1 | =pod | |
2 | ||
3 | =head1 NAME | |
4 | ||
5 | OSSL_CRMF_MSG_set_validity, | |
6 | OSSL_CRMF_MSG_set_certReqId, | |
7 | OSSL_CRMF_CERTTEMPLATE_fill, | |
8 | OSSL_CRMF_MSG_set0_extensions, | |
9 | OSSL_CRMF_MSG_push0_extension, | |
10 | OSSL_CRMF_MSG_create_popo, | |
11 | OSSL_CRMF_MSGS_verify_popo | |
12 | - functions populating and verifying CRMF CertReqMsg structures | |
13 | ||
14 | =head1 SYNOPSIS | |
15 | ||
16 | #include <openssl/crmf.h> | |
17 | ||
18 | int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to); | |
19 | ||
20 | int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid); | |
21 | ||
22 | int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl, | |
23 | EVP_PKEY *pubkey, | |
24 | const X509_NAME *subject, | |
25 | const X509_NAME *issuer, | |
26 | const ASN1_INTEGER *serial); | |
27 | ||
28 | int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, | |
29 | X509_EXTENSIONS *exts); | |
30 | ||
31 | int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, | |
32 | const X509_EXTENSION *ext); | |
33 | ||
34 | int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey, | |
35 | int dgst, int ppmtd); | |
36 | ||
37 | int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs, | |
38 | int rid, int acceptRAVerified); | |
39 | ||
40 | =head1 DESCRIPTION | |
41 | ||
42 | OSSL_CRMF_MSG_set_validity() sets B<from> as notBefore and B<to> as notAfter | |
43 | in the validity of the certTemplate of B<crm>. | |
44 | ||
45 | OSSL_CRMF_MSG_set_certReqId() sets B<rid> as the certReqId of B<crm>. | |
46 | ||
47 | OSSL_CRMF_CERTTEMPLATE_fill() sets those fields of the certTemplate B<tmpl> | |
48 | for which non-NULL values are provided: B<pubkey>, B<subject>, B<issuer>, | |
49 | and/or B<serial>. | |
50 | On success the reference counter of the B<pubkey> (if given) is incremented, | |
51 | while the B<subject>, B<issuer>, and B<serial> structures (if given) are copied. | |
52 | ||
53 | OSSL_CRMF_MSG_set0_extensions() sets B<exts> as the extensions in the | |
54 | certTemplate of B<crm>. Frees any pre-existing ones and consumes B<exts>. | |
55 | ||
56 | OSSL_CRMF_MSG_push0_extension() pushes the X509 extension B<ext> to the | |
57 | extensions in the certTemplate of B<crm>. Consumes B<ext>. | |
58 | ||
59 | OSSL_CRMF_MSG_create_popo() creates the Proof-of-Possession (POP) for B<pkey> | |
60 | according to the method B<ppmtd> and sets it in B<crm>. In case the method is | |
61 | OSSL_CRMF_POPO_SIGNATURE, the POP signature is computed using the digest B<dgst>. | |
62 | ||
63 | B<ppmtd> can be one of the following: | |
64 | ||
65 | =over 8 | |
66 | ||
67 | =item * OSSL_CRMF_POPO_NONE - RFC 4211, section 4, POP field omitted. | |
68 | The CA/RA must use an out-of-band method to verify the POP. Note that servers may | |
69 | fail in this case, resulting for instance in HTTP error code 500 (Internal error). | |
70 | ||
71 | =item * OSSL_CRMF_POPO_RAVERIFIED - RFC 4211, section 4, explicit indication | |
72 | that the RA has already verified the POP. | |
73 | ||
74 | =item * OSSL_CRMF_POPO_SIGNATURE - RFC 4211, section 4.1, only case 3 is supported | |
75 | so far. | |
76 | ||
77 | =item * OSSL_CRMF_POPO_KEYENC - RFC 4211, section 4.2, only the indirect method | |
78 | (subsequentMessage/enccert) is supported; the | |
79 | challenge-response exchange (challengeResp) is not yet supported. | |
80 | ||
81 | =item * OSSL_CRMF_POPO_KEYAGREE - RFC 4211, section 4.3, not yet supported. | |
82 | ||
83 | =back | |
84 | ||
85 | OSSL_CRMF_MSGS_verify_popo() verifies the Proof-of-Possession of the request with | |
86 | the given B<rid> in the list of B<reqs>. RAVerified is accepted as POP only if B<acceptRAVerified> is nonzero. | |
87 | ||
88 | =head1 RETURN VALUES | |
89 | ||
90 | All functions return 1 on success, 0 on error. | |
91 | ||
92 | =head1 SEE ALSO | |
93 | ||
94 | RFC 4211 | |
95 | ||
96 | =head1 COPYRIGHT | |
97 | ||
98 | Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. | |
99 | ||
100 | Licensed under the Apache License 2.0 (the "License"). You may not use | |
101 | this file except in compliance with the License. You can obtain a copy | |
102 | in the file LICENSE in the source distribution or at | |
103 | L<https://www.openssl.org/source/license.html>. | |
104 | ||
105 | =cut |