Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL

Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712) CMP and CRMF API is added to libcrypto, and the "cmp" app to the openssl CLI. Adds extensive man pages and tests. Integration into build scripts. Incremental pull request based on OpenSSL commit 8869ad4a39f of 2019-04-02 4th chunk: CMP context/parameters and utilities in crypto/cmp/cmp_ctx.c, crypto/cmp/cmp_util.c, and related files Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9107)
author: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2019-08-10 14:07:22 +0200
committer: Matt Caswell <matt@openssl.org> 2019-09-27 10:53:11 +0100
commit: 7960dbec6801c1c98c848b81ca00e73625e8970b (patch)
tree: 58045a9618ce5668f8b95b966810a35b3285deb3 /include
parent: 0c452a51a5dfe061e5080ae484f1cd06772d8f47 (diff)
6 files changed, 221 insertions, 29 deletions
diff --git a/include/openssl/cmp.h b/include/openssl/cmp.h
index 3d9c3d4d37..1a628dbd62 100644
--- a/include/openssl/cmp.h
+++ b/include/openssl/cmp.h
@@ -1,4 +1,4 @@
-/*-
+/*
  * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Nokia 2007-2019
  * Copyright Siemens AG 2015-2019
@@ -7,8 +7,6 @@
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at
  * https://www.openssl.org/source/license.html
- *
- * CMP (RFC 4210) implementation by M. Peylo, M. Viljanen, and D. von Oheimb.
  */
 
 #ifndef OSSL_HEADER_CMP_H
@@ -19,6 +17,7 @@
 
 #  include <openssl/crmf.h>
 #  include <openssl/cmperr.h>
+#  include <openssl/cmp_util.h>
 
 /* explicit #includes not strictly needed since implied by the above: */
 #  include <openssl/ossl_typ.h>
@@ -203,26 +202,30 @@ DECLARE_ASN1_ITEM(OSSL_CMP_PKISTATUS)
 #  define OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT 1
 
 /* data type declarations */
-typedef struct OSSL_cmp_ctx_st OSSL_CMP_CTX;
-typedef struct OSSL_cmp_pkiheader_st OSSL_CMP_PKIHEADER;
+typedef struct ossl_cmp_ctx_st OSSL_CMP_CTX;
+typedef struct ossl_cmp_pkiheader_st OSSL_CMP_PKIHEADER;
 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
-typedef struct OSSL_cmp_msg_st OSSL_CMP_MSG;
+typedef struct ossl_cmp_msg_st OSSL_CMP_MSG;
 DECLARE_ASN1_ENCODE_FUNCTIONS(OSSL_CMP_MSG, OSSL_CMP_MSG, OSSL_CMP_MSG)
-typedef struct OSSL_cmp_certstatus_st OSSL_CMP_CERTSTATUS;
+typedef struct ossl_cmp_certstatus_st OSSL_CMP_CERTSTATUS;
 DEFINE_STACK_OF(OSSL_CMP_CERTSTATUS)
-typedef struct OSSL_cmp_itav_st OSSL_CMP_ITAV;
+typedef struct ossl_cmp_itav_st OSSL_CMP_ITAV;
 DEFINE_STACK_OF(OSSL_CMP_ITAV)
-typedef struct OSSL_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT;
-typedef struct OSSL_cmp_pkisi_st OSSL_CMP_PKISI;
+typedef struct ossl_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT;
+typedef struct ossl_cmp_pkisi_st OSSL_CMP_PKISI;
 DEFINE_STACK_OF(OSSL_CMP_PKISI)
-typedef struct OSSL_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE;
+typedef struct ossl_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE;
 DEFINE_STACK_OF(OSSL_CMP_CERTREPMESSAGE)
-typedef struct OSSL_cmp_pollrep_st OSSL_CMP_POLLREP;
+typedef struct ossl_cmp_pollrep_st OSSL_CMP_POLLREP;
 typedef STACK_OF(OSSL_CMP_POLLREP) OSSL_CMP_POLLREPCONTENT;
-typedef struct OSSL_cmp_certresponse_st OSSL_CMP_CERTRESPONSE;
+typedef struct ossl_cmp_certresponse_st OSSL_CMP_CERTRESPONSE;
 DEFINE_STACK_OF(OSSL_CMP_CERTRESPONSE)
 typedef STACK_OF(ASN1_UTF8STRING) OSSL_CMP_PKIFREETEXT;
 
