHeader, | |
665 | * body PKIBody, | |
666 | * protection [0] PKIProtection OPTIONAL, | |
667 | * extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate | |
668 | * OPTIONAL | |
669 | * } | |
670 | */ | |
7960dbec | 671 | struct ossl_cmp_msg_st { |
8869ad4a AK |
672 | OSSL_CMP_PKIHEADER *header; |
673 | OSSL_CMP_PKIBODY *body; | |
674 | ASN1_BIT_STRING *protection; /* 0 */ | |
675 | /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ | |
676 | STACK_OF(X509) *extraCerts; /* 1 */ | |
c6313780 MC |
677 | OSSL_LIB_CTX *libctx; |
678 | char *propq; | |
8869ad4a | 679 | } /* OSSL_CMP_MSG */; |
c6313780 MC |
680 | OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq); |
681 | void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg); | |
8869ad4a AK |
682 | |
683 | /*- | |
684 | * ProtectedPart ::= SEQUENCE { | |
685 | * header PKIHeader, | |
686 | * body PKIBody | |
687 | * } | |
688 | */ | |
642f60d8 | 689 | typedef struct ossl_cmp_protectedpart_st { |
8869ad4a AK |
690 | OSSL_CMP_PKIHEADER *header; |
691 | OSSL_CMP_PKIBODY *body; | |
642f60d8 DDO |
692 | } OSSL_CMP_PROTECTEDPART; |
693 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PROTECTEDPART) | |
8869ad4a AK |
694 | |
695 | /*- | |
696 | * this is not defined here as it is already in CRMF: | |
697 | * id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13} | |
698 | * PBMParameter ::= SEQUENCE { | |
699 | * salt OCTET STRING, | |
700 | * -- note: implementations MAY wish to limit acceptable sizes | |
701 | * -- of this string to values appropriate for their environment | |
702 | * -- in order to reduce the risk of denial-of-service attacks | |
703 | * owf AlgorithmIdentifier, | |
704 | * -- AlgId for a One-Way Function (SHA-1 recommended) | |
705 | * iterationCount INTEGER, | |
706 | * -- number of times the OWF is applied | |
707 | * -- note: implementations MAY wish to limit acceptable sizes | |
708 | * -- of this integer to values appropriate for their environment | |
709 | * -- in order to reduce the risk of denial-of-service attacks | |
710 | * mac AlgorithmIdentifier | |
711 | * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], | |
712 | * } -- or HMAC [RFC2104, RFC2202]) | |
713 | */ | |
714 | /*- | |
084d3afd | 715 | * Not supported: |
8869ad4a AK |
716 | * id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30} |
717 | * DHBMParameter ::= SEQUENCE { | |
718 | * owf AlgorithmIdentifier, | |
719 | * -- AlgId for a One-Way Function (SHA-1 recommended) | |
720 | * mac AlgorithmIdentifier | |
721 | * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], | |
722 | * } -- or HMAC [RFC2104, RFC2202]) | |
723 | */ | |
724 | /*- | |
725 | * The following is not cared for, because it is described in section 5.2.5 | |
726 | * that this is beyond the scope of CMP | |
727 | * OOBCert ::= CMPCertificate | |
728 | * | |
729 | * OOBCertHash ::= SEQUENCE { | |
730 | * hashAlg [0] AlgorithmIdentifier OPTIONAL, | |
731 | * certId [1] CertId OPTIONAL, | |
732 | * hashVal BIT STRING | |
733 | * -- hashVal is calculated over the DER encoding of the | |
734 | * -- self-signed certificate with the identifier certID. | |
735 | * } | |
736 | */ | |
737 | ||
7960dbec DDO |
738 | /* from cmp_asn.c */ |
739 | int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a); | |
740 | ||
741 | /* from cmp_util.c */ | |
742 | const char *ossl_cmp_log_parse_metadata(const char *buf, | |
743 | OSSL_CMP_severity *level, char **func, | |
744 | char **file, int *line); | |
31b28ad9 DDO |
745 | # define ossl_cmp_add_error_data(txt) ERR_add_error_txt(" : ", txt) |
746 | # define ossl_cmp_add_error_line(txt) ERR_add_error_txt("\n", txt) | |
eeccc237 | 747 | /* The two functions manipulating X509_STORE could be generally useful */ |
7960dbec | 748 | int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs, |
