[thirdparty/openssl.git] / include / openssl / cmp.h

/*
 * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#ifndef OSSL_HEADER_CMP_H
# define OSSL_HEADER_CMP_H

# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_CMP

#  include <openssl/crmf.h>
#  include <openssl/cmperr.h>
#  include <openssl/cmp_util.h>

/* explicit #includes not strictly needed since implied by the above: */
#  include <openssl/ossl_typ.h>
#  include <openssl/safestack.h>
#  include <openssl/x509.h>
#  include <openssl/x509v3.h>

#  ifdef  __cplusplus
extern "C" {
#  endif

#  define OSSL_CMP_PVNO 2

/*-
 *   PKIFailureInfo ::= BIT STRING {
 *   -- since we can fail in more than one way!
 *   -- More codes may be added in the future if/when required.
 *       badAlg              (0),
 *       -- unrecognized or unsupported Algorithm Identifier
 *       badMessageCheck     (1),
 *       -- integrity check failed (e.g., signature did not verify)
 *       badRequest          (2),
 *       -- transaction not permitted or supported
 *       badTime             (3),
 *       -- messageTime was not sufficiently close to the system time,
 *       -- as defined by local policy
 *       badCertId           (4),
 *       -- no certificate could be found matching the provided criteria
 *       badDataFormat       (5),
 *       -- the data submitted has the wrong format
 *       wrongAuthority      (6),
 *       -- the authority indicated in the request is different from the
 *       -- one creating the response token
 *       incorrectData       (7),
 *       -- the requester's data is incorrect (for notary services)
 *       missingTimeStamp    (8),
 *       -- when the timestamp is missing but should be there
 *       -- (by policy)
 *       badPOP              (9),
 *       -- the proof-of-possession failed
 *       certRevoked         (10),
 *          -- the certificate has already been revoked
 *       certConfirmed       (11),
 *          -- the certificate has already been confirmed
 *       wrongIntegrity      (12),
 *          -- invalid integrity, password based instead of signature or
 *          -- vice versa
 *       badRecipientNonce   (13),
 *          -- invalid recipient nonce, either missing or wrong value
 *       timeNotAvailable    (14),
 *          -- the TSA's time source is not available
 *       unacceptedPolicy    (15),
 *          -- the requested TSA policy is not supported by the TSA.
 *       unacceptedExtension (16),
 *          -- the requested extension is not supported by the TSA.
 *       addInfoNotAvailable (17),
 *          -- the additional information requested could not be
 *          -- understood or is not available
 *       badSenderNonce      (18),
 *          -- invalid sender nonce, either missing or wrong size
 *       badCertTemplate     (19),
 *          -- invalid cert. template or missing mandatory information
 *       signerNotTrusted    (20),
 *          -- signer of the message unknown or not trusted
 *       transactionIdInUse  (21),
 *          -- the transaction identifier is already in use
 *       unsupportedVersion  (22),
 *          -- the version of the message is not supported
 *       notAuthorized       (23),
 *          -- the sender was not authorized to make the preceding
 *          -- request or perform the preceding action
 *       systemUnavail       (24),
 *       -- the request cannot be handled due to system unavailability
 *       systemFailure       (25),
 *       -- the request cannot be handled due to system failure
 *       duplicateCertReq    (26)
 *       -- certificate cannot be issued because a duplicate
 *       -- certificate already exists
 *   }
 */
#  define OSSL_CMP_PKIFAILUREINFO_badAlg 0
#  define OSSL_CMP_PKIFAILUREINFO_badMessageCheck 1
#  define OSSL_CMP_PKIFAILUREINFO_badRequest 2
#  define OSSL_CMP_PKIFAILUREINFO_badTime 3
#  define OSSL_CMP_PKIFAILUREINFO_badCertId 4
#  define OSSL_CMP_PKIFAILUREINFO_badDataFormat 5
#  define OSSL_CMP_PKIFAILUREINFO_wrongAuthority 6
#  define OSSL_CMP_PKIFAILUREINFO_incorrectData 7
#  define OSSL_CMP_PKIFAILUREINFO_missingTimeStamp 8
#  define OSSL_CMP_PKIFAILUREINFO_badPOP 9
#  define OSSL_CMP_PKIFAILUREINFO_certRevoked 10
#  define OSSL_CMP_PKIFAILUREINFO_certConfirmed 11
#  define OSSL_CMP_PKIFAILUREINFO_wrongIntegrity 12
#  define OSSL_CMP_PKIFAILUREINFO_badRecipientNonce 13
#  define OSSL_CMP_PKIFAILUREINFO_timeNotAvailable 14
#  define OSSL_CMP_PKIFAILUREINFO_unacceptedPolicy 15
#  define OSSL_CMP_PKIFAILUREINFO_unacceptedExtension 16
#  define OSSL_CMP_PKIFAILUREINFO_addInfoNotAvailable 17
#  define OSSL_CMP_PKIFAILUREINFO_badSenderNonce 18
#  define OSSL_CMP_PKIFAILUREINFO_badCertTemplate 19
#  define OSSL_CMP_PKIFAILUREINFO_signerNotTrusted 20
#  define OSSL_CMP_PKIFAILUREINFO_transactionIdInUse 21
#  define OSSL_CMP_PKIFAILUREINFO_unsupportedVersion 22
#  define OSSL_CMP_PKIFAILUREINFO_notAuthorized 23
#  define OSSL_CMP_PKIFAILUREINFO_systemUnavail 24
#  define OSSL_CMP_PKIFAILUREINFO_systemFailure 25
#  define OSSL_CMP_PKIFAILUREINFO_duplicateCertReq 26
#  define OSSL_CMP_PKIFAILUREINFO_MAX 26
#  define OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN \
    ( (1<<(OSSL_CMP_PKIFAILUREINFO_MAX+1)) - 1)
#  if OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN > INT_MAX
#   error  CMP_PKIFAILUREINFO_MAX bit pattern does not fit in type int
#  endif

