=pod

=head1 NAME

ossl_cmp_build_cert_chain,
ossl_cmp_calc_protection,
ossl_cmp_msg_protect,
ossl_cmp_msg_add_extraCerts
- functions for producing CMP message protection

=head1 SYNOPSIS

 #include "cmp_local.h"

 STACK_OF(X509)
     *ossl_cmp_build_cert_chain(OPENSSL_CTX *libctx, const char *propq,
                                STACK_OF(X509) *certs, X509 *cert);
 ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx,
                                           const OSSL_CMP_MSG *msg);
 int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
 int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);

=head1 DESCRIPTION

ossl_cmp_build_cert_chain() builds up the chain of intermediate CA certificates
starting from the given certificate I<cert> as high up as possible using
the given list of candidate certificates, similarly to ssl_add_cert_chain().
It internally uses a B<X509_STORE_CTX> structure associated with the library
context I<libctx> and property query string I<propq>, both of which may be NULL.
The intended use of this function is to find all the certificates above the trust
anchor needed to verify an EE's own certificate.
Those are supposed to be included in the ExtraCerts field of every first
CMP message of a transaction when MSG_SIG_ALG is utilized.
This allocates a stack and increments the reference count of each cert,
so when not needed any more the stack and all its elements should be freed.
In case there is more than one possibility for the chain,
OpenSSL seems to take the first one; check X509_verify_cert() for details.

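The chain-building contract just described (the EE cert is kept, the walk climbs through the candidates taking the first match, and the self-signed trust anchor is left out) as a small added C model; this is not OpenSSL code, and the toy_cert struct, name-string comparison standing in for X509_check_issued(), and the constructed sample names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-in for an X509 (assumption: name-string comparison replaces
 * X509_check_issued(); no signature is verified). */
typedef struct { const char *subject, *issuer; } toy_cert;
#define TOY_SELF_SIGNED(c) (strcmp((c)->subject, (c)->issuer) == 0)

/* Models the documented contract: start at the EE cert, climb through the
 * candidates as far as possible, take the first match (like X509_verify_cert())
 * and stop before the self-signed root. Returns length, or -1 if > max. */
static int toy_build_cert_chain(const toy_cert *cands, int ncands,
                                const toy_cert *cert,
                                const toy_cert **chain, int max)
{
    int n = 0, i;
    const toy_cert *cur = cert, *next;
    if (max < 1)
        return -1;
    chain[n++] = cur;                          /* the EE cert is element 0 */
    while (!TOY_SELF_SIGNED(cur)) {
        for (next = NULL, i = 0; i < ncands; i++)
            if (strcmp(cands[i].subject, cur->issuer) == 0) {
                next = &cands[i];              /* first match wins */
                break;
            }
        if (next == NULL || TOY_SELF_SIGNED(next))
            break;                             /* issuer unknown, or root reached */
        if (n >= max)
            return -1;                         /* guards against candidate cycles */
        chain[n++] = cur = next;
    }
    return n;
}

/* Constructed sample: EE -> Inter2 -> Inter1 -> Root, plus a second "Inter1"
 * under another root to show that the first candidate wins. */
static const toy_cert toy_cands[] = {
    { "Inter2", "Inter1" }, { "Root", "Root" },
    { "Inter1", "Root" },   { "Inter1", "OtherRoot" },
};
static const toy_cert toy_ee = { "EE", "Inter2" };

int main(void)
{
    const toy_cert *chain[8];
    int i, n = toy_build_cert_chain(toy_cands, 4, &toy_ee, chain, 8);
    for (i = 0; i < n; i++)
        printf("%d: %s (issued by %s)\n", i, chain[i]->subject, chain[i]->issuer);
    return n == 3 ? 0 : 1;
}
```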
ossl_cmp_calc_protection() calculates the protection for the given I<msg>
according to the algorithm and parameters in the message header's protectionAlg
using the credentials, library context, and property criteria in the I<ctx>.

ossl_cmp_msg_protect() (re-)protects the given message I<msg> using an algorithm
depending on the available context information given in the I<ctx>.
If there is a secretValue it selects PBMAC, else if there is a protection cert
it selects Signature and uses L<ossl_cmp_msg_add_extraCerts(3)>.
It also sets the protectionAlg field in the message header accordingly.

ossl_cmp_msg_add_extraCerts() adds elements to the extraCerts field in the given
message I<msg>. It tries to build the certificate chain of the client cert in
the I<ctx> if present by using certificates in ctx->untrusted_certs;
if no untrusted certs are set, it will at least add the client certificate.
In any case all the certificates explicitly specified to be sent out (i.e.,
I<ctx-E<gt>extraCertsOut>) are added. Note that it will NOT add the root certificate
of the chain, i.e., the trust anchor (unless it is part of extraCertsOut).

=head1 NOTES

CMP is defined in RFC 4210 (and CRMF in RFC 4211).

=head1 RETURN VALUES

ossl_cmp_build_cert_chain() returns NULL on error,
else a pointer to a stack of (up_ref'ed) certificates
containing the EE certificate given in the function arguments (cert)
and all intermediate certificates up the chain toward the trust anchor.
The (self-signed) trust anchor is not included.

ossl_cmp_calc_protection() returns the protection on success, else NULL.

All other functions return 1 on success, 0 on error.

=head1 HISTORY

The OpenSSL CMP support was added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut