/src/openssl30/crypto/cmp/cmp_local.h
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * Copyright Nokia 2007-2019 |
4 | | * Copyright Siemens AG 2015-2019 |
5 | | * |
6 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
7 | | * this file except in compliance with the License. You can obtain a copy |
8 | | * in the file LICENSE in the source distribution or at |
9 | | * https://www.openssl.org/source/license.html |
10 | | */ |
11 | | |
12 | | #ifndef OSSL_CRYPTO_CMP_LOCAL_H |
13 | | # define OSSL_CRYPTO_CMP_LOCAL_H |
14 | | |
15 | | # include "internal/cryptlib.h" |
16 | | |
17 | | # include <openssl/cmp.h> |
18 | | # include <openssl/err.h> |
19 | | |
20 | | /* explicit #includes not strictly needed since implied by the above: */ |
21 | | # include <openssl/crmf.h> |
22 | | # include <openssl/types.h> |
23 | | # include <openssl/safestack.h> |
24 | | # include <openssl/x509.h> |
25 | | # include <openssl/x509v3.h> |
26 | | # include "crypto/x509.h" |
27 | | |
28 | 298 | #define IS_NULL_DN(name) (X509_NAME_get_entry(name, 0) == NULL) |
29 | | |
30 | | /* |
31 | | * this structure is used to store the context for CMP sessions |
32 | | */ |
33 | | struct ossl_cmp_ctx_st { |
34 | | OSSL_LIB_CTX *libctx; |
35 | | char *propq; |
36 | | OSSL_CMP_log_cb_t log_cb; /* log callback for error/debug/etc. output */ |
37 | | OSSL_CMP_severity log_verbosity; /* level of verbosity of log output */ |
38 | | |
39 | | /* message transfer */ |
40 | | OSSL_CMP_transfer_cb_t transfer_cb; /* default: OSSL_CMP_MSG_http_perform */ |
41 | | void *transfer_cb_arg; /* allows to store optional argument to cb */ |
42 | | /* HTTP-based transfer */ |
43 | | OSSL_HTTP_REQ_CTX *http_ctx; |
44 | | char *serverPath; |
45 | | char *server; |
46 | | int serverPort; |
47 | | char *proxy; |
48 | | char *no_proxy; |
49 | | int keep_alive; /* persistent connection: 0=no, 1=prefer, 2=require */ |
50 | | int msg_timeout; /* max seconds to wait for each CMP message round trip */ |
51 | | int total_timeout; /* max number of seconds an enrollment may take, incl. */ |
52 | | /* attempts polling for a response if a 'waiting' PKIStatus is received */ |
53 | | time_t end_time; /* session start time + totaltimeout */ |
54 | | OSSL_HTTP_bio_cb_t http_cb; |
55 | | void *http_cb_arg; /* allows to store optional argument to cb */ |
56 | | |
57 | | /* server authentication */ |
58 | | /* |
59 | | * unprotectedErrors may be set as workaround for broken server responses: |
60 | | * accept missing or invalid protection of regular error messages, negative |
61 | | * certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf |
62 | | */ |
63 | | int unprotectedErrors; |
64 | | X509 *srvCert; /* certificate used to identify the server */ |
65 | | X509 *validatedSrvCert; /* caches any already validated server cert */ |
66 | | X509_NAME *expected_sender; /* expected sender in header of response */ |
67 | | X509_STORE *trusted; /* trust store maybe w CRLs and cert verify callback */ |
68 | | STACK_OF(X509) *untrusted; /* untrusted (intermediate CA) certs */ |
69 | | int ignore_keyusage; /* ignore key usage entry when validating certs */ |
70 | | /* |
71 | | * permitTAInExtraCertsForIR allows use of root certs in extracerts |
72 | | * when validating message protection; this is used for 3GPP-style E.7 |
73 | | */ |
74 | | int permitTAInExtraCertsForIR; |
75 | | |
76 | | /* client authentication */ |
77 | | int unprotectedSend; /* send unprotected PKI messages */ |
78 | | X509 *cert; /* protection cert used to identify and sign for MSG_SIG_ALG */ |
79 | | STACK_OF(X509) *chain; /* (cached) chain of protection cert including it */ |
80 | | EVP_PKEY *pkey; /* the key pair corresponding to cert */ |
81 | | ASN1_OCTET_STRING *referenceValue; /* optional user name for MSG_MAC_ALG */ |
82 | | ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */ |
83 | | /* PBMParameters for MSG_MAC_ALG */ |
84 | | size_t pbm_slen; /* salt length, currently fixed to 16 */ |
85 | | EVP_MD *pbm_owf; /* one-way function (OWF), default: SHA256 */ |
86 | | int pbm_itercnt; /* OWF iteration count, currently fixed to 500 */ |
87 | | int pbm_mac; /* NID of MAC algorithm, default: HMAC-SHA1 as per RFC 4210 */ |
88 | | |
89 | | /* CMP message header and extra certificates */ |
90 | | X509_NAME *recipient; /* to set in recipient in pkiheader */ |
91 | | EVP_MD *digest; /* digest used in MSG_SIG_ALG and POPO, default SHA256 */ |
92 | | ASN1_OCTET_STRING *transactionID; /* the current transaction ID */ |
93 | | ASN1_OCTET_STRING *senderNonce; /* last nonce sent */ |
94 | | ASN1_OCTET_STRING *recipNonce; /* last nonce received */ |
95 | | ASN1_UTF8STRING *freeText; /* optional string to include each msg */ |
96 | | STACK_OF(OSSL_CMP_ITAV) *geninfo_ITAVs; |
97 | | int implicitConfirm; /* set implicitConfirm in IR/KUR/CR messages */ |
98 | | int disableConfirm; /* disable certConf in IR/KUR/CR for broken servers */ |
99 | | STACK_OF(X509) *extraCertsOut; /* to be included in request messages */ |
100 | | |
101 | | /* certificate template */ |
102 | | EVP_PKEY *newPkey; /* explicit new private/public key for cert enrollment */ |
103 | | int newPkey_priv; /* flag indicating if newPkey contains private key */ |
104 | | X509_NAME *issuer; /* issuer name to used in cert template */ |
105 | | int days; /* Number of days new certificates are asked to be valid for */ |
106 | | X509_NAME *subjectName; /* subject name to be used in cert template */ |
