[thirdparty/openssl.git] / doc / man3 / OSSL_CRMF_MSG_set_validity.pod

=pod

=head1 NAME

OSSL_CRMF_MSG_set_validity,
OSSL_CRMF_MSG_set_certReqId,
OSSL_CRMF_CERTTEMPLATE_fill,
OSSL_CRMF_MSG_set0_extensions,
OSSL_CRMF_MSG_push0_extension,
OSSL_CRMF_MSG_create_popo,
OSSL_CRMF_MSGS_verify_popo
- functions populating and verifying CRMF CertReqMsg structures

=head1 SYNOPSIS

 #include <openssl/crmf.h>

 int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to);

 int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid);

 int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
                                 EVP_PKEY *pubkey,
                                 const X509_NAME *subject,
                                 const X509_NAME *issuer,
                                 const ASN1_INTEGER *serial);

 int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm,
                                   X509_EXTENSIONS *exts);

 int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
                                   const X509_EXTENSION *ext);

 int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
                               int dgst, int ppmtd);

 int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
                                int rid, int acceptRAVerified);

=head1 DESCRIPTION

OSSL_CRMF_MSG_set_validity() sets B<from> as notBefore and B<to> as notAfter
as the validity in the certTemplate of B<crm>.

OSSL_CRMF_MSG_set_certReqId() sets B<rid> as the certReqId of B<crm>.

OSSL_CRMF_CERTTEMPLATE_fill() sets those fields of the certTemplate B<tmpl>
for which non-NULL values are provided: B<pubkey>, B<subject>, B<issuer>,
and/or B<serial>.
On success the reference counter of the B<pubkey> (if given) is incremented,
while the B<subject>, B<issuer>, and B<serial> structures (if given) are copied.

OSSL_CRMF_MSG_set0_extensions() sets B<exts> as the extensions in the
certTemplate of B<crm>. Frees any pre-existing ones and consumes B<exts>.

OSSL_CRMF_MSG_push0_extension() pushes the X509 extension B<ext> to the
extensions in the certTemplate of B<crm>.  Consumes B<ext>.

OSSL_CRMF_MSG_create_popo() creates and sets the Proof-of-Possession (POP)
according to the method B<ppmtd> for B<pkey> to B<crm>. In case the method is
OSSL_CRMF_POPO_SIGNATURE, POP is calculated using the B<dgst>.

B<ppmtd> can be one of the following:

=over 8

=item * OSSL_CRMF_POPO_NONE       - RFC 4211, section 4, POP field omitted.
CA/RA uses out-of-band method to verify POP. Note that servers may fail in this
case, resulting for instance in HTTP error code 500 (Internal error).

=item * OSSL_CRMF_POPO_RAVERIFIED - RFC 4211, section 4, explicit indication
that the RA has already verified the POP.

=item * OSSL_CRMF_POPO_SIGNATURE  - RFC 4211, section 4.1, only case 3 supported
so far.

=item * OSSL_CRMF_POPO_KEYENC     - RFC 4211, section 4.2, only indirect method
(subsequentMessage/enccert) supported,
challenge-response exchange (challengeResp) not yet supported.

=item * OSSL_CRMF_POPO_KEYAGREE   - RFC 4211, section 4.3, not yet supported.

=back

OSSL_CRMF_MSGS_verify_popo verifies the Proof-of-Possession of the request with
the given B<rid> in the list of B<reqs>. Optionally accepts RAVerified.

=head1 RETURN VALUES

All functions return 1 on success, 0 on error.

=head1 SEE ALSO

RFC 4211

=head1 COPYRIGHT

Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
2a3b52ea DO	1	=pod
	2
	3	=head1 NAME
	4
	5	OSSL_CRMF_MSG_set_validity,
	6	OSSL_CRMF_MSG_set_certReqId,
	7	OSSL_CRMF_CERTTEMPLATE_fill,
	8	OSSL_CRMF_MSG_set0_extensions,
	9	OSSL_CRMF_MSG_push0_extension,
	10	OSSL_CRMF_MSG_create_popo,
	11	OSSL_CRMF_MSGS_verify_popo
	12	- functions populating and verifying CRMF CertReqMsg structures
	13
	14	=head1 SYNOPSIS
	15
	16	#include <openssl/crmf.h>
	17
	18	int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to);
	19
a61b7f2f	20	int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid);
2a3b52ea DO	21
2a3b52ea DO	22	int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
a61b7f2f	23	EVP_PKEY *pubkey,
2a3b52ea DO	24	const X509_NAME *subject,
	25	const X509_NAME *issuer,
	26	const ASN1_INTEGER *serial);
	27
	28	int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm,
	29	X509_EXTENSIONS *exts);
	30
	31	int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
	32	const X509_EXTENSION *ext);
	33
a61b7f2f	34	int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG crm, EVP_PKEY pkey,
2a3b52ea DO	35	int dgst, int ppmtd);
	36
	37	int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
	38	int rid, int acceptRAVerified);
	39
	40	=head1 DESCRIPTION
	41
	42	OSSL_CRMF_MSG_set_validity() sets B<from> as notBefore and B<to> as notAfter
	43	as the validity in the certTemplate of B<crm>.
	44
	45	OSSL_CRMF_MSG_set_certReqId() sets B<rid> as the certReqId of B<crm>.
	46
	47	OSSL_CRMF_CERTTEMPLATE_fill() sets those fields of the certTemplate B<tmpl>
	48	for which non-NULL values are provided: B<pubkey>, B<subject>, B<issuer>,
a61b7f2f DO	49	and/or B<serial>.
	50	On success the reference counter of the B<pubkey> (if given) is incremented,
	51	while the B<subject>, B<issuer>, and B<serial> structures (if given) are copied.
2a3b52ea DO	52
2a3b52ea DO	53	OSSL_CRMF_MSG_set0_extensions() sets B<exts> as the extensions in the
a61b7f2f	54	certTemplate of B<crm>. Frees any pre-existing ones and consumes B<exts>.
2a3b52ea DO	55
	56	OSSL_CRMF_MSG_push0_extension() pushes the X509 extension B<ext> to the
	57	extensions in the certTemplate of B<crm>. Consumes B<ext>.
	58
	59	OSSL_CRMF_MSG_create_popo() creates and sets the Proof-of-Possession (POP)
	60	according to the method B<ppmtd> for B<pkey> to B<crm>. In case the method is
	61	OSSL_CRMF_POPO_SIGNATURE, POP is calculated using the B<dgst>.
	62
	63	B<ppmtd> can be one of the following:
	64
	65	=over 8
	66
	67	=item * OSSL_CRMF_POPO_NONE - RFC 4211, section 4, POP field omitted.
	68	CA/RA uses out-of-band method to verify POP. Note that servers may fail in this
	69	case, resulting for instance in HTTP error code 500 (Internal error).
	70
	71	=item * OSSL_CRMF_POPO_RAVERIFIED - RFC 4211, section 4, explicit indication
	72	that the RA has already verified the POP.
	73
	74	=item * OSSL_CRMF_POPO_SIGNATURE - RFC 4211, section 4.1, only case 3 supported
	75	so far.
	76
	77	=item * OSSL_CRMF_POPO_KEYENC - RFC 4211, section 4.2, only indirect method
	78	(subsequentMessage/enccert) supported,
	79	challenge-response exchange (challengeResp) not yet supported.
	80
	81	=item * OSSL_CRMF_POPO_KEYAGREE - RFC 4211, section 4.3, not yet supported.
	82
	83	=back
	84
	85	OSSL_CRMF_MSGS_verify_popo verifies the Proof-of-Possession of the request with
	86	the given B<rid> in the list of B<reqs>. Optionally accepts RAVerified.
	87
	88	=head1 RETURN VALUES
	89
	90	All functions return 1 on success, 0 on error.
	91
	92	=head1 SEE ALSO
	93
	94	RFC 4211
	95
	96	=head1 COPYRIGHT
	97
8869ad4a	98	Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
2a3b52ea	99
ce9b9964	100	Licensed under the Apache License 2.0 (the "License"). You may not use
2a3b52ea DO	101	this file except in compliance with the License. You can obtain a copy
	102	in the file LICENSE in the source distribution or at
	103	L<https://www.openssl.org/source/license.html>.
	104
	105	=cut