typedef ASN1_BIT_STRING OSSL_CMP_PKIFAILUREINFO;

#  define OSSL_CMP_CTX_FAILINFO_badAlg (1 << 0)
#  define OSSL_CMP_CTX_FAILINFO_badMessageCheck (1 << 1)
#  define OSSL_CMP_CTX_FAILINFO_badRequest (1 << 2)
#  define OSSL_CMP_CTX_FAILINFO_badTime (1 << 3)
#  define OSSL_CMP_CTX_FAILINFO_badCertId (1 << 4)
#  define OSSL_CMP_CTX_FAILINFO_badDataFormat (1 << 5)
#  define OSSL_CMP_CTX_FAILINFO_wrongAuthority (1 << 6)
#  define OSSL_CMP_CTX_FAILINFO_incorrectData (1 << 7)
#  define OSSL_CMP_CTX_FAILINFO_missingTimeStamp (1 << 8)
#  define OSSL_CMP_CTX_FAILINFO_badPOP (1 << 9)
#  define OSSL_CMP_CTX_FAILINFO_certRevoked (1 << 10)
#  define OSSL_CMP_CTX_FAILINFO_certConfirmed (1 << 11)
#  define OSSL_CMP_CTX_FAILINFO_wrongIntegrity (1 << 12)
#  define OSSL_CMP_CTX_FAILINFO_badRecipientNonce (1 << 13)
#  define OSSL_CMP_CTX_FAILINFO_timeNotAvailable (1 << 14)
#  define OSSL_CMP_CTX_FAILINFO_unacceptedPolicy (1 << 15)
#  define OSSL_CMP_CTX_FAILINFO_unacceptedExtension (1 << 16)
#  define OSSL_CMP_CTX_FAILINFO_addInfoNotAvailable (1 << 17)
#  define OSSL_CMP_CTX_FAILINFO_badSenderNonce (1 << 18)
#  define OSSL_CMP_CTX_FAILINFO_badCertTemplate (1 << 19)
#  define OSSL_CMP_CTX_FAILINFO_signerNotTrusted (1 << 20)
#  define OSSL_CMP_CTX_FAILINFO_transactionIdInUse (1 << 21)
#  define OSSL_CMP_CTX_FAILINFO_unsupportedVersion (1 << 22)
#  define OSSL_CMP_CTX_FAILINFO_notAuthorized (1 << 23)
#  define OSSL_CMP_CTX_FAILINFO_systemUnavail (1 << 24)
#  define OSSL_CMP_CTX_FAILINFO_systemFailure (1 << 25)
#  define OSSL_CMP_CTX_FAILINFO_duplicateCertReq (1 << 26)