+/*
+ * function DECLARATIONS
+ */
+
 /* from cmp_asn.c */
 OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value);
 void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
@@ -233,8 +236,106 @@ int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
                                    OSSL_CMP_ITAV *itav);
 void OSSL_CMP_ITAV_free(OSSL_CMP_ITAV *itav);
 void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg);
-void OSSL_CMP_PKISI_free(OSSL_CMP_PKISI *si);
-DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
+
+/* from cmp_ctx.c */
+OSSL_CMP_CTX *OSSL_CMP_CTX_new(void);
+void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx);
+int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx);
+/* various CMP options: */
+#  define OSSL_CMP_OPT_LOG_VERBOSITY 0
+#  define OSSL_CMP_OPT_MSGTIMEOUT 1
+#  define OSSL_CMP_OPT_TOTALTIMEOUT 2
+#  define OSSL_CMP_OPT_VALIDITYDAYS 3
+#  define OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT 4
+#  define OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL 5
+#  define OSSL_CMP_OPT_POLICIES_CRITICAL 6
+#  define OSSL_CMP_OPT_POPOMETHOD 7
+#  define OSSL_CMP_OPT_DIGEST_ALGNID 8
+#  define OSSL_CMP_OPT_OWF_ALGNID 9
+#  define OSSL_CMP_OPT_MAC_ALGNID 10
+#  define OSSL_CMP_OPT_REVOCATION_REASON 11
+#  define OSSL_CMP_OPT_IMPLICITCONFIRM 12
+#  define OSSL_CMP_OPT_DISABLECONFIRM 13
+#  define OSSL_CMP_OPT_UNPROTECTED_SEND 14
+#  define OSSL_CMP_OPT_UNPROTECTED_ERRORS 15
+#  define OSSL_CMP_OPT_IGNORE_KEYUSAGE 16
+#  define OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR 17
+int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val);
+int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt);
+/* CMP-specific callback for logging and outputting the error queue: */
+int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_log_cb_t cb);
+#define OSSL_CMP_CTX_set_log_verbosity(ctx, level) \
+    OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_LOG_VERBOSITY, level)
+void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx);
+/* message transfer: */
+int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path);
+int OSSL_CMP_CTX_set1_serverName(OSSL_CMP_CTX *ctx, const char *name);
+int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port);
+int OSSL_CMP_CTX_set1_proxyName(OSSL_CMP_CTX *ctx, const char *name);
+int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port);
+#  define OSSL_CMP_DEFAULT_PORT 80
+typedef BIO *(*OSSL_cmp_http_cb_t) (OSSL_CMP_CTX *ctx, BIO *hbio,
+                                    unsigned long detail);
+int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_http_cb_t cb);
+int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
+void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx);
+typedef int (*OSSL_cmp_transfer_cb_t) (OSSL_CMP_CTX *ctx,
+                                       const OSSL_CMP_MSG *req,
+                                       OSSL_CMP_MSG **res);
+int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_transfer_cb_t cb);
+int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
+void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx);
+/* server authentication: */
+int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX *ctx, X509 *cert);
+int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx, const X509_NAME *name);
+int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store);
+X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx);
+int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
+STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx);
+/* client authentication: */
+int OSSL_CMP_CTX_set1_clCert(OSSL_CMP_CTX *ctx, X509 *cert);
+int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
+int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
+                                     const unsigned char *ref, int len);
+int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
+                                  const int len);
+/* CMP message header and extra certificates: */
+int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name);
+int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
+int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
+                                    STACK_OF(X509) *extraCertsOut);
+/* certificate template: */
+int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey);
+EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv);
+int OSSL_CMP_CTX_set1_issuer(OSSL_CMP_CTX *ctx, const X509_NAME *name);
+int OSSL_CMP_CTX_set1_subjectName(OSSL_CMP_CTX *ctx, const X509_NAME *name);
+int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx, const GENERAL_NAME *name);
+int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts);
+int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx);
+int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo);
+int OSSL_CMP_CTX_set1_oldCert(OSSL_CMP_CTX *ctx, X509 *cert);
+int OSSL_CMP_CTX_set1_p10CSR(OSSL_CMP_CTX *ctx, const X509_REQ *csr);
+/* misc body contents: */
+int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
+/* certificate confirmation: */
+typedef int (*OSSL_cmp_certConf_cb_t) (OSSL_CMP_CTX *ctx, X509 *cert,
+                                       int fail_info, const char **txt);
+int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_certConf_cb_t cb);
+int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
+void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx);
+/* result fetching: */
+int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx);
+OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx);
+int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx);
+#  define OSSL_CMP_PKISI_BUFLEN 1024
+X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx);
+STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx);
+STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx);
+/* support application-level CMP debugging in cmp.c: */
+int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
+                                    const ASN1_OCTET_STRING *id);
+int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
+                                  const ASN1_OCTET_STRING *nonce);
 
