Diffstat (limited to 'doc')
-rw-r--r-- | doc/internal/man3/ossl_cmp_hdr_init.pod | 6 | ||||
-rw-r--r-- | doc/internal/man3/ossl_cmp_mock_srv_new.pod | 85 | ||||
-rw-r--r-- | doc/internal/man3/ossl_cmp_pkisi_get_status.pod (renamed from doc/internal/man3/ossl_cmp_statusinfo_new.pod) | 53 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_CTX_new.pod | 50 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_CTX_snprint_PKIStatus.pod | 46 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_MSG_get0_header.pod | 17 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_SRV_CTX_new.pod | 159 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_STATUSINFO_new.pod | 66 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_X509_digest.pod | 36 | ||||
-rw-r--r-- | doc/man3/X509_dup.pod | 4 | ||||
-rw-r--r-- | doc/man3/d2i_X509.pod | 2 |
11 files changed, 424 insertions, 100 deletions
diff --git a/doc/internal/man3/ossl_cmp_hdr_init.pod b/doc/internal/man3/ossl_cmp_hdr_init.pod
index a7a4d87f09..31468a567b 100644
--- a/doc/internal/man3/ossl_cmp_hdr_init.pod
+++ b/doc/internal/man3/ossl_cmp_hdr_init.pod
@@ -14,7 +14,7 @@ ossl_cmp_hdr_push1_freeText,
 ossl_cmp_hdr_generalinfo_item_push0,
 ossl_cmp_hdr_generalinfo_items_push1,
 ossl_cmp_hdr_set_implicitConfirm,
-ossl_cmp_hdr_check_implicitConfirm,
+ossl_cmp_hdr_has_implicitConfirm,
 ossl_cmp_hdr_init
 - functions manipulating CMP message headers
 
@@ -41,7 +41,7 @@ ossl_cmp_hdr_init
 int ossl_cmp_hdr_push1_freeText(OSSL_CMP_PKIHEADER *hdr,
 ASN1_UTF8STRING *text);
 int ossl_cmp_hdr_set_implicitConfirm(OSSL_CMP_PKIHEADER *hdr);
- int ossl_cmp_hdr_check_implicitConfirm(OSSL_CMP_PKIHEADER *hdr);
+ int ossl_cmp_hdr_has_implicitConfirm(OSSL_CMP_PKIHEADER *hdr);
 int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr);
 
 =head1 DESCRIPTION
@@ -85,7 +85,7 @@ pointer.
 ossl_cmp_hdr_set_implicitConfirm() sets implicitConfirm in the generalInfo field
 of the PKIMessage header.
 
-ossl_cmp_hdr_check_implicitConfirm() returns 1 if implicitConfirm is
+ossl_cmp_hdr_has_implicitConfirm() returns 1 if implicitConfirm is
 set int generalInfo field of the given PKIMessage header, 0 if not.
 
