}
if (!setup_certs(opt_srv_untrusted,
"untrusted certificates for mock server", ctx,
- (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted_certs,
- NULL))
+ (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted, NULL))
goto err;
if (opt_rsp_cert == NULL) {
static int setup_verification_ctx(OSSL_CMP_CTX *ctx)
{
if (!setup_certs(opt_untrusted, "untrusted certificates", ctx,
- (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted_certs,
+ (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted,
NULL))
goto err;
*/
static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{
- STACK_OF(X509) *untrusted_certs = OSSL_CMP_CTX_get0_untrusted_certs(ctx);
+ STACK_OF(X509) *untrusted_certs = OSSL_CMP_CTX_get0_untrusted(ctx);
EVP_PKEY *pkey = NULL;
X509_STORE *trust_store = NULL;
SSL_CTX *ssl_ctx;
/*-
* Callback fn validating that the new certificate can be verified, using
* ctx->certConf_cb_arg, which has been initialized using opt_out_trusted, and
- * ctx->untrusted_certs, which at this point already contains ctx->extraCertsIn.
+ * ctx->untrusted, which at this point already contains ctx->extraCertsIn.
* Returns 0 on acceptance, else a bit field reflecting PKIFailureInfo.
* Quoting from RFC 4210 section 5.1. Overall PKI Message:
* The extraCerts field can contain certificates that may be useful to
}
/* Get current list of non-trusted intermediate certs */
-STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx)
+STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return NULL;
}
- return ctx->untrusted_certs;
+ return ctx->untrusted;
}
/*
* Set untrusted certificates for path construction in authentication of
* the CMP server and potentially others (TLS server, newly enrolled cert).
*/
-int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
+int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
{
- STACK_OF(X509) *untrusted_certs;
+ STACK_OF(X509) *untrusted;
if (ctx == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
- if ((untrusted_certs = sk_X509_new_null()) == NULL)
+ if ((untrusted = sk_X509_new_null()) == NULL)
return 0;
- if (X509_add_certs(untrusted_certs, certs,
+ if (X509_add_certs(untrusted, certs,
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) != 1)
goto err;
- sk_X509_pop_free(ctx->untrusted_certs, X509_free);
- ctx->untrusted_certs = untrusted_certs;
+ sk_X509_pop_free(ctx->untrusted, X509_free);
+ ctx->untrusted = untrusted;
return 1;
err:
- sk_X509_pop_free(untrusted_certs, X509_free);
+ sk_X509_pop_free(untrusted, X509_free);
return 0;
}
ctx->msg_timeout = 2 * 60;
- if ((ctx->untrusted_certs = sk_X509_new_null()) == NULL)
+ if ((ctx->untrusted = sk_X509_new_null()) == NULL)
goto err;
ctx->pbm_slen = 16;
X509_free(ctx->validatedSrvCert);
X509_NAME_free(ctx->expected_sender);
X509_STORE_free(ctx->trusted);
- sk_X509_pop_free(ctx->untrusted_certs, X509_free);
+ sk_X509_pop_free(ctx->untrusted, X509_free);
X509_free(ctx->cert);
EVP_PKEY_free(ctx->pkey);
return 0;
}
- if (ctx->untrusted_certs != NULL ?
- !X509_add_certs(ctx->untrusted_certs, candidates,
+ if (ctx->untrusted != NULL ?