107 | | STACK_OF(GENERAL_NAME) *subjectAltNames; /* to add to the cert template */ |
108 | | int SubjectAltName_nodefault; |
109 | | int setSubjectAltNameCritical; |
110 | | X509_EXTENSIONS *reqExtensions; /* exts to be added to cert template */ |
111 | | CERTIFICATEPOLICIES *policies; /* policies to be included in extensions */ |
112 | | int setPoliciesCritical; |
113 | | int popoMethod; /* Proof-of-possession mechanism; default: signature */ |
114 | | X509 *oldCert; /* cert to be updated (via KUR) or to be revoked (via RR) */ |
115 | | X509_REQ *p10CSR; /* for P10CR: PKCS#10 CSR to be sent */ |
116 | | |
117 | | /* misc body contents */ |
118 | | int revocationReason; /* revocation reason code to be included in RR */ |
119 | | STACK_OF(OSSL_CMP_ITAV) *genm_ITAVs; /* content of general message */ |
120 | | |
121 | | /* result returned in responses */ |
122 | | int status; /* PKIStatus of last received IP/CP/KUP/RP/error or -1 */ |
123 | | OSSL_CMP_PKIFREETEXT *statusString; /* of last IP/CP/KUP/RP/error */ |
124 | | int failInfoCode; /* failInfoCode of last received IP/CP/KUP/error, or -1 */ |
125 | | X509 *newCert; /* newly enrolled cert received from the CA */ |
126 | | STACK_OF(X509) *newChain; /* chain of newly enrolled cert received */ |
127 | | STACK_OF(X509) *caPubs; /* CA certs received from server (in IP message) */ |
128 | | STACK_OF(X509) *extraCertsIn; /* extraCerts received from server */ |
129 | | |
130 | | /* certificate confirmation */ |
131 | | OSSL_CMP_certConf_cb_t certConf_cb; /* callback for app checking new cert */ |
132 | | void *certConf_cb_arg; /* allows to store an argument individual to cb */ |
133 | | } /* OSSL_CMP_CTX */; |
134 | | |
135 | | /* |
136 | | * ########################################################################## |
137 | | * ASN.1 DECLARATIONS |
138 | | * ########################################################################## |
139 | | */ |
140 | | |
141 | | /*- |
142 | | * RevAnnContent ::= SEQUENCE { |
143 | | * status PKIStatus, |
144 | | * certId CertId, |
145 | | * willBeRevokedAt GeneralizedTime, |
146 | | * badSinceDate GeneralizedTime, |
147 | | * crlDetails Extensions OPTIONAL |
148 | | * -- extra CRL details (e.g., crl number, reason, location, etc.) |
149 | | * } |
150 | | */ |
151 | | typedef struct ossl_cmp_revanncontent_st { |
152 | | ASN1_INTEGER *status; |
153 | | OSSL_CRMF_CERTID *certId; |
154 | | ASN1_GENERALIZEDTIME *willBeRevokedAt; |
155 | | ASN1_GENERALIZEDTIME *badSinceDate; |
156 | | X509_EXTENSIONS *crlDetails; |
157 | | } OSSL_CMP_REVANNCONTENT; |
158 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT) |
159 | | |
160 | | /*- |
161 | | * Challenge ::= SEQUENCE { |
162 | | * owf AlgorithmIdentifier OPTIONAL, |
163 | | * |
164 | | * -- MUST be present in the first Challenge; MAY be omitted in |
165 | | * -- any subsequent Challenge in POPODecKeyChallContent (if |
166 | | * -- omitted, then the owf used in the immediately preceding |
167 | | * -- Challenge is to be used). |
168 | | * |
169 | | * witness OCTET STRING, |
170 | | * -- the result of applying the one-way function (owf) to a |
171 | | * -- randomly-generated INTEGER, A. [Note that a different |
172 | | * -- INTEGER MUST be used for each Challenge.] |
173 | | * challenge OCTET STRING |
174 | | * -- the encryption (under the public key for which the cert. |
175 | | * -- request is being made) of Rand, where Rand is specified as |
176 | | * -- Rand ::= SEQUENCE { |
177 | | * -- int INTEGER, |
178 | | * -- - the randomly-generated INTEGER A (above) |
179 | | * -- sender GeneralName |
180 | | * -- - the sender's name (as included in PKIHeader) |
181 | | * -- } |
182 | | * } |
183 | | */ |
184 | | typedef struct ossl_cmp_challenge_st { |
185 | | X509_ALGOR *owf; |
186 | | ASN1_OCTET_STRING *witness; |
187 | | ASN1_OCTET_STRING *challenge; |
188 | | } OSSL_CMP_CHALLENGE; |
189 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE) |
190 | | |
191 | | /*- |
192 | | * CAKeyUpdAnnContent ::= SEQUENCE { |
193 | | * oldWithNew Certificate, |
194 | | * newWithOld Certificate, |
195 | | * newWithNew Certificate |
196 | | * } |
197 | | */ |
198 | | typedef struct ossl_cmp_cakeyupdanncontent_st { |
199 | | X509 *oldWithNew; |
200 | | X509 *newWithOld; |
201 | | X509 *newWithNew; |
202 | | } OSSL_CMP_CAKEYUPDANNCONTENT; |
203 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT) |
204 | | |
205 | | /*- |
206 | | * declared already here as it will be used in OSSL_CMP_MSG (nested) and |
207 | | * infoType and infoValue |
208 | | */ |
209 | | typedef STACK_OF(OSSL_CMP_MSG) OSSL_CMP_MSGS; |
210 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS) |
211 | | |
212 | | /*- |
213 | | * InfoTypeAndValue ::= SEQUENCE { |
214 | | * infoType OBJECT IDENTIFIER, |
215 | | * infoValue ANY DEFINED BY infoType OPTIONAL |
216 | | * } |
217 | | */ |
218 | | struct ossl_cmp_itav_st { |
219 | | ASN1_OBJECT *infoType; |
220 | | union { |
221 | | char *ptr; |
222 | | /* NID_id_it_caProtEncCert - CA Protocol Encryption Certificate */ |
223 | | X509 *caProtEncCert; |
224 | | /* NID_id_it_signKeyPairTypes - Signing Key Pair Types */ |
225 | | STACK_OF(X509_ALGOR) *signKeyPairTypes; |
226 | | /* NID_id_it_encKeyPairTypes - Encryption/Key Agreement Key Pair Types */ |
227 | | STACK_OF(X509_ALGOR) *encKeyPairTypes; |
228 | | /* NID_id_it_preferredSymmAlg - Preferred Symmetric Algorithm */ |