 ossl_cmp_hdr_init() initializes a PKIHeader structure based on the
diff --git a/doc/internal/man3/ossl_cmp_mock_srv_new.pod b/doc/internal/man3/ossl_cmp_mock_srv_new.pod
new file mode 100644
index 0000000000..da1f44b391
--- /dev/null
+++ b/doc/internal/man3/ossl_cmp_mock_srv_new.pod
@@ -0,0 +1,85 @@
+=pod
+
+=head1 NAME
+
+ossl_cmp_mock_srv_new,
+ossl_cmp_mock_srv_free,
+ossl_cmp_mock_srv_set1_certOut,
+ossl_cmp_mock_srv_set1_chainOut,
+ossl_cmp_mock_srv_set1_caPubsOut,
+ossl_cmp_mock_srv_set_statusInfo,
+ossl_cmp_mock_srv_set_send_error,
+ossl_cmp_mock_srv_set_pollCount,
+ossl_cmp_mock_srv_set_checkAfterTime
+- functions used for testing with CMP mock server
+
+=head1 SYNOPSIS
+
+ #include <openssl/cmp.h>
+
+ OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(void);
+ void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx);
+
+ int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
+ int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
+ STACK_OF(X509) *chain);
+ int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
+ STACK_OF(X509) *caPubs);
+ int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
+ int fail_info, const char *text);
+ int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val);
+ int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count);
+ int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec);
+
+=head1 DESCRIPTION
+
+ossl_cmp_mock_srv_new() allocates the contexts for the CMP mock server.
+
+ossl_cmp_mock_srv_free() deallocates the contexts for the CMP mock server.
+
+OSSL_CMP_SRV_CTX_set1_certOut() sets the certificate to be returned in
+cp/ip/kup.
+
+OSSL_CMP_SRV_CTX_set1_chainOut() sets the certificate chain to be added to
+the extraCerts in a cp/ip/kup.
+It should to useful to validate B<certOut>.
+
+OSSL_CMP_SRV_CTX_set1_caPubsOut() sets the caPubs to be returned in an ip.
+
+OSSL_CMP_SRV_CTX_set_statusInfo() sets the status info to be returned.
+
+OSSL_CMP_SRV_CTX_set_send_error() enables enforcement of error responses.
+
+OSSL_CMP_SRV_CTX_set_pollCount() sets the number of polls before cert response.
+
+OSSL_CMP_SRV_CTX_set_checkAfterTime() sets the number of seconds
+the client should wait for the next poll.
+
+
+=head1 NOTES
+
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+
+=head1 RETURN VALUES
+
+ossl_cmp_mock_srv() returns a B<OSSL_CMP_SRV_CTX> structure on success,
+NULL on error.
+
+ossl_cmp_mock_srv_free() does not return a value.
+
+All other functions return 1 on success, 0 on error.
+
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/internal/man3/ossl_cmp_statusinfo_new.pod b/doc/internal/man3/ossl_cmp_pkisi_get_status.pod
index ee7dd35cf5..deca1aa2bb 100644
--- a/doc/internal/man3/ossl_cmp_statusinfo_new.pod
+++ b/doc/internal/man3/ossl_cmp_pkisi_get_status.pod
@@ -2,13 +2,11 @@
 
 =head1 NAME
 
-ossl_cmp_statusinfo_new,
-ossl_cmp_pkisi_pkistatus_get,
-ossl_cmp_pkisi_pkifailureinfo_get,
-ossl_cmp_pkisi_pkifailureinfo_check,
-ossl_cmp_pkisi_failinfo_get0,
-ossl_cmp_pkisi_statusstring_get0,
-ossl_pkisi_snprint
+ossl_cmp_pkisi_get_status,
+ossl_cmp_PKIStatus_to_string,
+ossl_cmp_pkisi_get0_statusString,
+ossl_cmp_pkisi_get_pkifailureinfo,
+ossl_cmp_pkisi_check_pkifailureinfo
 - functions for managing PKI status information
 
 =head1 SYNOPSIS
@@ -44,40 +42,27 @@ ossl_pkisi_snprint
 # define OSSL_CMP_PKIFAILUREINFO_duplicateCertReq 26
 # define OSSL_CMP_PKIFAILUREINFO_MAX 26
 
- OSSL_CMP_PKISI *ossl_cmp_statusinfo_new(int status, int fail_info,
- const char *text);
- int ossl_cmp_pkisi_pkistatus_get(OSSL_CMP_PKISI *si);
- int ossl_cmp_pkisi_pkifailureinfo_get(OSSL_CMP_PKISI *si);
- int ossl_cmp_pkisi_pkifailureinfo_check(OSSL_CMP_PKISI *si, int bit_index);
- OSSL_CMP_PKIFAILUREINFO *ossl_cmp_pkisi_failinfo_get0(const OSSL_CMP_PKISI *si);
- OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_statusstring_get0(const OSSL_CMP_PKISI *si);
- char *ossl_pkisi_snprint(OSSL_CMP_PKISI *si, char *buf, int bufsize);
+ int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si);
+ const char *ossl_cmp_PKIStatus_to_string(int status);
+ OSSL_CMP_PK
IFREETEXT *ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI *si);
+ int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si);
+ int ossl_cmp_pkisi_check_pkifailureinfo(const OSSL_CMP_PKISI *si, int index);
 
 =head1 DESCRIPTION
 
-ossl_cmp_statusinfo_new() creates a new PKIStatusInfo structure and fills it
-with the given values. It sets the status field to B<status>.
-If B<text> is not NULL, it is copied to statusString.
-B<fail_info> is is interpreted as bit pattern for the failInfo field.
-Returns a pointer to the structure on success, or NULL on error.
+ossl_cmp_pkisi_get_status() returns the PKIStatus of B<si>, or -1 on error.
 
