[thirdparty/openssl.git] / doc / internal / man3 / ossl_cmp_msg_protect.pod

=pod

=head1 NAME

ossl_cmp_build_cert_chain,
ossl_cmp_calc_protection,
ossl_cmp_msg_protect,
ossl_cmp_msg_add_extraCerts
- functions for producing CMP message protection

=head1 SYNOPSIS

 #include "cmp_local.h"

 STACK_OF(X509)
     *ossl_cmp_build_cert_chain(OPENSSL_CTX *libctx, const char *propq,
                                STACK_OF(X509) *certs, X509 *cert);
 ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx,
                                           const OSSL_CMP_MSG *msg);
 int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
 int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);

=head1 DESCRIPTION

ossl_cmp_build_cert_chain() builds up the chain of intermediate CA certificates
starting from the given certificate I<cert> as high up as possible using
the given list of candidate certificates, similarly to ssl_add_cert_chain().
It internally uses a B<X509_STORE_CTX> structure associated with the library
context I<libctx> and property query string I<propq>, both of which may be NULL.
Intended use of this function is to find all the certificates above the trust
anchor needed to verify an EE's own certificate.
Those are supposed to be included in the ExtraCerts field of every first
CMP message of a transaction when MSG_SIG_ALG is utilized.
This allocates a stack and increments the reference count of each cert,
so when not needed any more the stack and all its elements should be freed.
In case there is more than one possibility for the chain,
OpenSSL seems to take the first one; check X509_verify_cert() for details.

ossl_cmp_calc_protection() calculates the protection for the given I<msg>
according to the algorithm and parameters in the message header's protectionAlg
using the credentials, library context, and property criteria in the I<ctx>.

ossl_cmp_msg_protect() (re-)protects the given message I<msg> using an algorithm
depending on the available context information given in the I<ctx>.
If there is a secretValue it selects PBMAC, else if there is a protection cert
it selects Signature and uses L<ossl_cmp_msg_add_extraCerts(3)>.
It also sets the protectionAlg field in the message header accordingly.

ossl_cmp_msg_add_extraCerts() adds elements to the extraCerts field in the given
message I<msg>. It tries to build the certificate chain of the client cert in
the I<ctx> if present by using certificates in ctx->untrusted_certs;
if no untrusted certs are set, it will at least add the client certificate.
In any case all the certificates explicitly specified to be sent out (i.e.,
I<ctx->extraCertsOut>) are added. Note that it will NOT add the root certificate
of the chain, i.e, the trust anchor (unless it is part of extraCertsOut).

=head1 NOTES

CMP is defined in RFC 4210 (and CRMF in RFC 4211).

=head1 RETURN VALUES

ossl_cmp_build_cert_chain() returns NULL on error,
else a pointer to a stack of (up_ref'ed) certificates
containing the EE certificate given in the function arguments (cert)
and all intermediate certificates up the chain toward the trust anchor.
The (self-signed) trust anchor is not included.

ossl_cmp_calc_protection() returns the protection on success, else NULL.

All other functions return 1 on success, 0 on error.