 #   ifdef  __cplusplus
 }
diff --git a/include/openssl/cmp_util.h b/include/openssl/cmp_util.h
new file mode 100644
index 0000000000..5e06a3aaae
--- /dev/null
+++ b/include/openssl/cmp_util.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_HEADER_CMP_UTIL_H
+# define OSSL_HEADER_CMP_UTIL_H
+
+# include <openssl/opensslconf.h>
+# ifndef OPENSSL_NO_CMP
+
+#  include <openssl/macros.h>
+#  include <openssl/trace.h>
+#  include <openssl/x509.h>
+
+#  ifdef  __cplusplus
+extern "C" {
+#  endif
+
+/*
+ * convenience functions for CMP-specific logging via the trace API
+ */
+
+int  OSSL_CMP_log_open(void);
+void OSSL_CMP_log_close(void);
+#  define OSSL_CMP_LOG_PREFIX "CMP "
+/* in OSSL_CMP_LOG_START, cannot use OPENSSL_FUNC when expands to __func__ */
+#  define OSSL_CMP_LOG_START "%s:" OPENSSL_FILE ":" \
+                             OPENSSL_MSTR(OPENSSL_LINE) ":" OSSL_CMP_LOG_PREFIX
+#  define OSSL_CMP_alert(msg) OSSL_CMP_log(ALERT, msg)
+#  define OSSL_CMP_err(msg)   OSSL_CMP_log(ERROR, msg)
+#  define OSSL_CMP_warn(msg)  OSSL_CMP_log(WARN, msg)
+#  define OSSL_CMP_info(msg)  OSSL_CMP_log(INFO, msg)
+#  define OSSL_CMP_debug(msg) OSSL_CMP_log(DEBUG, msg)
+#  define OSSL_CMP_log(level, msg) \
+    OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": %s\n", \
+                      OPENSSL_FUNC, msg))
+#  define OSSL_CMP_log1(level, fmt, arg1) \
+    OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \
+                      OPENSSL_FUNC, arg1))
+#  define OSSL_CMP_log2(level, fmt, arg1, arg2) \
+    OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \
+                      OPENSSL_FUNC, arg1, arg2))
+#  define OSSL_CMP_log3(level, fmt, arg1, arg2, arg3) \
+    OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \
+                      OPENSSL_FUNC, arg1, arg2, arg3))
+#  define OSSL_CMP_log4(level, fmt, arg1, arg2, arg3, arg4) \
+    OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \
+                      OPENSSL_FUNC, arg1, arg2, arg3, arg4))
+
+/*
+ * generalized logging/error callback mirroring the severity levels of syslog.h
+ */
+typedef int OSSL_CMP_severity;
+#  define OSSL_CMP_LOG_EMERG   0
+#  define OSSL_CMP_LOG_ALERT   1
+#  define OSSL_CMP_LOG_CRIT    2
+#  define OSSL_CMP_LOG_ERR     3
+#  define OSSL_CMP_LOG_WARNING 4
+#  define OSSL_CMP_LOG_NOTICE  5
+#  define OSSL_CMP_LOG_INFO    6
+#  define OSSL_CMP_LOG_DEBUG   7
+typedef int (*OSSL_cmp_log_cb_t)(const char *func, const char *file, int line,
+                                 OSSL_CMP_severity level, const char *msg);
+
+/* use of the logging callback for outputting error queue */
+void OSSL_CMP_print_errors_cb(OSSL_cmp_log_cb_t log_fn);
+
+#   ifdef  __cplusplus
+}
+#   endif
+# endif /* !defined OPENSSL_NO_CMP */
+#endif /* !defined OSSL_HEADER_CMP_UTIL_H */
diff --git a/include/openssl/cmperr.h b/include/openssl/cmperr.h
index 7b864c6b9c..18c56efbef 100644
--- a/include/openssl/cmperr.h
+++ b/include/openssl/cmperr.h
@@ -33,6 +33,10 @@ int ERR_load_CMP_strings(void);
 /*
  * CMP reason codes.
  */
+#  define CMP_R_INVALID_ARGS                               100
+#  define CMP_R_MULTIPLE_SAN_SOURCES                       102
+#  define CMP_R_NO_STDIO                                   194
+#  define CMP_R_NULL_ARGUMENT                              103
 