-ossl_cmp_pkisi_pkistatus_get() returns the PKIStatus of B<si>, or -1 on error.
+ossl_cmp_PKIStatus_to_string() returns a human-readable string representing
+the PKIStatus values as specified in RFC 4210, Appendix F.
 
-ossl_cmp_pkisi_pkifailureinfo_get() returns the PKIFailureInfo bits
-of B<si>, encoded as integer, or -1 on error.
-
-ossl_cmp_pkisi_pkifailureinfo_check() returns the state of the bit (0 or 1)
-with index B<bit_index> in the PKIFailureInfo of the B<si>, or -1 on error.
-
-ossl_cmp_pkisi_failinfo_get0() returns a direct pointer to the failInfo
-field contained in B<si>, or NULL on error.
-
-ossl_cmp_pkisi_statusstring_get0() returns a direct pointer to the statusString
+ossl_cmp_pkisi_get0_statusString() returns a direct pointer to the statusString
 field contained in B<si>.
 
-ossl_pkisi_snprint() places at max B<bufsize> characters of human-readable
-error string of B<si> in pre-allocated B<buf>. Returns pointer to the same
-B<buf> containing the string, or NULL on error.
+ossl_cmp_pkisi_get_pkifailureinfo() returns the PKIFailureInfo bits
+of B<si>, encoded as integer, or -1 on error.
+
+ossl_cmp_pkisi_check_pkifailureinfo() returns the state of the bit (0 or 1)
+with index B<index> in the PKIFailureInfo of the B<si>, or -1 on error.
 
 =head1 NOTES
 
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index b10cfc4801..626f7d65af 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -239,7 +239,7 @@ The following options can be set:
 
 OSSL_CMP_OPT_MAC_ALGNID
 The MAC algorithm NID to be used in RFC 4210's MSG_MAC_ALG,
- if applicable used for message protection.
+ if applicable used for message protection.
 Default is HMAC-SHA1 as per RFC 4210.
 
 =item B<OSSL_CMP_OPT_REVOCATION_REASON>
@@ -404,20 +404,40 @@ The reference counts of those certificates handled successfully are increased.
 OSSL_CMP_CTX_get0_untrusted_certs(OSSL_CMP_CTX *ctx) returns a pointer to the
 list of untrusted certs, which my be empty if unset.
 
-OSSL_CMP_CTX_set1_clCert() sets the client certificate in the given
-OSSL_CMP_CTX structure. The client certificate will then be used by the
-functions to set the "sender" field for outgoing messages and it will be
-included in the extraCerts field.
-
-OSSL_CMP_CTX_set1_pkey() sets the private key corresponding to the client
-certificate set with B<OSSL_CMP_CTX_set1_clCert()> in the given CMP context.
-Used to create the protection in case of MSG_SIG_ALG.
-
-OSSL_CMP_CTX_set1_referenceValue() sets the given referenceValue in the given
-B<ctx> or clears it if the B<ref> argument is NULL.
-
-OSSL_CMP_CTX_set1_secretValue() sets the B<sec> with the length B<len> in the
-given B<ctx> or clears it if the B<sec> argument is NULL.
+OSSL_CMP_CTX_set1_clCert() sets the client certificate in the given B<ctx>.
+The public key of this B<clCert> must correspond to
+the private key set via B<OSSL_CMP_CTX_set1_pkey()>.
+When using signature-based protection of CMP request messages
+this "protection certificate" will be included first in the extraCerts field.
+The subject of this B<clCert> will be used as the "sender" field
+of outgoing CMP messages, with the fallback being
+the B<subjectName> set via B<OSSL_CMP_CTX_set1_subjectName()>.
+The B<cert> argument may be NULL to clear the entry.
+
+OSSL_CMP_CTX_set1_pkey() sets the private key corresponding to
+the client certificate B<clCert> set via B<OSSL_CMP_CTX_set1_clCert()>.
+This key is used create signature-based protection (protectionAlg = MSG_SIG_ALG)
+of outgoing messages
+unless a PBM secret has been set via B<OSSL_CMP_CTX_set1_secretValue()>.
+The B<pkey> argument may be NULL to clear the entry.
+
+OSSL_CMP_CTX_set1_secretValue() sets the byte string B<sec> with length B<len>
+as PBM secret in the given B<ctx> or clears it if the B<sec> argument is NULL.
+If present, this secret is used to create PBM-based protection of outgoing
+messages and to verify any PBM-based protection of incoming messages
+(protectionAlg = MSG_MAC_ALG). PBM stands for Password-Based MAC.
+PBM-based protection takes precedence over signature-based protection.
+
+OSSL_CMP_CTX_set1_referenceValue() sets the given referenceValue B<ref> with
+length B<len> in the given B<ctx> or clears it if the B<ref> argument is NULL.
+According to RFC 4210 section 5.1.1, if no value for the "sender" field in
+CMP message headers can be determined (i.e., no B<clCert> and no B<subjectName>
+is given) then the "sender" field will contain the NULL-DN
+and the senderKID field of the CMP message header must be set.
+When signature-based protection is used the senderKID will be set to
+the subjectKeyIdentifier of the <clCert> as far as present.
+If not present or when PBM-based protection is used
+the B<ref> value is taken as the fallback value for the senderKID.
 