/*-
 *   PKIStatus ::= INTEGER {
 *       accepted                (0),
 *       -- you got exactly what you asked for
 *       grantedWithMods        (1),
 *       -- you got something like what you asked for; the
 *       -- requester is responsible for ascertaining the differences
 *       rejection              (2),
 *       -- you don't get it, more information elsewhere in the message
 *       waiting                (3),
 *       -- the request body part has not yet been processed; expect to
 *       -- hear more later (note: proper handling of this status
 *       -- response MAY use the polling req/rep PKIMessages specified
 *       -- in Section 5.3.22; alternatively, polling in the underlying
 *       -- transport layer MAY have some utility in this regard)
 *       revocationWarning      (4),
 *       -- this message contains a warning that a revocation is
 *       -- imminent
 *       revocationNotification (5),
 *       -- notification that a revocation has occurred
 *       keyUpdateWarning       (6)
 *       -- update already done for the oldCertId specified in
 *       -- CertReqMsg
 *   }
 */
#  define OSSL_CMP_PKISTATUS_accepted 0
#  define OSSL_CMP_PKISTATUS_grantedWithMods 1
#  define OSSL_CMP_PKISTATUS_rejection 2
#  define OSSL_CMP_PKISTATUS_waiting 3
#  define OSSL_CMP_PKISTATUS_revocationWarning 4
#  define OSSL_CMP_PKISTATUS_revocationNotification 5
#  define OSSL_CMP_PKISTATUS_keyUpdateWarning 6

typedef ASN1_INTEGER OSSL_CMP_PKISTATUS;
DECLARE_ASN1_ITEM(OSSL_CMP_PKISTATUS)

#  define OSSL_CMP_CERTORENCCERT_CERTIFICATE 0
#  define OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT 1

/* data type declarations */
typedef struct ossl_cmp_ctx_st OSSL_CMP_CTX;
typedef struct ossl_cmp_pkiheader_st OSSL_CMP_PKIHEADER;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
typedef struct ossl_cmp_msg_st OSSL_CMP_MSG;
DECLARE_ASN1_ENCODE_FUNCTIONS(OSSL_CMP_MSG, OSSL_CMP_MSG, OSSL_CMP_MSG)
typedef struct ossl_cmp_certstatus_st OSSL_CMP_CERTSTATUS;
DEFINE_STACK_OF(OSSL_CMP_CERTSTATUS)
typedef struct ossl_cmp_itav_st OSSL_CMP_ITAV;
DEFINE_STACK_OF(OSSL_CMP_ITAV)
typedef struct ossl_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT;
typedef struct ossl_cmp_pkisi_st OSSL_CMP_PKISI;
DEFINE_STACK_OF(OSSL_CMP_PKISI)
typedef struct ossl_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE;
DEFINE_STACK_OF(OSSL_CMP_CERTREPMESSAGE)
typedef struct ossl_cmp_pollrep_st OSSL_CMP_POLLREP;
typedef STACK_OF(OSSL_CMP_POLLREP) OSSL_CMP_POLLREPCONTENT;
typedef struct ossl_cmp_certresponse_st OSSL_CMP_CERTRESPONSE;
DEFINE_STACK_OF(OSSL_CMP_CERTRESPONSE)
typedef STACK_OF(ASN1_UTF8STRING) OSSL_CMP_PKIFREETEXT;

/*
 * function DECLARATIONS
 */

/* from cmp_asn.c */
OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value);
void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
                        ASN1_TYPE *value);
ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav);
ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav);
int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
                                   OSSL_CMP_ITAV *itav);
void OSSL_CMP_ITAV_free(OSSL_CMP_ITAV *itav);
void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg);

/* from cmp_ctx.c */
OSSL_CMP_CTX *OSSL_CMP_CTX_new(void);
void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx);
/* various CMP options: */
#  define OSSL_CMP_OPT_LOG_VERBOSITY 0
#  define OSSL_CMP_OPT_MSGTIMEOUT 1
#  define OSSL_CMP_OPT_TOTALTIMEOUT 2
#  define OSSL_CMP_OPT_VALIDITYDAYS 3
#  define OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT 4
#  define OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL 5
#  define OSSL_CMP_OPT_POLICIES_CRITICAL 6
#  define OSSL_CMP_OPT_POPOMETHOD 7
#  define OSSL_CMP_OPT_DIGEST_ALGNID 8
#  define OSSL_CMP_OPT_OWF_ALGNID 9
#  define OSSL_CMP_OPT_MAC_ALGNID 10
#  define OSSL_CMP_OPT_REVOCATION_REASON 11
#  define OSSL_CMP_OPT_IMPLICITCONFIRM 12
#  define OSSL_CMP_OPT_DISABLECONFIRM 13
#  define OSSL_CMP_OPT_UNPROTECTED_SEND 14
#  define OSSL_CMP_OPT_UNPROTECTED_ERRORS 15
#  define OSSL_CMP_OPT_IGNORE_KEYUSAGE 16
#  define OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR 17
int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val);
int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt);
/* CMP-specific callback for logging and outputting the error queue: */
int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_log_cb_t cb);
#define OSSL_CMP_CTX_set_log_verbosity(ctx, level) \
    OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_LOG_VERBOSITY, level)
void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx);
/* message transfer: */
int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path);
int OSSL_CMP_CTX_set1_serverName(OSSL_CMP_CTX *ctx, const char *name);
int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port);
int OSSL_CMP_CTX_set1_proxyName(OSSL_CMP_CTX *ctx, const char *name);
int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port);
#  define OSSL_CMP_DEFAULT_PORT 80
typedef BIO *(*OSSL_cmp_http_cb_t) (OSSL_CMP_CTX *ctx, BIO *hbio,
                                    unsigned long detail);
int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_http_cb_t cb);
int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx);
typedef int (*OSSL_cmp_transfer_cb_t) (OSSL_CMP_CTX *ctx,
                                       const OSSL_CMP_MSG *req,
                                       OSSL_CMP_MSG **res);
int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_transfer_cb_t cb);
int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx);
/* server authentication: */
int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX *ctx, X509 *cert);
int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx, const X509_NAME *name);
int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store);
X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx);
/* client authentication: */
int OSSL_CMP_CTX_set1_clCert(OSSL_CMP_CTX *ctx, X509 *cert);
int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
                                     const unsigned char *ref, int len);
int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
                                  const int len);
/* CMP message header and extra certificates: */
int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name);
int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
                                    STACK_OF(X509) *extraCertsOut);
/* certificate template: */
int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey);
EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv);
int OSSL_CMP_CTX_set1_issuer(OSSL_CMP_CTX *ctx, const X509_NAME *name);
int OSSL_CMP_CTX_set1_subjectName(OSSL_CMP_CTX *ctx, const X509_NAME *name);
int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx, const GENERAL_NAME *name);
int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts);
int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo);
int OSSL_CMP_CTX_set1_oldCert(OSSL_CMP_CTX *ctx, X509 *cert);
int OSSL_CMP_CTX_set1_p10CSR(OSSL_CMP_CTX *ctx, const X509_REQ *csr);
/* misc body contents: */
int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
/* certificate confirmation: */
typedef int (*OSSL_cmp_certConf_cb_t) (OSSL_CMP_CTX *ctx, X509 *cert,
                                       int fail_info, const char **txt);
int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_certConf_cb_t cb);
int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx);
/* result fetching: */
int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx);
OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx);
#  define OSSL_CMP_PKISI_BUFLEN 1024
X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx);
STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx);
STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx);
/* support application-level CMP debugging in cmp.c: */
int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
                                    const ASN1_OCTET_STRING *id);
int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
                                  const ASN1_OCTET_STRING *nonce);