+ !X509_add_certs(ctx->untrusted, candidates,
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) :
- !OSSL_CMP_CTX_set1_untrusted_certs(ctx, candidates))
+ !OSSL_CMP_CTX_set1_untrusted(ctx, candidates))
return 0;
ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert");
chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, own_trusted,
- ctx->untrusted_certs, ctx->cert);
+ ctx->untrusted, ctx->cert);
if (chain == NULL) {
CMPerr(0, CMP_R_FAILED_BUILDING_OWN_CHAIN);
return 0;
X509 *validatedSrvCert; /* caches any already validated server cert */
X509_NAME *expected_sender; /* expected sender in header of response */
X509_STORE *trusted; /* trust store maybe w CRLs and cert verify callback */
- STACK_OF(X509) *untrusted_certs; /* untrusted (intermediate) certs */
+ STACK_OF(X509) *untrusted; /* untrusted (intermediate CA) certs */
int ignore_keyusage; /* ignore key usage entry when validating certs */
/*
* permitTAInExtraCertsForIR allows use of root certs in extracerts
| X509_ADD_FLAG_PREPEND))
return 0;
/* if we have untrusted certs, try to add intermediate certs */
- if (ctx->untrusted_certs != NULL) {
+ if (ctx->untrusted != NULL) {
STACK_OF(X509) *chain;
int res;
ossl_cmp_debug(ctx,
"trying to build chain for own CMP signer cert");
chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, NULL,
- ctx->untrusted_certs, ctx->cert);
+ ctx->untrusted, ctx->cert);
res = X509_add_certs(msg->extraCerts, chain,
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
| X509_ADD_FLAG_NO_SS);
/*
* will add ctx->cert followed, if possible, by its chain built
- * from ctx->untrusted_certs, and then ctx->extraCertsOut
+ * from ctx->untrusted, and then ctx->extraCertsOut
*/
} else {
CMPerr(0, CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION);
if ((csc = X509_STORE_CTX_new_with_libctx(ctx->libctx, ctx->propq)) == NULL
|| !X509_STORE_CTX_init(csc, trusted_store,
- cert, ctx->untrusted_certs))
+ cert, ctx->untrusted))
goto err;
valid = X509_verify_cert(csc) > 0;
}
/*-
- * Verify msg trying first ctx->untrusted_certs, which should include extraCerts
+ * Verify msg trying first ctx->untrusted, which should include extraCerts
* at its front, then trying the trusted certs in truststore (if any) of ctx.
* On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
*/
if (check_msg_with_certs(ctx, msg->extraCerts, "extraCerts",
NULL, NULL, msg, mode_3gpp))
return 1;
- if (check_msg_with_certs(ctx, ctx->untrusted_certs, "untrusted certs",
+ if (check_msg_with_certs(ctx, ctx->untrusted, "untrusted certs",
msg->extraCerts, NULL, msg, mode_3gpp))
return 1;
ret = check_msg_with_certs(ctx, trusted,
mode_3gpp ? "self-issued extraCerts"
: "certs in trusted store",
- msg->extraCerts, ctx->untrusted_certs,
+ msg->extraCerts, ctx->untrusted,
msg, mode_3gpp);
sk_X509_pop_free(trusted, X509_free);
}
* Validate the protection of the given PKIMessage using either password-
* based mac (PBM) or a signature algorithm. In the case of signature algorithm,
* the sender certificate can have been pinned by providing it in ctx->srvCert,
- * else it is searched in msg->extraCerts, ctx->untrusted_certs, in ctx->trusted
+ * else it is searched in msg->extraCerts, ctx->untrusted, in ctx->trusted
* (in this order) and is path is validated against ctx->trusted.
* On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
*
/*-
* Check received message (i.e., response by server or request from client)
- * Any msg->extraCerts are prepended to ctx->untrusted_certs.
+ * Any msg->extraCerts are prepended to ctx->untrusted.
*
* Ensures that:
* its sender is of appropriate type (curently only X509_NAME) and
* extraCerts because they do not belong to the protected msg part anyway.
* For efficiency, the extraCerts are prepended so they get used first.
*/
- if (!X509_add_certs(ctx->untrusted_certs, msg->extraCerts,
+ if (!X509_add_certs(ctx->untrusted, msg->extraCerts,
/* this allows self-signed certs */
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
| X509_ADD_FLAG_PREPEND))
* the peer does not need to send them again in the same transaction.
* For efficiency, the extraCerts are prepended so they get used first.
*/
- if (!X509_add_certs(ctx->untrusted_certs, msg->extraCerts,
+ if (!X509_add_certs(ctx->untrusted, msg->extraCerts,
/* this allows self-signed certs */
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
| X509_ADD_FLAG_PREPEND))
OSSL_CMP_CTX_set1_expected_sender,
OSSL_CMP_CTX_set0_trustedStore,
OSSL_CMP_CTX_get0_trustedStore,
-OSSL_CMP_CTX_set1_untrusted_certs,
-OSSL_CMP_CTX_get0_untrusted_certs,
+OSSL_CMP_CTX_set1_untrusted,
+OSSL_CMP_CTX_get0_untrusted,
OSSL_CMP_CTX_set1_cert,
OSSL_CMP_CTX_build_cert_chain,
OSSL_CMP_CTX_set1_pkey,
const X509_NAME *name);
int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store);
X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx);
- int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx,
- STACK_OF(X509) *certs);
- STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx);
+ int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
+ STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx);
/* client authentication: */
int OSSL_CMP_CTX_set1_cert(OSSL_CMP_CTX *ctx, X509 *cert);
OSSL_CMP_CTX_get0_trustedStore() returns a pointer to the currently set
certificate store containing trusted cert etc., or an empty store if unset.