 OSSL_CMP_CTX_set1_recipient() sets the recipient name that will be used in
 the PKIHeader of a request message, i.e. the X509 name of the (CA) server.
diff --git a/doc/man3/OSSL_CMP_CTX_snprint_PKIStatus.pod b/doc/man3/OSSL_CMP_CTX_snprint_PKIStatus.pod
deleted file mode 100644
index 3ae6831ee2..0000000000
--- a/doc/man3/OSSL_CMP_CTX_snprint_PKIStatus.pod
+++ /dev/null
@@ -1,46 +0,0 @@
-=pod
-
-=head1 NAME
-
-OSSL_CMP_CTX_snprint_PKIStatus
-- function(s) for managing the CMP PKIStatus
-
-=head1 SYNOPSIS
-
- #include <openssl/cmp.h>
-
- char *OSSL_CMP_CTX_snprint_PKIStatus(OSSL_CMP_CTX *ctx, char *buf, int bufsize);
-
-=head1 DESCRIPTION
-
-This is the PKIStatus API for using CMP (Certificate Management Protocol) with
-OpenSSL.
-
-OSSL_CMP_CTX_snprint_PKIStatus() takes the PKIStatusInfo components contained
-in the given CMP context and places a human-readable string created from them
-in the given buffer, with the given maximal length.
-On success it returns a copy of the buffer pointer containing the string.
-
-=head1 NOTES
-
-CMP is defined in RFC 4210 (and CRMF in RFC 4211).
-
-=head1 RETURN VALUES
-
-OSSL_CMP_CTX_snprint_PKIStatus()
-returns the intended pointer value as described above or NULL on error.
-
-=head1 HISTORY
-
-The OpenSSL CMP support was added in OpenSSL 3.0.
-
-=head1 COPYRIGHT
-
-Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
diff --git a/doc/man3/OSSL_CMP_MSG_get0_header.pod b/doc/man3/OSSL_CMP_MSG_get0_header.pod
index 3ed1140082..cee99cd00b 100644
--- a/doc/man3/OSSL_CMP_MSG_get0_header.pod
+++ b/doc/man3/OSSL_CMP_MSG_get0_header.pod
@@ -2,7 +2,9 @@
 
 =head1 NAME
 
-OSSL_CMP_MSG_get0_header
+OSSL_CMP_MSG_get0_header,
+OSSL_d2i_CMP_MSG_bio,
+OSSL_i2d_CMP_MSG_bio
 - function(s) manipulating CMP messages
 
 =head1 SYNOPSIS
@@ -10,20 +12,31 @@ OSSL_CMP_MSG_get0_header
 #include <openssl/cmp.h>
 
 OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg);
+ OSSL_CMP_MSG *OSSL_d2i_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg);
+ int OSSL_i2d_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg);
 
 =head1 DESCRIPTION
 
 OSSL_CMP_MSG_get0_header returns the header of the given CMP message.
 