235595c4 | 749 | int only_self_issued); |
62dcd2aa DDO |
750 | STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store); |
751 | int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk, | |
95f8c1e1 | 752 | const char *text, int len); |
7960dbec DDO |
753 | int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt, |
754 | const ASN1_OCTET_STRING *src); | |
755 | int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt, | |
756 | const unsigned char *bytes, int len); | |
7960dbec DDO |
757 | |
758 | /* from cmp_ctx.c */ | |
ebf30069 DDO |
759 | int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx, |
760 | const char *func, const char *file, int line, | |
761 | const char *level_str, const char *format, ...); | |
762 | # define ossl_cmp_log(level, ctx, msg) \ | |
763 | ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \ | |
764 | OPENSSL_LINE, #level, "%s", msg) | |
765 | # define ossl_cmp_log1(level, ctx, fmt, arg1) \ | |
766 | ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \ | |
767 | OPENSSL_LINE, #level, fmt, arg1) | |
768 | # define ossl_cmp_log2(level, ctx, fmt, arg1, arg2) \ | |
769 | ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \ | |
770 | OPENSSL_LINE, #level, fmt, arg1, arg2) | |
771 | # define ossl_cmp_log3(level, ctx, fmt, arg1, arg2, arg3) \ | |
772 | ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \ | |
773 | OPENSSL_LINE, #level, fmt, arg1, arg2, arg3) | |
774 | # define ossl_cmp_log4(level, ctx, fmt, arg1, arg2, arg3, arg4) \ | |
775 | ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \ | |
776 | OPENSSL_LINE, #level, fmt, arg1, arg2, arg3, arg4) | |
777 | # define OSSL_CMP_LOG_ERROR OSSL_CMP_LOG_ERR | |
778 | # define OSSL_CMP_LOG_WARN OSSL_CMP_LOG_WARNING | |
779 | # define ossl_cmp_alert(ctx, msg) ossl_cmp_log(ALERT, ctx, msg) | |
780 | # define ossl_cmp_err(ctx, msg) ossl_cmp_log(ERROR, ctx, msg) | |
781 | # define ossl_cmp_warn(ctx, msg) ossl_cmp_log(WARN, ctx, msg) | |
782 | # define ossl_cmp_info(ctx, msg) ossl_cmp_log(INFO, ctx, msg) | |
783 | # define ossl_cmp_debug(ctx, msg) ossl_cmp_log(DEBUG, ctx, msg) | |
dd5fa5f5 | 784 | # define ossl_cmp_trace(ctx, msg) ossl_cmp_log(TRACE, ctx, msg) |
b6fbef11 | 785 | int ossl_cmp_ctx_set1_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert); |
7960dbec DDO |
786 | int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status); |
787 | int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx, | |
788 | OSSL_CMP_PKIFREETEXT *text); | |
789 | int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info); | |
790 | int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert); | |
39082af2 | 791 | int ossl_cmp_ctx_set1_newChain(OSSL_CMP_CTX *ctx, STACK_OF(X509) *newChain); |
7960dbec DDO |
792 | int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs); |
793 | int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx, | |
794 | STACK_OF(X509) *extraCertsIn); | |
795 | int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx, | |
796 | const ASN1_OCTET_STRING *nonce); | |
e0f1ec3b | 797 | EVP_PKEY *ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX *ctx); |
7960dbec | 798 | |
4dde554c | 799 | /* from cmp_status.c */ |
62dcd2aa | 800 | int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si); |
4dde554c | 801 | const char *ossl_cmp_PKIStatus_to_string(int status); |
143be474 | 802 | OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI *s); |
4dde554c | 803 | int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si); |
62dcd2aa | 804 | int ossl_cmp_pkisi_check_pkifailureinfo(const OSSL_CMP_PKISI *si, int index); |
4dde554c DDO |
805 | |
806 | /* from cmp_hdr.c */ | |
807 | int ossl_cmp_hdr_set_pvno(OSSL_CMP_PKIHEADER *hdr, int pvno); | |
808 | int ossl_cmp_hdr_get_pvno(const OSSL_CMP_PKIHEADER *hdr); | |