229 | | X509_ALGOR *preferredSymmAlg; |
230 | | /* NID_id_it_caKeyUpdateInfo - Updated CA Key Pair */ |
231 | | OSSL_CMP_CAKEYUPDANNCONTENT *caKeyUpdateInfo; |
232 | | /* NID_id_it_currentCRL - CRL */ |
233 | | X509_CRL *currentCRL; |
234 | | /* NID_id_it_unsupportedOIDs - Unsupported Object Identifiers */ |
235 | | STACK_OF(ASN1_OBJECT) *unsupportedOIDs; |
236 | | /* NID_id_it_keyPairParamReq - Key Pair Parameters Request */ |
237 | | ASN1_OBJECT *keyPairParamReq; |
238 | | /* NID_id_it_keyPairParamRep - Key Pair Parameters Response */ |
239 | | X509_ALGOR *keyPairParamRep; |
240 | | /* NID_id_it_revPassphrase - Revocation Passphrase */ |
241 | | OSSL_CRMF_ENCRYPTEDVALUE *revPassphrase; |
242 | | /* NID_id_it_implicitConfirm - ImplicitConfirm */ |
243 | | ASN1_NULL *implicitConfirm; |
244 | | /* NID_id_it_confirmWaitTime - ConfirmWaitTime */ |
245 | | ASN1_GENERALIZEDTIME *confirmWaitTime; |
246 | | /* NID_id_it_origPKIMessage - origPKIMessage */ |
247 | | OSSL_CMP_MSGS *origPKIMessage; |
248 | | /* NID_id_it_suppLangTags - Supported Language Tags */ |
249 | | STACK_OF(ASN1_UTF8STRING) *suppLangTagsValue; |
250 | | /* this is to be used for so far undeclared objects */ |
251 | | ASN1_TYPE *other; |
252 | | } infoValue; |
253 | | } /* OSSL_CMP_ITAV */; |
254 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV) |
255 | | |
256 | | typedef struct ossl_cmp_certorenccert_st { |
257 | | int type; |
258 | | union { |
259 | | X509 *certificate; |
260 | | OSSL_CRMF_ENCRYPTEDVALUE *encryptedCert; |
261 | | } value; |
262 | | } OSSL_CMP_CERTORENCCERT; |
263 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT) |
264 | | |
265 | | /*- |
266 | | * CertifiedKeyPair ::= SEQUENCE { |
267 | | * certOrEncCert CertOrEncCert, |
268 | | * privateKey [0] EncryptedValue OPTIONAL, |
269 | | * -- see [CRMF] for comment on encoding |
270 | | * publicationInfo [1] PKIPublicationInfo OPTIONAL |
271 | | * } |
272 | | */ |
273 | | typedef struct ossl_cmp_certifiedkeypair_st { |
274 | | OSSL_CMP_CERTORENCCERT *certOrEncCert; |
275 | | OSSL_CRMF_ENCRYPTEDVALUE *privateKey; |
276 | | OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo; |
277 | | } OSSL_CMP_CERTIFIEDKEYPAIR; |
278 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR) |
279 | | |
280 | | /*- |
281 | | * PKIStatusInfo ::= SEQUENCE { |
282 | | * status PKIStatus, |
283 | | * statusString PKIFreeText OPTIONAL, |
284 | | * failInfo PKIFailureInfo OPTIONAL |
285 | | * } |
286 | | */ |
287 | | struct ossl_cmp_pkisi_st { |
288 | | OSSL_CMP_PKISTATUS *status; |
289 | | OSSL_CMP_PKIFREETEXT *statusString; |
290 | | OSSL_CMP_PKIFAILUREINFO *failInfo; |
291 | | } /* OSSL_CMP_PKISI */; |
292 | | |
293 | | /*- |
294 | | * RevReqContent ::= SEQUENCE OF RevDetails |
295 | | * |
296 | | * RevDetails ::= SEQUENCE { |
297 | | * certDetails CertTemplate, |
298 | | * crlEntryDetails Extensions OPTIONAL |
299 | | * } |
300 | | */ |
301 | | struct ossl_cmp_revdetails_st { |
302 | | OSSL_CRMF_CERTTEMPLATE *certDetails; |
303 | | X509_EXTENSIONS *crlEntryDetails; |
304 | | } /* OSSL_CMP_REVDETAILS */; |
305 | | typedef struct ossl_cmp_revdetails_st OSSL_CMP_REVDETAILS; |
306 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS) |
307 | | DEFINE_STACK_OF(OSSL_CMP_REVDETAILS) |
308 | | |
309 | | /*- |
310 | | * RevRepContent ::= SEQUENCE { |
311 | | * status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo, |
312 | | * -- in same order as was sent in RevReqContent |
313 | | * revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId |
314 | | * OPTIONAL, |
315 | | * -- IDs for which revocation was requested |
316 | | * -- (same order as status) |
317 | | * crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList |
318 | | * OPTIONAL |
319 | | * -- the resulting CRLs (there may be more than one) |
320 | | * } |
321 | | */ |
322 | | struct ossl_cmp_revrepcontent_st { |
323 | | STACK_OF(OSSL_CMP_PKISI) *status; |
324 | | STACK_OF(OSSL_CRMF_CERTID) *revCerts; |
325 | | STACK_OF(X509_CRL) *crls; |
326 | | } /* OSSL_CMP_REVREPCONTENT */; |
327 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT) |
328 | | |
329 | | /*- |
330 | | * KeyRecRepContent ::= SEQUENCE { |
331 | | * status PKIStatusInfo, |
332 | | * newSigCert [0] Certificate OPTIONAL, |
333 | | * caCerts [1] SEQUENCE SIZE (1..MAX) OF |
334 | | * Certificate OPTIONAL, |
335 | | * keyPairHist [2] SEQUENCE SIZE (1..MAX) OF |
336 | | * CertifiedKeyPair OPTIONAL |
337 | | * } |
338 | | */ |
339 | | typedef struct ossl_cmp_keyrecrepcontent_st { |
340 | | OSSL_CMP_PKISI *status; |
341 | | X509 *newSigCert; |
342 | | STACK_OF(X509) *caCerts; |
343 | | STACK_OF(OSSL_CMP_CERTIFIEDKEYPAIR) *keyPairHist; |
344 | | } OSSL_CMP_KEYRECREPCONTENT; |
345 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT) |
346 | | |
347 | | /*- |
348 | | * ErrorMsgContent ::= SEQUENCE { |
349 | | * pKIStatusInfo PKIStatusInfo, |
350 | | * errorCode INTEGER OPTIONAL, |
351 | | * -- implementation-specific error codes |
352 | | * errorDetails PKIFreeText OPTIONAL |
353 | | * -- implementation-specific error details |
354 | | * } |
355 | | */ |
356 | | typedef struct ossl_cmp_errormsgcontent_st { |
357 | | OSSL_CMP_PKISI *pKIStatusInfo; |
358 | | ASN1_INTEGER *errorCode; |
359 | | OSSL_CMP_PKIFREETEXT *errorDetails; |
360 | | } OSSL_CMP_ERRORMSGCONTENT; |
361 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT) |
362 | | |