=head1 HISTORY

The OpenSSL CMP support was added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
fcc25beb DDO	1	=pod
	2
	3	=head1 NAME
	4
28e9f62b	5	ossl_cmp_build_cert_chain,
6d1f50b5	6	ossl_cmp_calc_protection,
fcc25beb DDO	7	ossl_cmp_msg_protect,
	8	ossl_cmp_msg_add_extraCerts
	9	- functions for producing CMP message protection
	10
	11	=head1 SYNOPSIS
	12
28e9f62b	13	#include "cmp_local.h"
fcc25beb	14
28e9f62b DDO	15	STACK_OF(X509)
	16	ossl_cmp_build_cert_chain(OPENSSL_CTX libctx, const char *propq,
	17	STACK_OF(X509) certs, X509 cert);
6d1f50b5 DDO	18	ASN1_BIT_STRING ossl_cmp_calc_protection(const OSSL_CMP_CTX ctx,
6d1f50b5 DDO	19	const OSSL_CMP_MSG *msg);
28e9f62b DDO	20	int ossl_cmp_msg_protect(OSSL_CMP_CTX ctx, OSSL_CMP_MSG msg);
28e9f62b DDO	21	int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX ctx, OSSL_CMP_MSG msg);
fcc25beb DDO	22
	23	=head1 DESCRIPTION
	24
28e9f62b	25	ossl_cmp_build_cert_chain() builds up the chain of intermediate CA certificates
6d1f50b5	26	starting from the given certificate I<cert> as high up as possible using
28e9f62b DDO	27	the given list of candidate certificates, similarly to ssl_add_cert_chain().
	28	It internally uses a B<X509_STORE_CTX> structure associated with the library
	29	context I<libctx> and property query string I<propq>, both of which may be NULL.
	30	Intended use of this function is to find all the certificates above the trust
	31	anchor needed to verify an EE's own certificate.
	32	Those are supposed to be included in the ExtraCerts field of every first
	33	CMP message of a transaction when MSG_SIG_ALG is utilized.
	34	This allocates a stack and increments the reference count of each cert,
	35	so when not needed any more the stack and all its elements should be freed.
	36	In case there is more than one possibility for the chain,
	37	OpenSSL seems to take the first one; check X509_verify_cert() for details.
	38
6d1f50b5 DDO	39	ossl_cmp_calc_protection() calculates the protection for the given I<msg>
	40	according to the algorithm and parameters in the message header's protectionAlg
	41	using the credentials, library context, and property criteria in the I<ctx>.
	42
	43	ossl_cmp_msg_protect() (re-)protects the given message I<msg> using an algorithm
	44	depending on the available context information given in the I<ctx>.
63f1883d	45	If there is a secretValue it selects PBMAC, else if there is a protection cert
6d1f50b5	46	it selects Signature and uses L<ossl_cmp_msg_add_extraCerts(3)>.
fcc25beb DDO	47	It also sets the protectionAlg field in the message header accordingly.
	48
	49	ossl_cmp_msg_add_extraCerts() adds elements to the extraCerts field in the given
6d1f50b5 DDO	50	message I<msg>. It tries to build the certificate chain of the client cert in
6d1f50b5 DDO	51	the I<ctx> if present by using certificates in ctx->untrusted_certs;
fcc25beb DDO	52	if no untrusted certs are set, it will at least add the client certificate.
fcc25beb DDO	53	In any case all the certificates explicitly specified to be sent out (i.e.,
6d1f50b5	54	I<ctx->extraCertsOut>) are added. Note that it will NOT add the root certificate
fcc25beb DDO	55	of the chain, i.e, the trust anchor (unless it is part of extraCertsOut).
	56
	57	=head1 NOTES
	58
	59	CMP is defined in RFC 4210 (and CRMF in RFC 4211).
	60
	61	=head1 RETURN VALUES
	62
28e9f62b DDO	63	ossl_cmp_build_cert_chain() returns NULL on error,
	64	else a pointer to a stack of (up_ref'ed) certificates
	65	containing the EE certificate given in the function arguments (cert)
	66	and all intermediate certificates up the chain toward the trust anchor.
	67	The (self-signed) trust anchor is not included.
	68
6d1f50b5 DDO	69	ossl_cmp_calc_protection() returns the protection on success, else NULL.
6d1f50b5 DDO	70
28e9f62b	71	All other functions return 1 on success, 0 on error.
fcc25beb DDO	72
	73	=head1 HISTORY
	74
	75	The OpenSSL CMP support was added in OpenSSL 3.0.
	76
	77	=head1 COPYRIGHT
	78
33388b44	79	Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
fcc25beb DDO	80
	81	Licensed under the Apache License 2.0 (the "License"). You may not use
	82	this file except in compliance with the License. You can obtain a copy
	83	in the file LICENSE in the source distribution or at
	84	L<https://www.openssl.org/source/license.html>.
	85
	86	=cut