12bbcee2 | 809 | int ossl_cmp_hdr_get_protection_nid(const OSSL_CMP_PKIHEADER *hdr); |
4dde554c | 810 | ASN1_OCTET_STRING *ossl_cmp_hdr_get0_senderNonce(const OSSL_CMP_PKIHEADER *hdr); |
cfca56df | 811 | int ossl_cmp_general_name_is_NULL_DN(GENERAL_NAME *name); |
4dde554c DDO |
812 | int ossl_cmp_hdr_set1_sender(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm); |
813 | int ossl_cmp_hdr_set1_recipient(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm); | |
814 | int ossl_cmp_hdr_update_messageTime(OSSL_CMP_PKIHEADER *hdr); | |
815 | int ossl_cmp_hdr_set1_senderKID(OSSL_CMP_PKIHEADER *hdr, | |
816 | const ASN1_OCTET_STRING *senderKID); | |
4dde554c DDO |
817 | int ossl_cmp_hdr_push0_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text); |
818 | int ossl_cmp_hdr_push1_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text); | |
819 | int ossl_cmp_hdr_generalInfo_push0_item(OSSL_CMP_PKIHEADER *hdr, | |
820 | OSSL_CMP_ITAV *itav); | |
821 | int ossl_cmp_hdr_generalInfo_push1_items(OSSL_CMP_PKIHEADER *hdr, | |
62dcd2aa | 822 | const STACK_OF(OSSL_CMP_ITAV) *itavs); |
4dde554c | 823 | int ossl_cmp_hdr_set_implicitConfirm(OSSL_CMP_PKIHEADER *hdr); |
62dcd2aa | 824 | int ossl_cmp_hdr_has_implicitConfirm(const OSSL_CMP_PKIHEADER *hdr); |
4dde554c DDO |
825 | # define OSSL_CMP_TRANSACTIONID_LENGTH 16 |
826 | # define OSSL_CMP_SENDERNONCE_LENGTH 16 | |
143be474 | 827 | int ossl_cmp_hdr_set_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr); |
4dde554c | 828 | int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr); |
7960dbec | 829 | |
3dbc5156 DDO |
830 | /* from cmp_msg.c */ |
831 | /* OSSL_CMP_MSG bodytype ASN.1 choice IDs */ | |
832 | # define OSSL_CMP_PKIBODY_IR 0 | |
833 | # define OSSL_CMP_PKIBODY_IP 1 | |
834 | # define OSSL_CMP_PKIBODY_CR 2 | |
835 | # define OSSL_CMP_PKIBODY_CP 3 | |
836 | # define OSSL_CMP_PKIBODY_P10CR 4 | |
837 | # define OSSL_CMP_PKIBODY_POPDECC 5 | |
838 | # define OSSL_CMP_PKIBODY_POPDECR 6 | |
839 | # define OSSL_CMP_PKIBODY_KUR 7 | |
840 | # define OSSL_CMP_PKIBODY_KUP 8 | |
841 | # define OSSL_CMP_PKIBODY_KRR 9 | |
842 | # define OSSL_CMP_PKIBODY_KRP 10 | |
843 | # define OSSL_CMP_PKIBODY_RR 11 | |
844 | # define OSSL_CMP_PKIBODY_RP 12 | |
845 | # define OSSL_CMP_PKIBODY_CCR 13 | |
846 | # define OSSL_CMP_PKIBODY_CCP 14 | |
847 | # define OSSL_CMP_PKIBODY_CKUANN 15 | |
848 | # define OSSL_CMP_PKIBODY_CANN 16 | |
849 | # define OSSL_CMP_PKIBODY_RANN 17 | |
850 | # define OSSL_CMP_PKIBODY_CRLANN 18 | |
851 | # define OSSL_CMP_PKIBODY_PKICONF 19 | |
852 | # define OSSL_CMP_PKIBODY_NESTED 20 | |
853 | # define OSSL_CMP_PKIBODY_GENM 21 | |
854 | # define OSSL_CMP_PKIBODY_GENP 22 | |
855 | # define OSSL_CMP_PKIBODY_ERROR 23 | |
856 | # define OSSL_CMP_PKIBODY_CERTCONF 24 | |
857 | # define OSSL_CMP_PKIBODY_POLLREQ 25 | |
858 | # define OSSL_CMP_PKIBODY_POLLREP 26 | |
859 | # define OSSL_CMP_PKIBODY_TYPE_MAX OSSL_CMP_PKIBODY_POLLREP | |
62dcd2aa | 860 | /* certReqId for the first - and so far only - certificate request */ |
25b18e62 DDO |
861 | # define OSSL_CMP_CERTREQID 0 |
862 | # define OSSL_CMP_CERTREQID_NONE -1 | |
863 | # define OSSL_CMP_CERTREQID_INVALID -2 | |
62dcd2aa DDO |
864 | /* sequence id for the first - and so far only - revocation request */ |
865 | # define OSSL_CMP_REVREQSID 0 | |
c6313780 MC |
866 | int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx, |
867 | const char *propq); | |
3dbc5156 DDO |
868 | const char *ossl_cmp_bodytype_to_string(int type); |
869 | int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type); | |
3dbc5156 | 870 | OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype); |
299e0f1e DDO |
871 | OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype, |
872 | const OSSL_CRMF_MSG *crm); | |
873 | OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, | |