#   ifdef  __cplusplus
}
#   endif
# endif /* !defined OPENSSL_NO_CMP */
#endif /* !defined OSSL_HEADER_CMP_H */
Commit	Line	Data
7960dbec	1	/*
8869ad4a AK	2	* Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
	3	* Copyright Nokia 2007-2019
	4	* Copyright Siemens AG 2015-2019
	5	*
	6	* Licensed under the Apache License 2.0 (the "License"). You may not use
	7	* this file except in compliance with the License. You can obtain a copy
	8	* in the file LICENSE in the source distribution or at
	9	* https://www.openssl.org/source/license.html
8869ad4a AK	10	*/
	11
	12	#ifndef OSSL_HEADER_CMP_H
	13	# define OSSL_HEADER_CMP_H
	14
	15	# include <openssl/opensslconf.h>
	16	# ifndef OPENSSL_NO_CMP
	17
	18	# include <openssl/crmf.h>
	19	# include <openssl/cmperr.h>
7960dbec	20	# include <openssl/cmp_util.h>
8869ad4a AK	21
	22	/* explicit #includes not strictly needed since implied by the above: */
	23	# include <openssl/ossl_typ.h>
	24	# include <openssl/safestack.h>
	25	# include <openssl/x509.h>
	26	# include <openssl/x509v3.h>
	27
	28	# ifdef __cplusplus
	29	extern "C" {
	30	# endif
	31
	32	# define OSSL_CMP_PVNO 2
	33
	34	/*-
	35	* PKIFailureInfo ::= BIT STRING {
	36	* -- since we can fail in more than one way!
	37	* -- More codes may be added in the future if/when required.
	38	* badAlg (0),
	39	* -- unrecognized or unsupported Algorithm Identifier
	40	* badMessageCheck (1),
	41	* -- integrity check failed (e.g., signature did not verify)
	42	* badRequest (2),
	43	* -- transaction not permitted or supported
	44	* badTime (3),
	45	* -- messageTime was not sufficiently close to the system time,
	46	* -- as defined by local policy
	47	* badCertId (4),
	48	* -- no certificate could be found matching the provided criteria
	49	* badDataFormat (5),
	50	* -- the data submitted has the wrong format
	51	* wrongAuthority (6),
	52	* -- the authority indicated in the request is different from the
	53	* -- one creating the response token
	54	* incorrectData (7),
	55	* -- the requester's data is incorrect (for notary services)
	56	* missingTimeStamp (8),
	57	* -- when the timestamp is missing but should be there
	58	* -- (by policy)
	59	* badPOP (9),
	60	* -- the proof-of-possession failed
	61	* certRevoked (10),
	62	* -- the certificate has already been revoked
	63	* certConfirmed (11),
	64	* -- the certificate has already been confirmed
	65	* wrongIntegrity (12),
	66	* -- invalid integrity, password based instead of signature or
	67	* -- vice versa
	68	* badRecipientNonce (13),
	69	* -- invalid recipient nonce, either missing or wrong value
	70	* timeNotAvailable (14),
	71	* -- the TSA's time source is not available
	72	* unacceptedPolicy (15),
	73	* -- the requested TSA policy is not supported by the TSA.
	74	* unacceptedExtension (16),
	75	* -- the requested extension is not supported by the TSA.
	76	* addInfoNotAvailable (17),
	77	* -- the additional information requested could not be
	78	* -- understood or is not available
	79	* badSenderNonce (18),
	80	* -- invalid sender nonce, either missing or wrong size
	81	* badCertTemplate (19),
	82	* -- invalid cert. template or missing mandatory information
	83	* signerNotTrusted (20),
	84	* -- signer of the message unknown or not trusted
85	* transactionIdInUse (21),
86	* -- the transaction identifier is already in use
87	* unsupportedVersion (22),
88	* -- the version of the message is not supported
89	* notAuthorized (23),
90	* -- the sender was not authorized to make the preceding
91	* -- request or perform the preceding action
92	* systemUnavail (24),
93	* -- the request cannot be handled due to system unavailability
94	* systemFailure (25),
95	* -- the request cannot be handled due to system failure
96	* duplicateCertReq (26)
97	* -- certificate cannot be issued because a duplicate
98	* -- certificate already exists
99	* }
100	*/
101	# define OSSL_CMP_PKIFAILUREINFO_badAlg 0
102	# define OSSL_CMP_PKIFAILUREINFO_badMessageCheck 1
103	# define OSSL_CMP_PKIFAILUREINFO_badRequest 2
104	# define OSSL_CMP_PKIFAILUREINFO_badTime 3
105	# define OSSL_CMP_PKIFAILUREINFO_badCertId 4
106	# define OSSL_CMP_PKIFAILUREINFO_badDataFormat 5
107	# define OSSL_CMP_PKIFAILUREINFO_wrongAuthority 6
108	# define OSSL_CMP_PKIFAILUREINFO_incorrectData 7
