From: Dr. David von Oheimb
Date: Thu, 10 Jul 2025 15:54:33 +0000 (+0200)
Subject: CMP doc: update RFC 4210 -> 9810, RFC 6712 -> 9811
X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~166
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d46fca326325789743c9baff98a48234b78acaa9;p=thirdparty%2Fopenssl.git
CMP doc: update RFC 4210 -> 9810, RFC 6712 -> 9811
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Alicja Kario
(Merged from https://github.com/openssl/openssl/pull/28017)
---
diff --git a/apps/cmp.c b/apps/cmp.c
index 011c9df7d74..627fac1a856 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -371,7 +371,7 @@ const OPTIONS cmp_options[] = {
 {"disable_confirm", OPT_DISABLE_CONFIRM, '-',
 "Do not confirm newly enrolled certificate w/o requesting implicit"},
 {OPT_MORE_STR, 0, 0,
- "confirmation. WARNING: This leads to behavior violating RFC 4210"},
+ "confirmation. WARNING: This leads to behavior violating RFC 9810"},
 {"certout", OPT_CERTOUT, 's',
 "File to save newly enrolled certificate"},
 {"chainout", OPT_CHAINOUT, 's',
@@ -440,7 +440,7 @@ const OPTIONS cmp_options[] = {
 {OPT_MORE_STR, 0, 0,
 "certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf"},
 {OPT_MORE_STR, 0, 0,
- "WARNING: This setting leads to behavior allowing violation of RFC 4210"},
+ "WARNING: This setting leads to behavior allowing violation of RFC 9810"},
 {"no_cache_extracerts", OPT_NO_CACHE_EXTRACERTS, '-',
 "Do not keep certificates received in the extraCerts CMP message field"},
 { "srvcertout", OPT_SRVCERTOUT, 's',
@@ -623,7 +623,7 @@ const OPTIONS cmp_options[] = {
 {OPT_MORE_STR, 0, 0,
 "certificate responses (ip/cp/kup), and revocation responses (rp)."},
 {OPT_MORE_STR, 0, 0,
- "WARNING: This setting leads to behavior violating RFC 4210"},
+ "WARNING: This setting leads to behavior violating RFC 9810"},
 {"accept_unprotected", OPT_ACCEPT_UNPROTECTED, '-',
 "Accept missing or invalid protection of requests"},
 {"accept_unprot_err", OPT_ACCEPT_UNPROT_ERR, '-',
diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c
index a2d3d3a8493..101accd9f1c 100644
--- a/crypto/cmp/cmp_asn.c
+++ b/crypto/cmp/cmp_asn.c
@@ -14,7 +14,11 @@
 #include "cmp_local.h"
 #include "internal/crmf.h"
-/* ASN.1 declarations from RFC4210 */
+/* explicit #includes not strictly needed since implied by the above: */
+#include
+#include
+
+/* ASN.1 declarations from RFC 9810 */
 ASN1_SEQUENCE(OSSL_CMP_REVANNCONTENT) = {
 /* OSSL_CMP_PKISTATUS is effectively ASN1_INTEGER so it is used directly */
 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, status, ASN1_INTEGER),
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index 76e6771166c..4488dd32360 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -557,11 +557,11 @@ static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype,
 * ctx->certConf_cb_arg, which has been initialized using opt_out_trusted, and
 * ctx->untrusted, which at this point already contains msg->extraCerts.
 * Returns 0 on acceptance, else a bit field reflecting PKIFailureInfo.
- * Quoting from RFC 4210 section 5.1. Overall PKI Message:
+ * Quoting from RFC 9810 section 5.1. Overall PKI Message:
 * The extraCerts field can contain certificates that may be useful to
 * the recipient. For example, this can be used by a CA or RA to
 * present an end entity with certificates that it needs to verify its
- * own new certificate (if, for example, the CA that issued the end
+ * own new certificate (for example, if the CA that issued the end
 * entity's certificate is not a root CA for the end entity). Note that
 * this field does not necessarily contain a certification path; the
 * recipient may have to sort, select from, or otherwise process the
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index a3b6258f526..3c9c9d84ca5 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -1143,7 +1143,7 @@ X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx, const OSSL_CMP_CE
 crt = X509_dup(coec->value.certificate);
 break;
 case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT:
- /* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */
+ /* cert encrypted for indirect PoP; RFC 9810, 5.2.8.3.2 */
 pkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
 /* pkey is ctx->newPkey (if private, else NULL) or ctx->pkey */
 if (pkey == NULL) {
diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c
index 6078a61b248..e12f8fc397f 100644
--- a/crypto/cmp/cmp_protect.c
+++ b/crypto/cmp/cmp_protect.c
@@ -291,7 +291,7 @@ int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
 goto err;
 /*
- * As required by RFC 4210 section 5.1.1., if the sender name is not known
+ * As required by RFC 9810 section 5.1.1., if the sender name is not known
 * to the client it set to NULL-DN. In this case for identification at least
 * the senderKID must be set, where we took the referenceValue as fallback.
 */
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 0fb73b5e84d..c24ce077dcd 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -593,7 +593,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
 }
 if (verify_PBMAC(ctx, msg)) {
 /*
- * RFC 4210, 5.3.2: 'Note that if the PKI Message Protection is
+ * RFC 9810, 5.3.2: 'Note that if the PKI message protection is
 * "shared secret information", then any certificate transported in
 * the caPubs field may be directly trusted as a root CA
 * certificate by the initiator.'
@@ -849,7 +849,7 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
 return 0;
 /*
- * RFC 4210 section 5.1.1 states: the recipNonce is copied from
+ * RFC 9810 section 5.1.1 states: the recipNonce is copied from
 * the senderNonce of the previous message in the transaction.
 * --> Store for setting in next message
 */
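Review bot: In crypto/cmp/cmp_protect.c, hunk @@ -291,7, the comment whose first line is re-cited keeps the ungrammatical continuation `to the client it set to NULL-DN`; since the block is being touched anyway, that line should read `it is set to the NULL-DN`. The same `it set to the NULL-DN` wording is carried over unchanged in the doc/internal/man3/ossl_cmp_hdr_init.pod hunk @@ -109,13. The body of ossl_cmp_msg_protect continues outside the hunk.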
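Review bot: In crypto/cmp/cmp_vfy.c, hunk @@ -593,7 (and identically @@ -858,7), the updated quotation still says only that caPubs certificates may be trusted under "shared secret information", while the guards visible next to it are `if (verify_PBMAC(ctx, msg))` and `ossl_cmp_hdr_get_protection_nid(hdr) == NID_id_PasswordBasedMAC`. Because this branch turns received certificates into trust anchors, the comment should state the narrower rule the code applies, as the ossl_cmp_msg_check_update.pod hunk already does with "PBM-based", for example `* Applied here for PasswordBasedMAC (PBM) only; the caPubs certs are then only as trustworthy as the shared secret.` Whether any other MAC algorithm that RFC 9810 counts as shared secret information can reach these branches is not visible in the hunks. Both enclosing functions start and end outside them.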
@@ -858,7 +858,7 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
 if (ossl_cmp_hdr_get_protection_nid(hdr) == NID_id_PasswordBasedMAC) {
 /*
- * RFC 4210, 5.3.2: 'Note that if the PKI Message Protection is
+ * RFC 9810, 5.3.2: 'Note that if the PKI message protection is
 * "shared secret information", then any certificate transported in
 * the caPubs field may be directly trusted as a root CA
 * certificate by the initiator.'
diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
index ecdd3526e38..bafa4ae169c 100644
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@@ -861,7 +861,7 @@ unsigned char
 /*
 * Decrypts the certificate in the given encryptedValue using private key pkey.
- * This is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2.
+ * This is needed for the indirect PoP method as in RFC 9810 section 5.2.8.3.2.
 *
 * returns a pointer to the decrypted certificate
 * returns NULL on error or if no certificate available
@@ -891,7 +891,7 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecer
 }
 /*-
 * Decrypts the certificate in the given encryptedKey using private key pkey.
- * This is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2.
+ * This is needed for the indirect PoP method as in RFC 9810 section 5.2.8.3.2.
 *
 * returns a pointer to the decrypted certificate
 * returns NULL on error or if no certificate available
diff --git a/doc/internal/man3/ossl_cmp_certreq_new.pod b/doc/internal/man3/ossl_cmp_certreq_new.pod
index 37a234066d3..219ea7a5bcb 100644
--- a/doc/internal/man3/ossl_cmp_certreq_new.pod
+++ b/doc/internal/man3/ossl_cmp_certreq_new.pod
@@ -150,7 +150,7 @@ The function does not protect the message if I is nonzero.
 =head1 NOTES
-CMP is specified in RFC 4210 (and CRMF in RFC 4211).
+CMP is specified in RFC 9810 (and CRMF in RFC 4211).
 =head1 RETURN VALUES
diff --git a/doc/internal/man3/ossl_cmp_ctx_set1_caPubs.pod b/doc/internal/man3/ossl_cmp_ctx_set1_caPubs.pod
index f3c45ed56c6..3c5cf9f9a7e 100644
--- a/doc/internal/man3/ossl_cmp_ctx_set1_caPubs.pod
+++ b/doc/internal/man3/ossl_cmp_ctx_set1_caPubs.pod
@@ -54,7 +54,7 @@ ossl_cmp_ctx_set1_recipNonce() sets the given recipient nonce in the context.
 =head1 NOTES
-CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+CMP is defined in RFC 9810.
 =head1 RETURN VALUES
diff --git a/doc/internal/man3/ossl_cmp_hdr_init.pod b/doc/internal/man3/ossl_cmp_hdr_init.pod
index a0804aa4cf2..61bdaad252b 100644
--- a/doc/internal/man3/ossl_cmp_hdr_init.pod
+++ b/doc/internal/man3/ossl_cmp_hdr_init.pod
@@ -72,7 +72,7 @@ PKIHeader to the given X509 Name value, without consuming the pointer. If B is NULL, recipient is set to the NULL DN (the empty list of strings). ossl_cmp_hdr_update_messagetime() (re-)sets the messageTime to the current
-system time. As written in RFC 4210, section 5.1.1:
+system time. As written in RFC 9810, section 5.1.1:
 The messageTime field contains the time at which the sender created the message. This may be useful to allow end entities to correct/check their local time for consistency with the time on a central system.
@@ -109,13 +109,13 @@ values in the given OSSL_CMP_CTX structure. This starts a new transaction in case ctx->transactionID is NULL. The sender name is copied from the subject of the client cert, if any, or else from the subject name provided for certification requests.
-As required by RFC 4210 section 5.1.1., if the sender name is not known
+As required by RFC 9810 section 5.1.1., if the sender name is not known
 to the client it set to the NULL-DN. In this case for identification at least the senderKID must be set, which we take from any referenceValue provided.
 =head1 NOTES
-CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+CMP is defined in RFC 9810.
 =head1 RETURN VALUES
diff --git a/doc/internal/man3/ossl_cmp_mock_srv_new.pod b/doc/internal/man3/ossl_cmp_mock_srv_new.pod
index 6f4f4fe86ba..165b6806506 100644
--- a/doc/internal/man3/ossl_cmp_mock_srv_new.pod
+++ b/doc/internal/man3/ossl_cmp_mock_srv_new.pod
@@ -85,7 +85,7 @@ the client should wait for the next poll.
 =head1 NOTES
-CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+CMP is defined in RFC 9810 (and CRMF in RFC 4211).
 =head1 RETURN VALUES
diff --git a/doc/internal/man3/ossl_cmp_msg_check_update.pod b/doc/internal/man3/ossl_cmp_msg_check_update.pod
index d1513bf34f0..2a6a9fccb04 100644
--- a/doc/internal/man3/ossl_cmp_msg_check_update.pod
+++ b/doc/internal/man3/ossl_cmp_msg_check_update.pod
@@ -64,7 +64,7 @@ If all checks pass then ossl_cmp_msg_check_update() records in B the senderNonce of the received message as the new recipNonce and learns the transaction ID if none is currently present in B.
-Moreover, according to RFC 4210 section 5.3.2, if the message protection is
+Moreover, according to RFC 9810 section 5.3.2, if the message protection is
 PBM-based then any certificates in the caPubs field are added to the list of trusted certificates (if set via L). This way these certs are available for validating subsequent messages in the
diff --git a/doc/internal/man3/ossl_cmp_msg_create.pod b/doc/internal/man3/ossl_cmp_msg_create.pod
index d4294d3e9fa..6a8321cd80b 100644
--- a/doc/internal/man3/ossl_cmp_msg_create.pod
+++ b/doc/internal/man3/ossl_cmp_msg_create.pod
@@ -107,7 +107,7 @@ Returns 1 on success, 0 on error.
 =head1 NOTES
-CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+CMP is defined in RFC 9810.
 =head1 RETURN VALUES
diff --git a/doc/internal/man3/ossl_cmp_msg_protect.pod b/doc/internal/man3/ossl_cmp_msg_protect.pod
index 7e14274f584..fce51c9840d 100644
--- a/doc/internal/man3/ossl_cmp_msg_protect.pod
+++ b/doc/internal/man3/ossl_cmp_msg_protect.pod
@@ -41,7 +41,7 @@ of the chain, i.e, the trust anchor (unless it is part of extraCertsOut).
 =head1 NOTES
-CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+CMP is defined in RFC 9810.
 The I parameter of ossl_cmp_msg_add_extraCerts() and thus also of ossl_cmp_msg_protect() cannot be made I
diff --git a/doc/internal/man3/ossl_cmp_pkisi_get_status.pod b/doc/internal/man3/ossl_cmp_pkisi_get_status.pod
index e44bfd3f019..df5acbf61d4 100644
--- a/doc/internal/man3/ossl_cmp_pkisi_get_status.pod
+++ b/doc/internal/man3/ossl_cmp_pkisi_get_status.pod
@@ -60,7 +60,7 @@ Uses data from I, which in case of indirect POPO includes the private key. ossl_cmp_pkisi_get_status() returns the PKIStatus of I, or -1 on error. ossl_cmp_PKIStatus_to_string() returns a human-readable string representing
-the PKIStatus values as specified in RFC 4210, Appendix F.
+the PKIStatus values as specified in RFC 9810, Appendix F.
 ossl_cmp_pkisi_get0_statusString() returns a direct pointer to the statusString field contained in I.
@@ -73,7 +73,7 @@ with index I in the PKIFailureInfo of the I, or -1 on error.
 =head1 NOTES
-CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+CMP is defined in RFC 9810.
 =head1 RETURN VALUES
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index e7bc672544f..7341def9566 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -3,7 +3,7 @@
 =head1 NAME
-openssl-cmp - Certificate Management Protocol (CMP, RFC 4210) application
+openssl-cmp - Certificate Management Protocol (CMP, RFCs 9810 and 9811) application
 =head1 SYNOPSIS
@@ -171,7 +171,8 @@ Certificate verification options, for both CMP and TLS:
 =head1 DESCRIPTION The B command is a client implementation for the Certificate
-Management Protocol (CMP) as defined in RFC4210.
+Management Protocol (CMP) as defined in RFCs 9810 and
+its HTTP(S) transfer as defined in RFC 9811.
 It can be used to request certificates from a CA server, update their certificates, request certificates to be revoked, and perform other types of CMP requests.
@@ -439,7 +440,7 @@ Request implicit confirmation of newly enrolled certificates. Do not send certificate confirmation message for newly enrolled certificate without requesting implicit confirmation to cope with broken servers not supporting implicit confirmation correctly.
-B This leads to behavior violating RFC 4210.
+B This leads to behavior violating RFC 9810.
 =item B<-certout> I
@@ -697,7 +698,7 @@ This applies to the following message types and contents: B This setting leads to unspecified behavior and it is meant exclusively to allow interoperability with server implementations violating
-RFC 4210, e.g.:
+RFC 9810, e.g.:
 =over 4
@@ -813,7 +814,7 @@ This takes precedence over the B<-cert> and B<-key> options. The secret is used for creating MAC-based protection of outgoing messages and for validating incoming messages that have MAC-based protection. The algorithm used by default is Password-Based Message Authentication Code (PBM)
-as defined in RFC 4210 section 5.1.3.1.
+as defined in RFC 9810 section 5.1.3.1.
 For more information about the format of I see L.
@@ -837,7 +838,7 @@ this "protection certificate", also called "signer certificate", will be included first in the extraCerts field of outgoing messages and the signature is done with the corresponding key. In Initialization Request (IR) messages this can be used for authenticating
-using an external entity certificate as defined in appendix E.7 of RFC 4210.
+using an external entity certificate as defined in appendix D.7 of RFC 9810.
 For Key Update Request (KUR) messages this is also used as the certificate to be updated if the B<-oldcert> option is not given.
@@ -880,7 +881,7 @@ L.
 =item B<-digest> I
-Specifies name of supported digest to use in RFC 4210's MSG_SIG_ALG
+Specifies name of supported digest to use in RFC 9810's MSG_SIG_ALG
 and as the one-way function (OWF) in C. If applicable, this is used for message protection and proof-of-possession (POPO) signatures.
@@ -893,7 +894,7 @@ Specifies the name of the MAC algorithm in C. To get the names of supported MAC algorithms use C and possibly combine such a name with the name of a supported digest algorithm, e.g., hmacWithSHA256.
-Defaults to C as per RFC 4210.
+Defaults to C, for backward compatibility with RFC 4210.
 =item B<-extracerts> I|I
@@ -1284,7 +1285,7 @@ Send response messages without CMP-level protection. In case of negative responses, server shall send unprotected error messages, certificate responses (IP/CP/KUP), and revocation responses (RP).
-WARNING: This setting leads to behavior violating RFC 4210.
+WARNING: This setting leads to behavior violating RFC 9810.
 =item B<-accept_unprotected>
diff --git a/doc/man3/OSSL_CMP_ATAV_set0.pod b/doc/man3/OSSL_CMP_ATAV_set0.pod
index 2fe37f79407..8a184a13f83 100644
--- a/doc/man3/OSSL_CMP_ATAV_set0.pod
+++ b/doc/man3/OSSL_CMP_ATAV_set0.pod
@@ -80,7 +80,7 @@ OSSL_CMP_ATAV_free() deallocates I. It is defined as a macro.
 =head1 NOTES
-CMP is defined in RFC 4210. CRMF is defined in RFC 4211.
+CMP is defined in RFC 9810. CRMF is defined in RFC 4211.
 =head1 RETURN VALUES
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index ab7aaa453b2..6ff711c5014 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -287,19 +287,19 @@ is provided as the newPkey or client's pkey component of the CMP context.
 =item B
-The NID of the digest algorithm to be used in RFC 4210's MSG_SIG_ALG
+The NID of the digest algorithm to be used in RFC 9810's MSG_SIG_ALG
 for signature-based message protection and Proof-of-Possession (POPO). Default is SHA256.
 =item B The NID of the digest algorithm to be used as one-way function (OWF) for MAC-based message protection with password-based MAC (PBM).
-See RFC 4210 section 5.1.3.1 for details.
+See RFC 9810 section 5.1.3.1 for details.
 Default is SHA256.
 =item B The NID of the MAC algorithm to be used for message protection with PBM.
-Default is HMAC-SHA1 as per RFC 4210.
+Default is HMAC-SHA1, for backward compatibility with RFC 4210.
 =item B
@@ -319,7 +319,7 @@ Do not confirm enrolled certificates, to cope with broken servers not supporting implicit confirmation correctly. B This setting leads to unspecified behavior and it is meant exclusively to allow interoperability with server implementations violating
-RFC 4210.
+RFC 9810.
 =item B
@@ -333,7 +333,7 @@ error messages as well as certificate responses (IP/CP/KUP) and revocation responses (RP) with rejection. B This setting leads to unspecified behavior and it is meant exclusively to allow interoperability with server implementations violating
-RFC 4210.
+RFC 9810.
 =item B
@@ -543,7 +543,7 @@ messages that have MAC-based protection (protectionAlg = C). OSSL_CMP_CTX_set1_referenceValue() sets the given referenceValue I with length I in the given I or clears it if the I argument is NULL.
-According to RFC 4210 section 5.1.1, if no value for the sender field in
+According to RFC 9810 section 5.1.1, if no value for the sender field in
 CMP message headers can be determined (i.e., no CMP signer certificate and no subject DN is set via OSSL_CMP_CTX_set1_subjectName() then the sender field will contain the NULL-DN
@@ -756,7 +756,7 @@ the I. This will be used to validate the recipNonce in incoming messages.
 =head1 NOTES
-CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+CMP is defined in RFC 9810 (and CRMF in RFC 4211).
 =head1 RETURN VALUES
diff --git a/doc/man3/OSSL_CMP_HDR_get0_transactionID.pod b/doc/man3/OSSL_CMP_HDR_get0_transactionID.pod
index 6e79e9a0e3c..a66d1b88b5a 100644
--- a/doc/man3/OSSL_CMP_HDR_get0_transactionID.pod
+++ b/doc/man3/OSSL_CMP_HDR_get0_transactionID.pod
@@ -30,7 +30,7 @@ in the generalInfo field of the given PKIHeader.
 =head1 NOTES
-CMP is defined in RFC 4210.
+CMP is defined in RFC 9810.
 =head1 RETURN VALUES
diff --git a/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod b/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod
index ce555d16e6a..f7f3a24494b 100644
--- a/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod
+++ b/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod
@@ -173,7 +173,7 @@ B or B and assigns to I<*keySpec> a copy of the keySpec field.
 =head1 NOTES
-CMP is defined in RFC 4210.
+CMP is defined in RFC 9810.
 =head1 RETURN VALUES
diff --git a/doc/man3/OSSL_CMP_ITAV_set0.pod b/doc/man3/OSSL_CMP_ITAV_set0.pod
index 13d7868a6de..0b4c76e6a76 100644
--- a/doc/man3/OSSL_CMP_ITAV_set0.pod
+++ b/doc/man3/OSSL_CMP_ITAV_set0.pod
@@ -29,7 +29,7 @@ OSSL_CMP_ITAV_get0_certProfile
 =head1 DESCRIPTION
-ITAV is short for InfoTypeAndValue. This type is defined in RFC 4210
+ITAV is short for InfoTypeAndValue. This type is defined in RFC 9810
 section 5.3.19 and Appendix F. It is used at various places in CMP messages, e.g., in the generalInfo PKIHeader field, to hold a key-value pair.
@@ -61,7 +61,7 @@ It is an error if the infoType of I is not B.
 =head1 NOTES
-CMP is defined in RFC 4210 and RFC 9480 (and CRMF in RFC 4211).
+CMP is defined in RFC 9810.
 OIDs to use as types in B can be found at L.
diff --git a/doc/man3/OSSL_CMP_MSG_get0_header.pod b/doc/man3/OSSL_CMP_MSG_get0_header.pod
index f8f535f30b0..9ba22119092 100644
--- a/doc/man3/OSSL_CMP_MSG_get0_header.pod
+++ b/doc/man3/OSSL_CMP_MSG_get0_header.pod
@@ -114,7 +114,7 @@ to BIO I.
 =head1 NOTES
-CMP is defined in RFC 4210.
+CMP is defined in RFC 9810.
 =head1 RETURN VALUES
diff --git a/doc/man3/OSSL_CMP_MSG_http_perform.pod b/doc/man3/OSSL_CMP_MSG_http_perform.pod
index c8d1a4fb47e..89dc637f0ed 100644
--- a/doc/man3/OSSL_CMP_MSG_http_perform.pod
+++ b/doc/man3/OSSL_CMP_MSG_http_perform.pod
@@ -43,8 +43,8 @@ such as L.
 =head1 NOTES
-CMP is defined in RFC 4210.
-HTTP transfer for CMP is defined in RFC 6712.
+CMP is defined in RFC 9810.
+HTTP transfer for CMP is defined in RFC 9811.
 =head1 RETURN VALUES
diff --git a/doc/man3/OSSL_CMP_SRV_CTX_new.pod b/doc/man3/OSSL_CMP_SRV_CTX_new.pod
index 35706dc6c3b..34862a09068 100644
--- a/doc/man3/OSSL_CMP_SRV_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_SRV_CTX_new.pod
@@ -158,7 +158,7 @@ confirmation of newly enrolled certificates if requested.
 =head1 NOTES
-CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+CMP is defined in RFC 9810 (and CRMF in RFC 4211).
 So far the CMP server implementation is limited to one request per CMP message (and consequently to at most one response component per CMP message).
diff --git a/doc/man3/OSSL_CMP_STATUSINFO_new.pod b/doc/man3/OSSL_CMP_STATUSINFO_new.pod
index 9c5ce577c73..edca81133ad 100644
--- a/doc/man3/OSSL_CMP_STATUSINFO_new.pod
+++ b/doc/man3/OSSL_CMP_STATUSINFO_new.pod
@@ -39,7 +39,7 @@ in the given buffer, with the given maximal length.
 =head1 NOTES
-CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+CMP is defined in RFC 9810.
 =head1 RETURN VALUES
diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod
index 94ce586f416..e210c6e6b5d 100644
--- a/doc/man3/OSSL_CMP_exec_certreq.pod
+++ b/doc/man3/OSSL_CMP_exec_certreq.pod
@@ -119,7 +119,7 @@ otherwise the issuer DN and serial number of the certificate set by L, otherwise the subject DN and public key of the certificate signing request set by L.
-RFC 4210 is vague in which PKIStatus should be returned by the server.
+RFC 9810 is vague in which PKIStatus should be returned by the server.
 We take "accepted" and "grantedWithMods" as clear success and handle "revocationWarning" and "revocationNotification" just as warnings because CAs typically return them as an indication that the certificate was already revoked.
@@ -138,7 +138,7 @@ and returns the list of Bs received in a genp response message. This can be used, for instance, with infoType C to obtain the set of signature algorithm identifiers that the CA will certify for subject public keys.
-See RFC 4210 section 5.3.19 and appendix E.5 for details.
+See RFC 9810 section 5.3.19 and appendix D.5 for details.
 Functions implementing more specific genm/genp exchanges are described next. OSSL_CMP_get1_caCerts() uses a genm/genp message exchange with infoType caCerts
@@ -151,7 +151,7 @@ OSSL_CMP_get1_rootCaKeyUpdate() uses a genm request message with infoType rootCaCert to obtain from the CMP server referenced by I in a genp response message with infoType rootCaKeyUpdate any update of the given root CA certificate I and verifies it as far as possible.
-See RFC 4210 section 4.4 for details.
+See RFC 9810 section 4.4 for details.
 On success it assigns to I<*newWithNew> the root certificate received. When the I and I output parameters are not NULL, it assigns to them the corresponding transition certificates.
@@ -183,7 +183,7 @@ Both must be freed by the caller.
 =head1 NOTES
-CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+CMP is defined in RFC 9810 (and CRMF in RFC 4211).
 The CMP client implementation is limited to one request per CMP message (and consequently to at most one response component per CMP message).
diff --git a/doc/man3/OSSL_CMP_validate_msg.pod b/doc/man3/OSSL_CMP_validate_msg.pod
index af060a8eb8a..25d0a1bb3c3 100644
--- a/doc/man3/OSSL_CMP_validate_msg.pod
+++ b/doc/man3/OSSL_CMP_validate_msg.pod
@@ -60,7 +60,7 @@ verification callback) and non-trusted intermediate certs from the I.
 =head1 NOTES
-CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+CMP is defined in RFC 9810.
 =head1 RETURN VALUES
diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
index 0f700c118f5..a8a5a36b68a 100644
--- a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
+++ b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
@@ -92,7 +92,7 @@ of the given CertId I, which must be of ASN.1 type GEN_DIRNAME. OSSL_CRMF_ENCRYPTEDKEY_get1_encCert() decrypts the certificate in the given encryptedKey I, using the private key I, library context I and property query string I (see L).
-This is needed for the indirect POPO method as in RFC 4210 section 5.2.8.2.
+This is needed for the indirect POPO method as in RFC 9810 section 5.2.8.3.2.
 The function returns the decrypted certificate as a copy, leaving its ownership with the caller, who is responsible for freeing it.
@@ -119,7 +119,7 @@ I and property query string I (see L). OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert() decrypts the certificate in the given encryptedValue I, using the private key I, library context I and property query string I (see L).
-This is needed for the indirect POPO method as in RFC 4210 section 5.2.8.2.
+This is needed for the indirect POPO method as in RFC 9810 section 5.2.8.3.2.
 The function returns the decrypted certificate as a copy, leaving its ownership with the caller, who is responsible for freeing it.
diff --git a/doc/man3/OSSL_CRMF_pbmp_new.pod b/doc/man3/OSSL_CRMF_pbmp_new.pod
index ff8b3c327cd..66125f8c50f 100644
--- a/doc/man3/OSSL_CRMF_pbmp_new.pod
+++ b/doc/man3/OSSL_CRMF_pbmp_new.pod
@@ -43,14 +43,15 @@ for the random number generation (DRBG) and may be NULL for the default. The algorithms for the OWF (one-way function) and for the MAC (message authentication code) may be any with a NID defined in F<< >>.
-As specified by RFC 4210, these should include NID_hmac_sha1.
+For backward compatibility with RFC 4210, these should include NID_hmac_sha1.
-RFC 4210 recommends that the salt SHOULD be at least 8 bytes (64 bits) long,
+RFC 4210 recommended that the salt SHOULD be at least 8 bytes (64 bits) long,
 where 16 bytes is common. The iteration count must be at least 100, as stipulated by RFC 4211, and is limited to at most 100000 to avoid DoS through manipulated or otherwise malformed input.
+See RFC 9045 for currently suggested values.
 =head1 RETURN VALUES
diff --git a/doc/man7/ossl-guide-migration.pod b/doc/man7/ossl-guide-migration.pod
index 5e9a05452c9..b36916072e3 100644
--- a/doc/man7/ossl-guide-migration.pod
+++ b/doc/man7/ossl-guide-migration.pod
@@ -191,9 +191,9 @@ For more information, see L.
 =head3 Other major new features
-=head4 Certificate Management Protocol (CMP, RFC 4210)
+=head4 Certificate Management Protocol (CMP, RFC 9810)
-This also covers CRMF (RFC 4211) and HTTP transfer (RFC 6712)
+This also covers CRMF (RFC 4211) and HTTP transfer (RFC 9811)
 See L and L as starting points.
 =head4 HTTP(S) client