+OSSL_d2i_CMP_MSG_bio parses an ASN.1-encoded OSSL_CMP_MSG from the BIO I<bio>.
+It assigns a pointer to the new structure to I<*msg> if I<msg> is not NULL.
+
+OSSL_i2d_CMP_MSG_bio writes the OSSL_CMP_MSG I<msg> in ASN.1 encoding to BIO I<bio>.
+
 =head1 NOTES
 
 CMP is defined in RFC 4210.
 
 =head1 RETURN VALUES
 
-CMP_MSG_get0_header() returns the intended pointer value as described above
+OSSL_CMP_MSG_get0_header() returns the intended pointer value as described above
 or NULL if the respective entry does not exist and on error.
 
+OSSL_d2i_CMP_MSG_bio() returns the parsed message or NULL on error.
+
+OSSL_i2d_CMP_MSG_bio() returns 1 on success or 0 on error.
+
 =head1 HISTORY
 
 The OpenSSL CMP support was added in OpenSSL 3.0.
diff --git a/doc/man3/OSSL_CMP_SRV_CTX_new.pod b/doc/man3/OSSL_CMP_SRV_CTX_new.pod
new file mode 100644
index 0000000000..45ac0174b7
--- /dev/null
+++ b/doc/man3/OSSL_CMP_SRV_CTX_new.pod
@@ -0,0 +1,159 @@
+=pod
+
+=head1 NAME
+
+OSSL_CMP_SRV_process_request,
+OSSL_CMP_CTX_server_perform,
+OSSL_CMP_SRV_CTX_new,
+OSSL_CMP_SRV_CTX_free,
+OSSL_CMP_SRV_cert_request_cb_t,
+OSSL_CMP_SRV_rr_cb_t,
+OSSL_CMP_SRV_certConf_cb_t,
+OSSL_CMP_SRV_genm_cb_t,
+OSSL_CMP_SRV_error_cb_t,
+OSSL_CMP_SRV_pollReq_cb_t,
+OSSL_CMP_SRV_CTX_init,
+OSSL_CMP_SRV_CTX_get0_cmp_ctx,
+OSSL_CMP_SRV_CTX_get0_custom_ctx,
+OSSL_CMP_SRV_CTX_set_send_unprotected_errors,
+OSSL_CMP_SRV_CTX_set_accept_unprotected,
+OSSL_CMP_SRV_CTX_set_accept_raverified,
+OSSL_CMP_SRV_CTX_set_grant_implicit_confirm
+- generic functions to set up and control a CMP server
+
+=head1 SYNOPSIS
+
+ #include <openssl/cmp.h>
+
+ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req);
+ OSSL_CMP_MSG *OSSL_CMP_CTX_server_perform(OSSL_CMP_CTX *client_ctx,
+ const OSSL_CMP_MSG *req);
+ OSSL_CMP_SRV_CTX *OSSL_CMP_SRV_CTX_new(void);
+ void OSSL_CMP_SRV_CTX_free(OSSL_CMP_SRV_CTX *srv_ctx);
+
+ typedef OSSL_CMP_PKISI *(*OSSL_CMP_SRV_cert_request_cb_t)(
+ OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req,
+ int certReqId,
+ const OSSL_CRMF_MSG *crm,
+ const X509_REQ *p10cr,
+ X509 **certOut,
+ STACK_OF(X509) **chainOut,
+ STACK_OF(X509) **caPubs);
+ typedef OSSL_CMP_PKISI *(*OSSL_CMP_SRV_rr_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req,
+ const X509_NAME *issuer,
+ const ASN1_INTEGER *serial);
+ typedef int (*OSSL_CMP_SRV_genm_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req,
+ STACK_OF(OSSL_CMP_ITAV) *in,
+ STACK_OF(OSSL_CMP_ITAV) **out);
+ typedef void (*OSSL_CMP_SRV_error_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req,
+ const OSSL_CMP_PKISI *statusInfo,
+ const ASN1_INTEGER *errorCode,
+ const OSSL_CMP_PKIFREETEXT *errorDetails);
+ typedef int (*OSSL_CMP_SRV_certConf_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req,
+ int certReqId,
+ const ASN1_OCTET_STRING *certHash,
+ const OSSL_CMP_PKISI *si);
+ typedef int
(*OSSL_CMP_SRV_pollReq_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req,
+ int certReqId,
+ OSSL_CMP_MSG **certReq,
+ int64_t *check_after);
+ int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX *srv_ctx, void *custom_ctx,