109	# define OSSL_CMP_PKIFAILUREINFO_missingTimeStamp 8
110	# define OSSL_CMP_PKIFAILUREINFO_badPOP 9
111	# define OSSL_CMP_PKIFAILUREINFO_certRevoked 10
112	# define OSSL_CMP_PKIFAILUREINFO_certConfirmed 11
113	# define OSSL_CMP_PKIFAILUREINFO_wrongIntegrity 12
114	# define OSSL_CMP_PKIFAILUREINFO_badRecipientNonce 13
115	# define OSSL_CMP_PKIFAILUREINFO_timeNotAvailable 14
116	# define OSSL_CMP_PKIFAILUREINFO_unacceptedPolicy 15
117	# define OSSL_CMP_PKIFAILUREINFO_unacceptedExtension 16
118	# define OSSL_CMP_PKIFAILUREINFO_addInfoNotAvailable 17
119	# define OSSL_CMP_PKIFAILUREINFO_badSenderNonce 18
120	# define OSSL_CMP_PKIFAILUREINFO_badCertTemplate 19
121	# define OSSL_CMP_PKIFAILUREINFO_signerNotTrusted 20
122	# define OSSL_CMP_PKIFAILUREINFO_transactionIdInUse 21
123	# define OSSL_CMP_PKIFAILUREINFO_unsupportedVersion 22
124	# define OSSL_CMP_PKIFAILUREINFO_notAuthorized 23
125	# define OSSL_CMP_PKIFAILUREINFO_systemUnavail 24
126	# define OSSL_CMP_PKIFAILUREINFO_systemFailure 25
127	# define OSSL_CMP_PKIFAILUREINFO_duplicateCertReq 26
128	# define OSSL_CMP_PKIFAILUREINFO_MAX 26
129	# define OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN \
130	( (1<<(OSSL_CMP_PKIFAILUREINFO_MAX+1)) - 1)
131	# if OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN > INT_MAX
132	# error CMP_PKIFAILUREINFO_MAX bit pattern does not fit in type int
133	# endif
134
135	typedef ASN1_BIT_STRING OSSL_CMP_PKIFAILUREINFO;
136
137	# define OSSL_CMP_CTX_FAILINFO_badAlg (1 << 0)
138	# define OSSL_CMP_CTX_FAILINFO_badMessageCheck (1 << 1)
139	# define OSSL_CMP_CTX_FAILINFO_badRequest (1 << 2)
140	# define OSSL_CMP_CTX_FAILINFO_badTime (1 << 3)
141	# define OSSL_CMP_CTX_FAILINFO_badCertId (1 << 4)
142	# define OSSL_CMP_CTX_FAILINFO_badDataFormat (1 << 5)
143	# define OSSL_CMP_CTX_FAILINFO_wrongAuthority (1 << 6)
144	# define OSSL_CMP_CTX_FAILINFO_incorrectData (1 << 7)
145	# define OSSL_CMP_CTX_FAILINFO_missingTimeStamp (1 << 8)
146	# define OSSL_CMP_CTX_FAILINFO_badPOP (1 << 9)
147	# define OSSL_CMP_CTX_FAILINFO_certRevoked (1 << 10)
148	# define OSSL_CMP_CTX_FAILINFO_certConfirmed (1 << 11)
149	# define OSSL_CMP_CTX_FAILINFO_wrongIntegrity (1 << 12)
150	# define OSSL_CMP_CTX_FAILINFO_badRecipientNonce (1 << 13)
151	# define OSSL_CMP_CTX_FAILINFO_timeNotAvailable (1 << 14)
152	# define OSSL_CMP_CTX_FAILINFO_unacceptedPolicy (1 << 15)
153	# define OSSL_CMP_CTX_FAILINFO_unacceptedExtension (1 << 16)
154	# define OSSL_CMP_CTX_FAILINFO_addInfoNotAvailable (1 << 17)
155	# define OSSL_CMP_CTX_FAILINFO_badSenderNonce (1 << 18)
156	# define OSSL_CMP_CTX_FAILINFO_badCertTemplate (1 << 19)
157	# define OSSL_CMP_CTX_FAILINFO_signerNotTrusted (1 << 20)
158	# define OSSL_CMP_CTX_FAILINFO_transactionIdInUse (1 << 21)
159	# define OSSL_CMP_CTX_FAILINFO_unsupportedVersion (1 << 22)
160	# define OSSL_CMP_CTX_FAILINFO_notAuthorized (1 << 23)
161	# define OSSL_CMP_CTX_FAILINFO_systemUnavail (1 << 24)
162	# define OSSL_CMP_CTX_FAILINFO_systemFailure (1 << 25)
163	# define OSSL_CMP_CTX_FAILINFO_duplicateCertReq (1 << 26)
164
165	/*-
166	* PKIStatus ::= INTEGER {
167	* accepted (0),
168	* -- you got exactly what you asked for
169	* grantedWithMods (1),
170	* -- you got something like what you asked for; the
171	* -- requester is responsible for ascertaining the differences
172	* rejection (2),
173	* -- you don't get it, more information elsewhere in the message
174	* waiting (3),
175	* -- the request body part has not yet been processed; expect to
176	* -- hear more later (note: proper handling of this status
177	* -- response MAY use the polling req/rep PKIMessages specified
178	* -- in Section 5.3.22; alternatively, polling in the underlying
179	* -- transport layer MAY have some utility in this regard)
180	* revocationWarning (4),
181	* -- this message contains a warning that a revocation is
182	* -- imminent
183	* revocationNotification (5),
184	* -- notification that a revocation has occurred
185	* keyUpdateWarning (6)
186	* -- update already done for the oldCertId specified in
187	* -- CertReqMsg
188	* }
189	*/
190	# define OSSL_CMP_PKISTATUS_accepted 0
191	# define OSSL_CMP_PKISTATUS_grantedWithMods 1
192	# define OSSL_CMP_PKISTATUS_rejection 2
193	# define OSSL_CMP_PKISTATUS_waiting 3
194	# define OSSL_CMP_PKISTATUS_revocationWarning 4