 # endif
 #endif
diff --git a/include/openssl/crmf.h b/include/openssl/crmf.h
index bc0c891cd6..1e34e56996 100644
--- a/include/openssl/crmf.h
+++ b/include/openssl/crmf.h
@@ -39,30 +39,30 @@ extern "C" {
 #  define OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT       0
 #  define OSSL_CRMF_SUBSEQUENTMESSAGE_CHALLENGERESP  1
 
-typedef struct OSSL_crmf_encryptedvalue_st OSSL_CRMF_ENCRYPTEDVALUE;
+typedef struct ossl_crmf_encryptedvalue_st OSSL_CRMF_ENCRYPTEDVALUE;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDVALUE)
-typedef struct OSSL_crmf_msg_st OSSL_CRMF_MSG;
+typedef struct ossl_crmf_msg_st OSSL_CRMF_MSG;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_MSG)
 DEFINE_STACK_OF(OSSL_CRMF_MSG)
-typedef struct OSSL_crmf_attributetypeandvalue_st OSSL_CRMF_ATTRIBUTETYPEANDVALUE;
-typedef struct OSSL_crmf_pbmparameter_st OSSL_CRMF_PBMPARAMETER;
+typedef struct ossl_crmf_attributetypeandvalue_st OSSL_CRMF_ATTRIBUTETYPEANDVALUE;
+typedef struct ossl_crmf_pbmparameter_st OSSL_CRMF_PBMPARAMETER;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PBMPARAMETER)
-typedef struct OSSL_crmf_poposigningkey_st OSSL_CRMF_POPOSIGNINGKEY;
-typedef struct OSSL_crmf_certrequest_st OSSL_CRMF_CERTREQUEST;
-typedef struct OSSL_crmf_certid_st OSSL_CRMF_CERTID;
+typedef struct ossl_crmf_poposigningkey_st OSSL_CRMF_POPOSIGNINGKEY;
+typedef struct ossl_crmf_certrequest_st OSSL_CRMF_CERTREQUEST;
+typedef struct ossl_crmf_certid_st OSSL_CRMF_CERTID;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTID)
 DEFINE_STACK_OF(OSSL_CRMF_CERTID)
 