363 | | /*- |
364 | | * CertConfirmContent ::= SEQUENCE OF CertStatus |
365 | | * |
366 | | * CertStatus ::= SEQUENCE { |
367 | | * certHash OCTET STRING, |
368 | | * -- the hash of the certificate, using the same hash algorithm |
369 | | * -- as is used to create and verify the certificate signature |
370 | | * certReqId INTEGER, |
371 | | * -- to match this confirmation with the corresponding req/rep |
372 | | * statusInfo PKIStatusInfo OPTIONAL |
373 | | * } |
374 | | */ |
375 | | struct ossl_cmp_certstatus_st { |
376 | | ASN1_OCTET_STRING *certHash; |
377 | | ASN1_INTEGER *certReqId; |
378 | | OSSL_CMP_PKISI *statusInfo; |
379 | | } /* OSSL_CMP_CERTSTATUS */; |
380 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS) |
381 | | typedef STACK_OF(OSSL_CMP_CERTSTATUS) OSSL_CMP_CERTCONFIRMCONTENT; |
382 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT) |
383 | | |
384 | | /*- |
385 | | * CertResponse ::= SEQUENCE { |
386 | | * certReqId INTEGER, |
387 | | * -- to match this response with corresponding request (a value |
388 | | * -- of -1 is to be used if certReqId is not specified in the |
389 | | * -- corresponding request) |
390 | | * status PKIStatusInfo, |
391 | | * certifiedKeyPair CertifiedKeyPair OPTIONAL, |
392 | | * rspInfo OCTET STRING OPTIONAL |
393 | | * -- analogous to the id-regInfo-utf8Pairs string defined |
394 | | * -- for regInfo in CertReqMsg [CRMF] |
395 | | * } |
396 | | */ |
397 | | struct ossl_cmp_certresponse_st { |
398 | | ASN1_INTEGER *certReqId; |
399 | | OSSL_CMP_PKISI *status; |
400 | | OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair; |
401 | | ASN1_OCTET_STRING *rspInfo; |
402 | | } /* OSSL_CMP_CERTRESPONSE */; |
403 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE) |
404 | | |
405 | | /*- |
406 | | * CertRepMessage ::= SEQUENCE { |
407 | | * caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate |
408 | | * OPTIONAL, |
409 | | * response SEQUENCE OF CertResponse |
410 | | * } |
411 | | */ |
412 | | struct ossl_cmp_certrepmessage_st { |
413 | | STACK_OF(X509) *caPubs; |
414 | | STACK_OF(OSSL_CMP_CERTRESPONSE) *response; |
415 | | } /* OSSL_CMP_CERTREPMESSAGE */; |
416 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE) |
417 | | |
418 | | /*- |
419 | | * PollReqContent ::= SEQUENCE OF SEQUENCE { |
420 | | * certReqId INTEGER |
421 | | * } |
422 | | */ |
423 | | typedef struct ossl_cmp_pollreq_st { |
424 | | ASN1_INTEGER *certReqId; |
425 | | } OSSL_CMP_POLLREQ; |
426 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ) |
427 | | DEFINE_STACK_OF(OSSL_CMP_POLLREQ) |
428 | | typedef STACK_OF(OSSL_CMP_POLLREQ) OSSL_CMP_POLLREQCONTENT; |
429 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQCONTENT) |
430 | | |
431 | | /*- |
432 | | * PollRepContent ::= SEQUENCE OF SEQUENCE { |
433 | | * certReqId INTEGER, |
434 | | * checkAfter INTEGER, -- time in seconds |
435 | | * reason PKIFreeText OPTIONAL |
436 | | * } |
437 | | */ |
438 | | struct ossl_cmp_pollrep_st { |
439 | | ASN1_INTEGER *certReqId; |
440 | | ASN1_INTEGER *checkAfter; |
441 | | OSSL_CMP_PKIFREETEXT *reason; |
442 | | } /* OSSL_CMP_POLLREP */; |
443 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREP) |
444 | | DEFINE_STACK_OF(OSSL_CMP_POLLREP) |
445 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT) |
446 | | |
447 | | /*- |
448 | | * PKIHeader ::= SEQUENCE { |
449 | | * pvno INTEGER { cmp1999(1), cmp2000(2) }, |
450 | | * sender GeneralName, |
451 | | * -- identifies the sender |
452 | | * recipient GeneralName, |
453 | | * -- identifies the intended recipient |
454 | | * messageTime [0] GeneralizedTime OPTIONAL, |
455 | | * -- time of production of this message (used when sender |
456 | | * -- believes that the transport will be "suitable"; i.e., |
457 | | * -- that the time will still be meaningful upon receipt) |
458 | | * protectionAlg [1] AlgorithmIdentifier OPTIONAL, |
459 | | * -- algorithm used for calculation of protection bits |
460 | | * senderKID [2] KeyIdentifier OPTIONAL, |
461 | | * recipKID [3] KeyIdentifier OPTIONAL, |
462 | | * -- to identify specific keys used for protection |
463 | | * transactionID [4] OCTET STRING OPTIONAL, |
464 | | * -- identifies the transaction; i.e., this will be the same in |
465 | | * -- corresponding request, response, certConf, and PKIConf |
466 | | * -- messages |
467 | | * senderNonce [5] OCTET STRING OPTIONAL, |
468 | | * recipNonce [6] OCTET STRING OPTIONAL, |
469 | | * -- nonces used to provide replay protection, senderNonce |
470 | | * -- is inserted by the creator of this message; recipNonce |
471 | | * -- is a nonce previously inserted in a related message by |
472 | | * -- the intended recipient of this message |
473 | | * freeText [7] PKIFreeText OPTIONAL, |
474 | | * -- this may be used to indicate context-specific instructions |
475 | | * -- (this field is intended for human consumption) |
476 | | * generalInfo [8] SEQUENCE SIZE (1..MAX) OF |
477 | | * InfoTypeAndValue OPTIONAL |
478 | | * -- this may be used to convey context-specific information |
479 | | * -- (this field not primarily intended for human consumption) |
480 | | * } |
481 | | */ |
482 | | struct ossl_cmp_pkiheader_st { |
483 | | ASN1_INTEGER *pvno; |
484 | | GENERAL_NAME *sender; |
485 | | GENERAL_NAME *recipient; |
486 | | ASN1_GENERALIZEDTIME *messageTime; /* 0 */ |
487 | | X509_ALGOR *protectionAlg; /* 1 */ |
488 | | ASN1_OCTET_STRING *senderKID; /* 2 */ |