195	# define OSSL_CMP_PKISTATUS_revocationNotification 5
196	# define OSSL_CMP_PKISTATUS_keyUpdateWarning 6
197
198	typedef ASN1_INTEGER OSSL_CMP_PKISTATUS;
199	DECLARE_ASN1_ITEM(OSSL_CMP_PKISTATUS)
200
201	# define OSSL_CMP_CERTORENCCERT_CERTIFICATE 0
202	# define OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT 1
203
204	/* data type declarations */
7960dbec DDO	205	typedef struct ossl_cmp_ctx_st OSSL_CMP_CTX;
7960dbec DDO	206	typedef struct ossl_cmp_pkiheader_st OSSL_CMP_PKIHEADER;
8869ad4a	207	DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
7960dbec	208	typedef struct ossl_cmp_msg_st OSSL_CMP_MSG;
8869ad4a	209	DECLARE_ASN1_ENCODE_FUNCTIONS(OSSL_CMP_MSG, OSSL_CMP_MSG, OSSL_CMP_MSG)
7960dbec	210	typedef struct ossl_cmp_certstatus_st OSSL_CMP_CERTSTATUS;
8869ad4a	211	DEFINE_STACK_OF(OSSL_CMP_CERTSTATUS)
7960dbec	212	typedef struct ossl_cmp_itav_st OSSL_CMP_ITAV;
8869ad4a	213	DEFINE_STACK_OF(OSSL_CMP_ITAV)
7960dbec DDO	214	typedef struct ossl_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT;
7960dbec DDO	215	typedef struct ossl_cmp_pkisi_st OSSL_CMP_PKISI;
8869ad4a	216	DEFINE_STACK_OF(OSSL_CMP_PKISI)
7960dbec	217	typedef struct ossl_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE;
8869ad4a	218	DEFINE_STACK_OF(OSSL_CMP_CERTREPMESSAGE)
7960dbec	219	typedef struct ossl_cmp_pollrep_st OSSL_CMP_POLLREP;
8869ad4a	220	typedef STACK_OF(OSSL_CMP_POLLREP) OSSL_CMP_POLLREPCONTENT;
7960dbec	221	typedef struct ossl_cmp_certresponse_st OSSL_CMP_CERTRESPONSE;
8869ad4a AK	222	DEFINE_STACK_OF(OSSL_CMP_CERTRESPONSE)
	223	typedef STACK_OF(ASN1_UTF8STRING) OSSL_CMP_PKIFREETEXT;
	224
7960dbec DDO	225	/*
	226	* function DECLARATIONS
	227	*/
	228
8869ad4a AK	229	/* from cmp_asn.c */
	230	OSSL_CMP_ITAV OSSL_CMP_ITAV_create(ASN1_OBJECT type, ASN1_TYPE *value);
	231	void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV itav, ASN1_OBJECT type,
	232	ASN1_TYPE *value);
	233	ASN1_OBJECT OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV itav);
	234	ASN1_TYPE OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV itav);
	235	int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
	236	OSSL_CMP_ITAV *itav);
	237	void OSSL_CMP_ITAV_free(OSSL_CMP_ITAV *itav);
	238	void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg);
7960dbec DDO	239
	240	/* from cmp_ctx.c */
	241	OSSL_CMP_CTX *OSSL_CMP_CTX_new(void);
	242	void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx);
	243	int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx);
	244	/* various CMP options: */
	245	# define OSSL_CMP_OPT_LOG_VERBOSITY 0
	246	# define OSSL_CMP_OPT_MSGTIMEOUT 1
	247	# define OSSL_CMP_OPT_TOTALTIMEOUT 2
	248	# define OSSL_CMP_OPT_VALIDITYDAYS 3
	249	# define OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT 4
	250	# define OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL 5
	251	# define OSSL_CMP_OPT_POLICIES_CRITICAL 6
	252	# define OSSL_CMP_OPT_POPOMETHOD 7
	253	# define OSSL_CMP_OPT_DIGEST_ALGNID 8
	254	# define OSSL_CMP_OPT_OWF_ALGNID 9
	255	# define OSSL_CMP_OPT_MAC_ALGNID 10
	256	# define OSSL_CMP_OPT_REVOCATION_REASON 11
	257	# define OSSL_CMP_OPT_IMPLICITCONFIRM 12
	258	# define OSSL_CMP_OPT_DISABLECONFIRM 13
	259	# define OSSL_CMP_OPT_UNPROTECTED_SEND 14
	260	# define OSSL_CMP_OPT_UNPROTECTED_ERRORS 15
	261	# define OSSL_CMP_OPT_IGNORE_KEYUSAGE 16
	262	# define OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR 17
	263	int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val);
	264	int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt);
	265	/* CMP-specific callback for logging and outputting the error queue: */
	266	int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_log_cb_t cb);
	267	#define OSSL_CMP_CTX_set_log_verbosity(ctx, level) \
	268	OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_LOG_VERBOSITY, level)
	269	void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx);
	270	/* message transfer: */
	271	int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX ctx, const char path);
	272	int OSSL_CMP_CTX_set1_serverName(OSSL_CMP_CTX ctx, const char name);
	273	int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port);
	274	int OSSL_CMP_CTX_set1_proxyName(OSSL_CMP_CTX ctx, const char name);