7b3990e3 DDO |
874 | int certReqId, const OSSL_CMP_PKISI *si, |
875 | X509 *cert, const X509 *encryption_recip, | |
876 | STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, | |
3dbc5156 DDO |
877 | int unprotectedErrors); |
878 | OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx); | |
7b3990e3 DDO |
879 | OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, |
880 | const OSSL_CRMF_CERTID *cid, | |
881 | int unprotectedErrors); | |
3dbc5156 | 882 | OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx); |
62dcd2aa DDO |
883 | OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, |
884 | int64_t poll_after); | |
3dbc5156 DDO |
885 | int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav); |
886 | int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg, | |
62dcd2aa | 887 | const STACK_OF(OSSL_CMP_ITAV) *itavs); |
3dbc5156 | 888 | OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx); |
62dcd2aa DDO |
889 | OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx, |
890 | const STACK_OF(OSSL_CMP_ITAV) *itavs); | |
7b3990e3 | 891 | OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, |
991519ae | 892 | int64_t errorCode, const char *details, |
7b3990e3 | 893 | int unprotected); |
62dcd2aa DDO |
894 | int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus, |
895 | ASN1_OCTET_STRING *hash); | |
25b18e62 DDO |
896 | OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int certReqId, |
897 | int fail_info, const char *text); | |
3dbc5156 DDO |
898 | OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid); |
899 | OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, | |
900 | int64_t poll_after); | |
901 | OSSL_CMP_PKISI * | |
62dcd2aa | 902 | ossl_cmp_revrepcontent_get_pkisi(OSSL_CMP_REVREPCONTENT *rrep, int rsid); |
143be474 | 903 | OSSL_CRMF_CERTID *ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rc, |
235595c4 | 904 | int rsid); |
3dbc5156 DDO |
905 | OSSL_CMP_POLLREP * |
906 | ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc, | |
907 | int rid); | |
908 | OSSL_CMP_CERTRESPONSE * | |
143be474 | 909 | ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm, |
3dbc5156 | 910 | int rid); |
e0f1ec3b DDO |
911 | X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx, |
912 | const OSSL_CMP_CERTRESPONSE *crep); | |
6d1f50b5 | 913 | OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file); |
3dbc5156 DDO |
914 | |
915 | /* from cmp_protect.c */ | |
3dbc5156 | 916 | int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); |
6d1f50b5 DDO |
917 | ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx, |
918 | const OSSL_CMP_MSG *msg); | |
3dbc5156 DDO |
919 | int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); |
920 | ||
31b28ad9 DDO |
921 | /* from cmp_vfy.c */ |
922 | typedef int (*ossl_cmp_allow_unprotected_cb_t)(const OSSL_CMP_CTX *ctx, | |
923 | const OSSL_CMP_MSG *msg, | |
924 | int invalid_protection, int arg); | |
430efff1 DDO |
925 | int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, |
926 | ossl_cmp_allow_unprotected_cb_t cb, int cb_arg); | |
6d1f50b5 DDO |
927 | int ossl_cmp_msg_check_received(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, |
928 | ossl_cmp_allow_unprotected_cb_t cb, int cb_arg); | |
929 | int ossl_cmp_verify_popo(const OSSL_CMP_CTX *ctx, | |
930 | const OSSL_CMP_MSG *msg, int accept_RAVerified); | |
31b28ad9 | 931 | |
7e765f46 | 932 | /* from cmp_client.c */ |
25b18e62 DDO |
933 | int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId, |
934 | int fail_info, const char *txt); | |
7e765f46 | 935 | int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info, |
143be474 | 936 | const char *txt, int errorCode, const char *detail); |
7e765f46 | 937 | |
62dcd2aa | 938 | #endif /* !defined(OSSL_CRYPTO_CMP_LOCAL_H) */ |