-OSSL_CMP_CTX_set1_untrusted_certs() sets up a list of non-trusted certificates
+OSSL_CMP_CTX_set1_untrusted() sets up a list of non-trusted certificates
of intermediate CAs that may be useful for path construction for the CMP client
certificate, for the TLS client certificate (if any), when verifying
the CMP server certificate, and when verifying newly enrolled certificates.
The reference counts of those certificates handled successfully are increased.
-OSSL_CMP_CTX_get0_untrusted_certs(OSSL_CMP_CTX *ctx) returns a pointer to the
+OSSL_CMP_CTX_get0_untrusted(OSSL_CMP_CTX *ctx) returns a pointer to the
list of untrusted certs, which may be empty if unset.
OSSL_CMP_CTX_set1_cert() sets the certificate used for CMP message protection.
OSSL_CMP_CTX_get_http_cb_arg(),
OSSL_CMP_CTX_get_transfer_cb_arg(),
OSSL_CMP_CTX_get0_trustedStore(),
-OSSL_CMP_CTX_get0_untrusted_certs(),
+OSSL_CMP_CTX_get0_untrusted(),
OSSL_CMP_CTX_get0_newPkey(),
OSSL_CMP_CTX_get_certConf_cb_arg(),
OSSL_CMP_CTX_get0_statusString(),
is preferably the one provided by a call to L<OSSL_CMP_CTX_set1_srvCert(3)>.
If no such sender cert has been pinned then candidate sender certificates are
taken from the list of certificates received in the C<msg> extraCerts, then any
-certificates provided before via L<OSSL_CMP_CTX_set1_untrusted_certs(3)>, and
+certificates provided before via L<OSSL_CMP_CTX_set1_untrusted(3)>, and
then all trusted certificates provided via L<OSSL_CMP_CTX_set0_trustedStore(3)>,
where a candidate is acceptable only if has not expired, its subject DN matches
the C<msg> sender DN (as far as present), and its subject key identifier
int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx, const X509_NAME *name);
int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store);
X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx);
-int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
-STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx);
+int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
+STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx);
/* client authentication: */
int OSSL_CMP_CTX_set1_cert(OSSL_CMP_CTX *ctx, X509 *cert);
int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set0, get0, 0, trustedStore,
X509_STORE *, NULL,
DEFAULT_STORE, X509_STORE_new_1(), X509_STORE_free)
-DEFINE_SET_GET_SK_X509_TEST(OSSL_CMP, CTX, 1, 0, untrusted_certs)
+DEFINE_SET_GET_SK_X509_TEST(OSSL_CMP, CTX, 1, 0, untrusted)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, cert, X509)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, pkey, EVP_PKEY)
ADD_TEST(test_CTX_set0_get0_validatedSrvCert);
ADD_TEST(test_CTX_set1_get0_expected_sender);
ADD_TEST(test_CTX_set0_get0_trustedStore);
- ADD_TEST(test_CTX_set1_get0_untrusted_certs);
+ ADD_TEST(test_CTX_set1_get0_untrusted);
/* client authentication: */
ADD_TEST(test_CTX_set1_get0_cert);
ADD_TEST(test_CTX_set1_get0_pkey);
static int add_untrusted(OSSL_CMP_CTX *ctx, X509 *cert)
{
- return X509_add_cert(OSSL_CMP_CTX_get0_untrusted_certs(ctx), cert,
+ return X509_add_cert(OSSL_CMP_CTX_get0_untrusted(ctx), cert,
X509_ADD_FLAG_UP_REF);
}
OSSL_CMP_CTX_set1_expected_sender ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set0_trustedStore ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get0_trustedStore ? 3_0_0 EXIST::FUNCTION:CMP
-OSSL_CMP_CTX_set1_untrusted_certs ? 3_0_0 EXIST::FUNCTION:CMP
-OSSL_CMP_CTX_get0_untrusted_certs ? 3_0_0 EXIST::FUNCTION:CMP
+OSSL_CMP_CTX_set1_untrusted ? 3_0_0 EXIST::FUNCTION:CMP
+OSSL_CMP_CTX_get0_untrusted ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_cert ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_pkey ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_build_cert_chain ? 3_0_0 EXIST::FUNCTION:CMP