489 | | ASN1_OCTET_STRING *recipKID; /* 3 */ |
490 | | ASN1_OCTET_STRING *transactionID; /* 4 */ |
491 | | ASN1_OCTET_STRING *senderNonce; /* 5 */ |
492 | | ASN1_OCTET_STRING *recipNonce; /* 6 */ |
493 | | OSSL_CMP_PKIFREETEXT *freeText; /* 7 */ |
494 | | STACK_OF(OSSL_CMP_ITAV) *generalInfo; /* 8 */ |
495 | | } /* OSSL_CMP_PKIHEADER */; |
496 | | |
497 | | typedef STACK_OF(OSSL_CMP_CHALLENGE) OSSL_CMP_POPODECKEYCHALLCONTENT; |
498 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYCHALLCONTENT) |
499 | | typedef STACK_OF(ASN1_INTEGER) OSSL_CMP_POPODECKEYRESPCONTENT; |
500 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYRESPCONTENT) |
501 | | typedef STACK_OF(OSSL_CMP_REVDETAILS) OSSL_CMP_REVREQCONTENT; |
502 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREQCONTENT) |
503 | | typedef STACK_OF(X509_CRL) OSSL_CMP_CRLANNCONTENT; |
504 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CRLANNCONTENT) |
505 | | typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENMSGCONTENT; |
506 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENMSGCONTENT) |
507 | | typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENREPCONTENT; |
508 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENREPCONTENT) |
509 | | |
510 | | /*- |
511 | | * PKIBody ::= CHOICE { -- message-specific body elements |
512 | | * ir [0] CertReqMessages, --Initialization Request |
513 | | * ip [1] CertRepMessage, --Initialization Response |
514 | | * cr [2] CertReqMessages, --Certification Request |
515 | | * cp [3] CertRepMessage, --Certification Response |
516 | | * p10cr [4] CertificationRequest, --imported from [PKCS10] |
517 | | * popdecc [5] POPODecKeyChallContent, --pop Challenge |
518 | | * popdecr [6] POPODecKeyRespContent, --pop Response |
519 | | * kur [7] CertReqMessages, --Key Update Request |
520 | | * kup [8] CertRepMessage, --Key Update Response |
521 | | * krr [9] CertReqMessages, --Key Recovery Request |
522 | | * krp [10] KeyRecRepContent, --Key Recovery Response |
523 | | * rr [11] RevReqContent, --Revocation Request |
524 | | * rp [12] RevRepContent, --Revocation Response |
525 | | * ccr [13] CertReqMessages, --Cross-Cert. Request |
526 | | * ccp [14] CertRepMessage, --Cross-Cert. Response |
527 | | * ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. |
528 | | * cann [16] CertAnnContent, --Certificate Ann. |
529 | | * rann [17] RevAnnContent, --Revocation Ann. |
530 | | * crlann [18] CRLAnnContent, --CRL Announcement |
531 | | * pkiconf [19] PKIConfirmContent, --Confirmation |
532 | | * nested [20] NestedMessageContent, --Nested Message |
533 | | * genm [21] GenMsgContent, --General Message |
534 | | * genp [22] GenRepContent, --General Response |
535 | | * error [23] ErrorMsgContent, --Error Message |
536 | | * certConf [24] CertConfirmContent, --Certificate confirm |
537 | | * pollReq [25] PollReqContent, --Polling request |
538 | | * pollRep [26] PollRepContent --Polling response |
539 | | * } |
540 | | */ |
541 | | typedef struct ossl_cmp_pkibody_st { |
542 | | int type; |
543 | | union { |
544 | | OSSL_CRMF_MSGS *ir; /* 0 */ |
545 | | OSSL_CMP_CERTREPMESSAGE *ip; /* 1 */ |
546 | | OSSL_CRMF_MSGS *cr; /* 2 */ |
547 | | OSSL_CMP_CERTREPMESSAGE *cp; /* 3 */ |
548 | | /*- |
549 | | * p10cr [4] CertificationRequest, --imported from [PKCS10] |
550 | | * |
551 | | * PKCS10_CERTIFICATIONREQUEST is effectively X509_REQ |
552 | | * so it is used directly |
553 | | */ |
554 | | X509_REQ *p10cr; /* 4 */ |
555 | | /*- |
556 | | * popdecc [5] POPODecKeyChallContent, --pop Challenge |
557 | | * |
558 | | * POPODecKeyChallContent ::= SEQUENCE OF Challenge |
559 | | */ |
560 | | OSSL_CMP_POPODECKEYCHALLCONTENT *popdecc; /* 5 */ |
561 | | /*- |
562 | | * popdecr [6] POPODecKeyRespContent, --pop Response |
563 | | * |
564 | | * POPODecKeyRespContent ::= SEQUENCE OF INTEGER |
565 | | */ |
566 | | OSSL_CMP_POPODECKEYRESPCONTENT *popdecr; /* 6 */ |
567 | | OSSL_CRMF_MSGS *kur; /* 7 */ |
568 | | OSSL_CMP_CERTREPMESSAGE *kup; /* 8 */ |
569 | | OSSL_CRMF_MSGS *krr; /* 9 */ |
570 | | |
571 | | /*- |
572 | | * krp [10] KeyRecRepContent, --Key Recovery Response |
573 | | */ |
574 | | OSSL_CMP_KEYRECREPCONTENT *krp; /* 10 */ |
575 | | /*- |
576 | | * rr [11] RevReqContent, --Revocation Request |
577 | | */ |
578 | | OSSL_CMP_REVREQCONTENT *rr; /* 11 */ |
579 | | /*- |
580 | | * rp [12] RevRepContent, --Revocation Response |
581 | | */ |
582 | | OSSL_CMP_REVREPCONTENT *rp; /* 12 */ |
583 | | /*- |
584 | | * ccr [13] CertReqMessages, --Cross-Cert. Request |
585 | | */ |
586 | | OSSL_CRMF_MSGS *ccr; /* 13 */ |
587 | | /*- |
588 | | * ccp [14] CertRepMessage, --Cross-Cert. Response |
589 | | */ |
590 | | OSSL_CMP_CERTREPMESSAGE *ccp; /* 14 */ |
591 | | /*- |
592 | | * ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. |
593 | | */ |
594 | | OSSL_CMP_CAKEYUPDANNCONTENT *ckuann; /* 15 */ |
595 | | /*- |
596 | | * cann [16] CertAnnContent, --Certificate Ann. |
597 | | * OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly |
598 | | */ |
599 | | X509 *cann; /* 16 */ |
600 | | /*- |
601 | | * rann [17] RevAnnContent, --Revocation Ann. |
602 | | */ |
603 | | OSSL_CMP_REVANNCONTENT *rann; /* 17 */ |
604 | | /*- |
605 | | * crlann [18] CRLAnnContent, --CRL Announcement |
606 | | * CRLAnnContent ::= SEQUENCE OF CertificateList |
607 | | */ |
608 | | OSSL_CMP_CRLANNCONTENT *crlann; /* 18 */ |
609 | | /*- |