+ OSSL_CMP_SRV_cert_request_cb_t process_cert_request,
+ OSSL_CMP_SRV_rr_cb_t process_rr,
+ OSSL_CMP_SRV_genm_cb_t process_genm,
+ OSSL_CMP_SRV_error_cb_t process_error,
+ OSSL_CMP_SRV_certConf_cb_t process_certConf,
+ OSSL_CMP_SRV_pollReq_cb_t process_pollReq);
+
+ OSSL_CMP_CTX *OSSL_CMP_SRV_CTX_get0_cmp_ctx(const OSSL_CMP_SRV_CTX *srv_ctx);
+ void *OSSL_CMP_SRV_CTX_get0_custom_ctx(const OSSL_CMP_SRV_CTX *srv_ctx);
+
+ int OSSL_CMP_SRV_CTX_set_send_unprotected_errors(OSSL_CMP_SRV_CTX *srv_ctx,
+ int val);
+ int OSSL_CMP_SRV_CTX_set_accept_unprotected(OSSL_CMP_SRV_CTX *srv_ctx, int val);
+ int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val);
+ int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx,
+ int val);
+
+=head1 DESCRIPTION
+
+OSSL_CMP_SRV_process_request() implements the generic aspects of a CMP server.
+It does the typical generic checks on the given request message, calls
+the respective callback function (if present) for more specific processing,
+and then assembles a result message, which may be a CMP error message.
+
+OSSL_CMP_CTX_server_perform() is an interface to
+B<OSSL_CMP_SRV_process_request()> that can be used by a CMP client
+in the same way as B<OSSL_CMP_MSG_http_perform()>.
+The B<OSSL_CMP_SRV_CTX> must be set as B<transfer_cb_arg> of B<client_ctx>.
+
+OSSL_CMP_SRV_CTX_new() creates and initializes an OSSL_CMP_SRV_CTX structure
+and returns a pointer to it on success, NULL on error.
+
+OSSL_CMP_SRV_CTX_free() deletes the given B<srv_ctx>.
+
+OSSL_CMP_SRV_CTX_init() sets in the given B<srv_ctx> a custom server context
+pointer as well as callback functions performing the specific processing of CMP
+certificate requests, revocation requests, certificate confirmation requests,
+general messages, error messages, and poll requests.
+All arguments except B<srv_ctx> may be NULL.
+If a callback for some message type is not given this means that the respective
+type of CMP message is not supported by the server.
+
+OSSL_CMP_SRV_CTX_get0_cmp_ctx() returns the B<OSSL_CMP_CTX> from the B<srv_ctx>.
+
+OSSL_CMP_SRV_CTX_get0_custom_ctx() returns the custom server context from
+B<srv_ctx> that has been set using B<OSSL_CMP_SRV_CTX_init>.
+
+OSSL_CMP_SRV_CTX_set_send_unprotected_errors() enables sending error messages
+and other forms of negative responses unprotected.
+
+OSSL_CMP_SRV_CTX_set_accept_unprotected() enables acceptance of requests
+without protection of with invalid protection.
+
+OSSL_CMP_SRV_CTX_set_accept_raverified() enables acceptance of ir/cr/kur
+messages with POPO 'RAVerified'.
+
+OSSL_CMP_SRV_CTX_set_grant_implicit_confirm() enables granting implicit
+confirmation of newly enrolled certificates if requested.
+
+=head1 NOTES
+
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+
+=head1 RETURN VALUES
+
+OSSL_CMP_SRV_CTX_new() returns a B<OSSL_CMP_SRV_CTX> structure on success,
+NULL on error.
+
+OSSL_CMP_SRV_CTX_free() does not return a value.
+
+OSSL_CMP_SRV_CTX_get0_cmp_ctx() returns a B<OSSL_CMP_CTX> structure on success,
+NULL on error.
+
+OSSL_CMP_SRV_CTX_get0_custom_ctx() returns the custom server context