	275	int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port);
	276	# define OSSL_CMP_DEFAULT_PORT 80
	277	typedef BIO (OSSL_cmp_http_cb_t) (OSSL_CMP_CTX ctx, BIO hbio,
	278	unsigned long detail);
	279	int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_http_cb_t cb);
	280	int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX ctx, void arg);
	281	void OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX ctx);
	282	typedef int (OSSL_cmp_transfer_cb_t) (OSSL_CMP_CTX ctx,
	283	const OSSL_CMP_MSG *req,
	284	OSSL_CMP_MSG **res);
	285	int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_transfer_cb_t cb);
	286	int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX ctx, void arg);
	287	void OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX ctx);
	288	/* server authentication: */
	289	int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX ctx, X509 cert);
	290	int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX ctx, const X509_NAME name);
	291	int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX ctx, X509_STORE store);
	292	X509_STORE OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX ctx);
	293	int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX ctx, STACK_OF(X509) certs);
	294	STACK_OF(X509) OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX ctx);
	295	/* client authentication: */
	296	int OSSL_CMP_CTX_set1_clCert(OSSL_CMP_CTX ctx, X509 cert);
	297	int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX ctx, EVP_PKEY pkey);
	298	int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
	299	const unsigned char *ref, int len);
	300	int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX ctx, const unsigned char sec,
	301	const int len);
	302	/* CMP message header and extra certificates: */
303	int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX ctx, const X509_NAME name);
304	int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX ctx, OSSL_CMP_ITAV itav);
305	int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
306	STACK_OF(X509) *extraCertsOut);
307	/* certificate template: */
308	int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX ctx, int priv, EVP_PKEY pkey);
309	EVP_PKEY OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX ctx, int priv);
310	int OSSL_CMP_CTX_set1_issuer(OSSL_CMP_CTX ctx, const X509_NAME name);
311	int OSSL_CMP_CTX_set1_subjectName(OSSL_CMP_CTX ctx, const X509_NAME name);
312	int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX ctx, const GENERAL_NAME name);
313	int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX ctx, X509_EXTENSIONS exts);
314	int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx);
315	int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX ctx, POLICYINFO pinfo);
316	int OSSL_CMP_CTX_set1_oldCert(OSSL_CMP_CTX ctx, X509 cert);
317	int OSSL_CMP_CTX_set1_p10CSR(OSSL_CMP_CTX ctx, const X509_REQ csr);
318	/* misc body contents: */
319	int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX ctx, OSSL_CMP_ITAV itav);
320	/* certificate confirmation: */
321	typedef int (OSSL_cmp_certConf_cb_t) (OSSL_CMP_CTX ctx, X509 *cert,
322	int fail_info, const char **txt);
323	int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_certConf_cb_t cb);
324	int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX ctx, void arg);
325	void OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX ctx);
326	/* result fetching: */
327	int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx);
328	OSSL_CMP_PKIFREETEXT OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX ctx);
329	int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx);
330	# define OSSL_CMP_PKISI_BUFLEN 1024
331	X509 OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX ctx);
332	STACK_OF(X509) OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX ctx);
333	STACK_OF(X509) OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX ctx);
334	/* support application-level CMP debugging in cmp.c: */
335	int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
336	const ASN1_OCTET_STRING *id);
337	int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
338	const ASN1_OCTET_STRING *nonce);
8869ad4a AK	339
	340	# ifdef __cplusplus
	341	}
	342	# endif
	343	# endif /* !defined OPENSSL_NO_CMP */
	344	#endif /* !defined OSSL_HEADER_CMP_H */