610 | | * PKIConfirmContent ::= NULL |
611 | | * pkiconf [19] PKIConfirmContent, --Confirmation |
612 | | * OSSL_CMP_PKICONFIRMCONTENT would be only a typedef of ASN1_NULL |
613 | | * OSSL_CMP_CONFIRMCONTENT *pkiconf; |
614 | | * |
615 | | * NOTE: this should ASN1_NULL according to the RFC |
616 | | * but there might be a struct in it when sent from faulty servers... |
617 | | */ |
618 | | ASN1_TYPE *pkiconf; /* 19 */ |
619 | | /*- |
620 | | * nested [20] NestedMessageContent, --Nested Message |
621 | | * NestedMessageContent ::= PKIMessages |
622 | | */ |
623 | | OSSL_CMP_MSGS *nested; /* 20 */ |
624 | | /*- |
625 | | * genm [21] GenMsgContent, --General Message |
626 | | * GenMsgContent ::= SEQUENCE OF InfoTypeAndValue |
627 | | */ |
628 | | OSSL_CMP_GENMSGCONTENT *genm; /* 21 */ |
629 | | /*- |
630 | | * genp [22] GenRepContent, --General Response |
631 | | * GenRepContent ::= SEQUENCE OF InfoTypeAndValue |
632 | | */ |
633 | | OSSL_CMP_GENREPCONTENT *genp; /* 22 */ |
634 | | /*- |
635 | | * error [23] ErrorMsgContent, --Error Message |
636 | | */ |
637 | | OSSL_CMP_ERRORMSGCONTENT *error; /* 23 */ |
638 | | /*- |
639 | | * certConf [24] CertConfirmContent, --Certificate confirm |
640 | | */ |
641 | | OSSL_CMP_CERTCONFIRMCONTENT *certConf; /* 24 */ |
642 | | /*- |
643 | | * pollReq [25] PollReqContent, --Polling request |
644 | | */ |
645 | | OSSL_CMP_POLLREQCONTENT *pollReq; /* 25 */ |
646 | | /*- |
647 | | * pollRep [26] PollRepContent --Polling response |
648 | | */ |
649 | | OSSL_CMP_POLLREPCONTENT *pollRep; /* 26 */ |
650 | | } value; |
651 | | } OSSL_CMP_PKIBODY; |
652 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY) |
653 | | |
654 | | /*- |
655 | | * PKIProtection ::= BIT STRING |
656 | | * |
657 | | * PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage |
658 | | * |
659 | | * PKIMessage ::= SEQUENCE { |
660 | | * header PKIHeader, |
661 | | * body PKIBody, |
662 | | * protection [0] PKIProtection OPTIONAL, |
663 | | * extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate |
664 | | * OPTIONAL |
665 | | * } |
666 | | */ |
667 | | struct ossl_cmp_msg_st { |
668 | | OSSL_CMP_PKIHEADER *header; |
669 | | OSSL_CMP_PKIBODY *body; |
670 | | ASN1_BIT_STRING *protection; /* 0 */ |
671 | | /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ |
672 | | STACK_OF(X509) *extraCerts; /* 1 */ |
673 | | OSSL_LIB_CTX *libctx; |
674 | | char *propq; |
675 | | } /* OSSL_CMP_MSG */; |
676 | | OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq); |
677 | | void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg); |
678 | | |
679 | | /*- |
680 | | * ProtectedPart ::= SEQUENCE { |
681 | | * header PKIHeader, |
682 | | * body PKIBody |
683 | | * } |
684 | | */ |
685 | | typedef struct ossl_cmp_protectedpart_st { |
686 | | OSSL_CMP_PKIHEADER *header; |
687 | | OSSL_CMP_PKIBODY *body; |
688 | | } OSSL_CMP_PROTECTEDPART; |
689 | | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PROTECTEDPART) |
690 | | |
691 | | /*- |
692 | | * this is not defined here as it is already in CRMF: |
693 | | * id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13} |
694 | | * PBMParameter ::= SEQUENCE { |
695 | | * salt OCTET STRING, |
696 | | * -- note: implementations MAY wish to limit acceptable sizes |
697 | | * -- of this string to values appropriate for their environment |
698 | | * -- in order to reduce the risk of denial-of-service attacks |
699 | | * owf AlgorithmIdentifier, |
700 | | * -- AlgId for a One-Way Function (SHA-1 recommended) |
701 | | * iterationCount INTEGER, |
702 | | * -- number of times the OWF is applied |
703 | | * -- note: implementations MAY wish to limit acceptable sizes |
704 | | * -- of this integer to values appropriate for their environment |
705 | | * -- in order to reduce the risk of denial-of-service attacks |
706 | | * mac AlgorithmIdentifier |
707 | | * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], |
708 | | * } -- or HMAC [RFC2104, RFC2202]) |
709 | | */ |
710 | | /*- |
711 | | * id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30} |
712 | | * DHBMParameter ::= SEQUENCE { |
713 | | * owf AlgorithmIdentifier, |
714 | | * -- AlgId for a One-Way Function (SHA-1 recommended) |
715 | | * mac AlgorithmIdentifier |
716 | | * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], |
717 | | * } -- or HMAC [RFC2104, RFC2202]) |
718 | | */ |
719 | | /*- |
720 | | * The following is not cared for, because it is described in section 5.2.5 |
721 | | * that this is beyond the scope of CMP |
722 | | * OOBCert ::= CMPCertificate |
723 | | * |
724 | | * OOBCertHash ::= SEQUENCE { |
725 | | * hashAlg [0] AlgorithmIdentifier OPTIONAL, |
726 | | * certId [1] CertId OPTIONAL, |
727 | | * hashVal BIT STRING |
728 | | * -- hashVal is calculated over the DER encoding of the |
729 | | * -- self-signed certificate with the identifier certID. |
730 | | * } |
731 | | */ |
732 | | |
733 | | /* from cmp_asn.c */ |
734 | | int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a); |
735 | | |
736 | | /* from cmp_util.c */ |
737 | | const char *ossl_cmp_log_parse_metadata(const char *buf, |
738 | | OSSL_CMP_severity *level, char **func, |
739 | | char **file, int *line); |
740 | | # define ossl_cmp_add_error_data(txt) ERR_add_error_txt(" : ", txt) |
741 | | # define ossl_cmp_add_error_line(txt) ERR_add_error_txt("\n", txt) |
742 | | /* The two functions manipulating X509_STORE could be generally useful */ |