-typedef struct OSSL_crmf_pkipublicationinfo_st OSSL_CRMF_PKIPUBLICATIONINFO;
+typedef struct ossl_crmf_pkipublicationinfo_st OSSL_CRMF_PKIPUBLICATIONINFO;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO)
-typedef struct OSSL_crmf_singlepubinfo_st OSSL_CRMF_SINGLEPUBINFO;
+typedef struct ossl_crmf_singlepubinfo_st OSSL_CRMF_SINGLEPUBINFO;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_SINGLEPUBINFO)
-typedef struct OSSL_crmf_certtemplate_st OSSL_CRMF_CERTTEMPLATE;
+typedef struct ossl_crmf_certtemplate_st OSSL_CRMF_CERTTEMPLATE;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTTEMPLATE)
 typedef STACK_OF(OSSL_CRMF_MSG) OSSL_CRMF_MSGS;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_MSGS)
 
-typedef struct OSSL_crmf_optionalvalidity_st OSSL_CRMF_OPTIONALVALIDITY;
+typedef struct ossl_crmf_optionalvalidity_st OSSL_CRMF_OPTIONALVALIDITY;
 
 /* crmf_pbm.c */
 OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
@@ -109,7 +109,7 @@ int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid);
 int OSSL_CRMF_MSG_get_certReqId(OSSL_CRMF_MSG *crm);
 int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, X509_EXTENSIONS *exts);
 
-int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, const X509_EXTENSION *ext);
+int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, X509_EXTENSION *ext);
 #  define OSSL_CRMF_POPO_NONE      -1
 #  define OSSL_CRMF_POPO_RAVERIFIED 0
 #  define OSSL_CRMF_POPO_SIGNATURE  1
@@ -122,6 +122,8 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
 OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm);
 ASN1_INTEGER *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(OSSL_CRMF_CERTTEMPLATE *t);
 X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl);
+X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
+ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
 int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
                                 EVP_PKEY *pubkey,
                                 const X509_NAME *subject,
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index 5fdff0884b..3a37f613ed 100644
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -26,7 +26,10 @@
  *        superseded              (4),
  *        cessationOfOperation    (5),
  *        certificateHold         (6),
- *        removeFromCRL           (8) }
+ *        -- value 7 is not used
+ *        removeFromCRL           (8),
+ *        privilegeWithdrawn      (9),
+ *        aACompromise           (10) }
  */
 #  define OCSP_REVOKED_STATUS_NOSTATUS               -1
 #  define OCSP_REVOKED_STATUS_UNSPECIFIED             0
@@ -37,6 +40,8 @@
 #  define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION    5
 #  define OCSP_REVOKED_STATUS_CERTIFICATEHOLD         6
 #  define OCSP_REVOKED_STATUS_REMOVEFROMCRL           8
+#  define OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN      9
+#  define OCSP_REVOKED_STATUS_AACOMPROMISE           10
 
 
 # ifndef OPENSSL_NO_OCSP
diff --git a/include/openssl/trace.h b/include/openssl/trace.h
index 79598ab63e..cc1888b579 100644
--- a/include/openssl/trace.h
+++ b/include/openssl/trace.h
@@ -49,7 +49,8 @@ extern "C" {
 # define OSSL_TRACE_CATEGORY_PKCS12_DECRYPT     10
 # define OSSL_TRACE_CATEGORY_X509V3_POLICY      11
 # define OSSL_TRACE_CATEGORY_BN_CTX             12
-# define OSSL_TRACE_CATEGORY_NUM                13
+# define OSSL_TRACE_CATEGORY_CMP                13
+# define OSSL_TRACE_CATEGORY_NUM                14
 
 /* Returns the trace category number for the given |name| */
 int OSSL_trace_get_category_num(const char *name);
author	Dr. David von Oheimb <David.von.Oheimb@siemens.com>	2019-08-10 14:07:22 +0200
committer	Matt Caswell <matt@openssl.org>	2019-09-27 10:53:11 +0100
commit	7960dbec6801c1c98c848b81ca00e73625e8970b (patch)
tree	58045a9618ce5668f8b95b966810a35b3285deb3 /include
parent	0c452a51a5dfe061e5080ae484f1cd06772d8f47 (diff)