743 | | int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs, |
744 | | int only_self_issued); |
745 | | STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store); |
746 | | int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk, |
747 | | const char *text, int len); |
748 | | int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt, |
749 | | const ASN1_OCTET_STRING *src); |
750 | | int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt, |
751 | | const unsigned char *bytes, int len); |
752 | | |
753 | | /* from cmp_ctx.c */ |
754 | | int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx, |
755 | | const char *func, const char *file, int line, |
756 | | const char *level_str, const char *format, ...); |
757 | | # define ossl_cmp_log(level, ctx, msg) \ |
758 | 6.84k | ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \ |
759 | 6.84k | OPENSSL_LINE, #level, "%s", msg) |
760 | | # define ossl_cmp_log1(level, ctx, fmt, arg1) \ |
761 | 10.5k | ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \ |
762 | 10.5k | OPENSSL_LINE, #level, fmt, arg1) |
763 | | # define ossl_cmp_log2(level, ctx, fmt, arg1, arg2) \ |
764 | 0 | ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \ |
765 | 0 | OPENSSL_LINE, #level, fmt, arg1, arg2) |
766 | | # define ossl_cmp_log3(level, ctx, fmt, arg1, arg2, arg3) \ |
767 | 0 | ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \ |
768 | 0 | OPENSSL_LINE, #level, fmt, arg1, arg2, arg3) |
769 | | # define ossl_cmp_log4(level, ctx, fmt, arg1, arg2, arg3, arg4) \ |
770 | | ossl_cmp_print_log(OSSL_CMP_LOG_##level, ctx, OPENSSL_FUNC, OPENSSL_FILE, \ |
771 | | OPENSSL_LINE, #level, fmt, arg1, arg2, arg3, arg4) |
772 | 0 | # define OSSL_CMP_LOG_ERROR OSSL_CMP_LOG_ERR |
773 | 188 | # define OSSL_CMP_LOG_WARN OSSL_CMP_LOG_WARNING |
774 | | # define ossl_cmp_alert(ctx, msg) ossl_cmp_log(ALERT, ctx, msg) |
775 | 0 | # define ossl_cmp_err(ctx, msg) ossl_cmp_log(ERROR, ctx, msg) |
776 | 188 | # define ossl_cmp_warn(ctx, msg) ossl_cmp_log(WARN, ctx, msg) |
777 | 617 | # define ossl_cmp_info(ctx, msg) ossl_cmp_log(INFO, ctx, msg) |
778 | 722 | # define ossl_cmp_debug(ctx, msg) ossl_cmp_log(DEBUG, ctx, msg) |
779 | | # define ossl_cmp_trace(ctx, msg) ossl_cmp_log(TRACE, ctx, msg) |
780 | | int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert); |
781 | | int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status); |
782 | | int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx, |
783 | | OSSL_CMP_PKIFREETEXT *text); |
784 | | int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info); |
785 | | int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert); |
786 | | int ossl_cmp_ctx_set1_newChain(OSSL_CMP_CTX *ctx, STACK_OF(X509) *newChain); |
787 | | int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs); |
788 | | int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx, |
789 | | STACK_OF(X509) *extraCertsIn); |
790 | | int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx, |
791 | | const ASN1_OCTET_STRING *nonce); |
792 | | EVP_PKEY *ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX *ctx); |
793 | | |
794 | | /* from cmp_status.c */ |
795 | | int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si); |
796 | | const char *ossl_cmp_PKIStatus_to_string(int status); |
797 | | OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI *s); |
798 | | int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si); |
799 | | int ossl_cmp_pkisi_check_pkifailureinfo(const OSSL_CMP_PKISI *si, int index); |
800 | | |
801 | | /* from cmp_hdr.c */ |
802 | | int ossl_cmp_hdr_set_pvno(OSSL_CMP_PKIHEADER *hdr, int pvno); |
803 | | int ossl_cmp_hdr_get_pvno(const OSSL_CMP_PKIHEADER *hdr); |
804 | | int ossl_cmp_hdr_get_protection_nid(const OSSL_CMP_PKIHEADER *hdr); |
805 | | ASN1_OCTET_STRING *ossl_cmp_hdr_get0_senderNonce(const OSSL_CMP_PKIHEADER *hdr); |
806 | | int ossl_cmp_general_name_is_NULL_DN(GENERAL_NAME *name); |
807 | | int ossl_cmp_hdr_set1_sender(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm); |
808 | | int ossl_cmp_hdr_set1_recipient(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm); |
809 | | int ossl_cmp_hdr_update_messageTime(OSSL_CMP_PKIHEADER *hdr); |
810 | | int ossl_cmp_hdr_set1_senderKID(OSSL_CMP_PKIHEADER *hdr, |
811 | | const ASN1_OCTET_STRING *senderKID); |
812 | | int ossl_cmp_hdr_push0_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text); |
813 | | int ossl_cmp_hdr_push1_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text); |
814 | | int ossl_cmp_hdr_generalInfo_push0_item(OSSL_CMP_PKIHEADER *hdr, |
815 | | OSSL_CMP_ITAV *itav); |
816 | | int ossl_cmp_hdr_generalInfo_push1_items(OSSL_CMP_PKIHEADER *hdr, |
817 | | const STACK_OF(OSSL_CMP_ITAV) *itavs); |
818 | | int ossl_cmp_hdr_set_implicitConfirm(OSSL_CMP_PKIHEADER *hdr); |
819 | | int ossl_cmp_hdr_has_implicitConfirm(const OSSL_CMP_PKIHEADER *hdr); |
820 | 5.21k | # define OSSL_CMP_TRANSACTIONID_LENGTH 16 |
821 | 5.62k | # define OSSL_CMP_SENDERNONCE_LENGTH 16 |
822 | | int ossl_cmp_hdr_set_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr); |
823 | | int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr); |
824 | | |
825 | | /* from cmp_msg.c */ |
826 | | /* OSSL_CMP_MSG bodytype ASN.1 choice IDs */ |
827 | 384 | # define OSSL_CMP_PKIBODY_IR 0 |
828 | 98 | # define OSSL_CMP_PKIBODY_IP 1 |
829 | 1.78k | # define OSSL_CMP_PKIBODY_CR 2 |
830 | 902 | # define OSSL_CMP_PKIBODY_CP 3 |
831 | 4.58k | # define OSSL_CMP_PKIBODY_P10CR 4 |
832 | | # define OSSL_CMP_PKIBODY_POPDECC 5 |
833 | | # define OSSL_CMP_PKIBODY_POPDECR 6 |
834 | 2.42k | # define OSSL_CMP_PKIBODY_KUR 7 |
835 | 102 | # define OSSL_CMP_PKIBODY_KUP 8 |
836 | | # define OSSL_CMP_PKIBODY_KRR 9 |
837 | | # define OSSL_CMP_PKIBODY_KRP 10 |
838 | 1.14k | # define OSSL_CMP_PKIBODY_RR 11 |
839 | 30 | # define OSSL_CMP_PKIBODY_RP 12 |
840 | | # define OSSL_CMP_PKIBODY_CCR 13 |
841 | 11 | # define OSSL_CMP_PKIBODY_CCP 14 |
842 | | # define OSSL_CMP_PKIBODY_CKUANN 15 |
843 | | # define OSSL_CMP_PKIBODY_CANN 16 |
844 | | # define OSSL_CMP_PKIBODY_RANN 17 |
845 | | # define OSSL_CMP_PKIBODY_CRLANN 18 |
846 | 8 | # define OSSL_CMP_PKIBODY_PKICONF 19 |
847 | | # define OSSL_CMP_PKIBODY_NESTED 20 |
848 | 1.35k | # define OSSL_CMP_PKIBODY_GENM 21 |
849 | 236 | # define OSSL_CMP_PKIBODY_GENP 22 |
850 | 31.9k | # define OSSL_CMP_PKIBODY_ERROR 23 |
851 | 8 | # define OSSL_CMP_PKIBODY_CERTCONF 24 |
852 | 409 | # define OSSL_CMP_PKIBODY_POLLREQ 25 |
853 | 5.44k | # define OSSL_CMP_PKIBODY_POLLREP 26 |
854 | 5.31k | # define OSSL_CMP_PKIBODY_TYPE_MAX OSSL_CMP_PKIBODY_POLLREP |
855 | | /* certReqId for the first - and so far only - certificate request */ |
856 | 725 | # define OSSL_CMP_CERTREQID 0 |
857 | 682 | # define OSSL_CMP_CERTREQID_NONE -1 |
858 | 5.31k | # define OSSL_CMP_CERTREQID_INVALID -2 |
859 | | /* sequence id for the first - and so far only - revocation request */ |
860 | 37 | # define OSSL_CMP_REVREQSID 0 |
861 | | int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx, |
862 | | const char *propq); |
863 | | const char *ossl_cmp_bodytype_to_string(int type); |
864 | | int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type); |
865 | | OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype); |
866 | | OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype, |
867 | | const OSSL_CRMF_MSG *crm); |
868 | | OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, |
869 | | int certReqId, const OSSL_CMP_PKISI *si, |
870 | | X509 *cert, const X509 *encryption_recip, |
871 | | STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, |
872 | | int unprotectedErrors); |
873 | | OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx); |
874 | | OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, |
875 | | const OSSL_CRMF_CERTID *cid, |
876 | | int unprotectedErrors); |
877 | | OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx); |
878 | | OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, |
879 | | int64_t poll_after); |
880 | | int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav); |
881 | | int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg, |
882 | | const STACK_OF(OSSL_CMP_ITAV) *itavs); |
883 | | OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx); |
884 | | OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx, |
885 | | const STACK_OF(OSSL_CMP_ITAV) *itavs); |
886 | | OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, |
887 | | int64_t errorCode, const char *details, |
888 | | int unprotected); |
889 | | int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus, |
890 | | ASN1_OCTET_STRING *hash); |
891 | | OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int certReqId, |
892 | | int fail_info, const char *text); |
893 | | OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid); |
894 | | OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, |
895 | | int64_t poll_after); |
896 | | OSSL_CMP_PKISI * |
897 | | ossl_cmp_revrepcontent_get_pkisi(OSSL_CMP_REVREPCONTENT *rrep, int rsid); |
898 | | OSSL_CRMF_CERTID *ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rc, |
899 | | int rsid); |
900 | | OSSL_CMP_POLLREP * |
901 | | ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc, |
902 | | int rid); |
903 | | OSSL_CMP_CERTRESPONSE * |
904 | | ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm, |
905 | | int rid); |
906 | | X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx, |
907 | | const OSSL_CMP_CERTRESPONSE *crep); |
908 | | OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file); |
909 | | |
910 | | /* from cmp_protect.c */ |
911 | | int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); |
912 | | ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx, |
913 | | const OSSL_CMP_MSG *msg); |
914 | | int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); |
915 | | |
916 | | /* from cmp_vfy.c */ |
917 | | typedef int (*ossl_cmp_allow_unprotected_cb_t)(const OSSL_CMP_CTX *ctx, |
918 | | const OSSL_CMP_MSG *msg, |
919 | | int invalid_protection, int arg); |
920 | | int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, |
921 | | ossl_cmp_allow_unprotected_cb_t cb, int cb_arg); |
922 | | int ossl_cmp_msg_check_received(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, |
923 | | ossl_cmp_allow_unprotected_cb_t cb, int cb_arg); |
924 | | int ossl_cmp_verify_popo(const OSSL_CMP_CTX *ctx, |
925 | | const OSSL_CMP_MSG *msg, int accept_RAVerified); |
926 | | |
927 | | /* from cmp_client.c */ |
928 | | int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId, |
929 | | int fail_info, const char *txt); |
930 | | int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info, |
931 | | const char *txt, int errorCode, const char *detail); |
932 | | |
933 | | #endif /* !defined(OSSL_CRYPTO_CMP_LOCAL_H) */ |