+that has been set using B<OSSL_CMP_SRV_CTX_init>.
+
+All other functions return 1 on success, 0 on error.
+
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").
You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/OSSL_CMP_STATUSINFO_new.pod b/doc/man3/OSSL_CMP_STATUSINFO_new.pod
new file mode 100644
index 0000000000..520a104d7e
--- /dev/null
+++ b/doc/man3/OSSL_CMP_STATUSINFO_new.pod
@@ -0,0 +1,66 @@
+=pod
+
+=head1 NAME
+
+OSSL_CMP_STATUSINFO_new,
+OSSL_CMP_snprint_PKIStatusInfo,
+OSSL_CMP_CTX_snprint_PKIStatus
+- function(s) for managing the CMP PKIStatus
+
+=head1 SYNOPSIS
+
+ #include <openssl/cmp.h>
+
+ OSSL_CMP_PKISI *OSSL_CMP_STATUSINFO_new(int status, int fail_info,
+ const char *text);
+ char *OSSL_CMP_snprint_PKIStatusInfo(const OSSL_CMP_PKISI *statusInfo,
+ char *buf, size_t bufsize);
+ char *OSSL_CMP_CTX_snprint_PKIStatus(const OSSL_CMP_CTX *ctx, char *buf,
+ size_t bufsize);
+
+=head1 DESCRIPTION
+
+This is the PKIStatus API for using CMP (Certificate Management Protocol) with
+OpenSSL.
+
+OSSL_CMP_STATUSINFO_new() creates a new PKIStatusInfo structure
+and fills in the given values.
+It sets the status field to B<status>,
+copies B<text> (unless it is NULL) to statusString,
+and interprets B<fail_info> as bit pattern for the failInfo field.
+
+OSSL_CMP_snprint_PKIStatusInfo() places a human-readable string
+representing the given statusInfo
+in the given buffer, with the given maximal length.
+
+OSSL_CMP_CTX_snprint_PKIStatus() places a human-readable string
+representing the PKIStatusInfo components of the CMP context B<ctx>
+in the given buffer, with the given maximal length.
+
+=head1 NOTES
+
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+
+=head1 RETURN VALUES
+
+OSSL_CMP_STATUSINFO_new()
+returns a pointer to the structure on success, or NULL on error.
+
+OSSL_CMP_snprint_PKIStatusInfo() and
+OSSL_CMP_CTX_snprint_PKIStatus()
+return a copy of the buffer pointer containing the string or NULL on error.
+
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/OSSL_CMP_X509_digest.pod b/doc/man3/OSSL_CMP_X509_digest.pod
new file mode 100644
index 0000000000..824d3497c3
--- /dev/null
+++ b/doc/man3/OSSL_CMP_X509_digest.pod
@@ -0,0 +1,36 @@
+=pod
+
+=head1 NAME
+
+OSSL_CMP_X509_digest
+- CMP certificate utility functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/cmp_util.h>
+
+ ASN1_OCTET_STRING *OSSL_CMP_X509_digest(const X509 *cert);
+
+=head1 DESCRIPTION
+
+OSSL_CMP_X509_digest() calculates a digest of the given certificate
+using the same hash algorithm as in the certificate signature.
+
+=head1 RETURN VALUES
+
+OSSL_CMP_X509_digest() returns an ASN1_OCTET_STRING on success, else NULL.
+
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod
index d7d8477896..cb1e9edf2c 100644
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@@ -122,13 +122,17 @@ OCSP_SIGNATURE_free,
 OCSP_SIGNATURE_new,
 OCSP_SINGLERESP_free,
 OCSP_SINGLERESP_new,
+OSSL_CMP_ITAV_dup,
 OSSL_CMP_ITAV_free,
+OSSL_CMP_MSG_dup,
 OSSL_CMP_MSG_it,
 OSSL_CMP_MSG_free,
 OSSL_CMP_PKIHEADER_free,
 OSSL_CMP_PKIHEADER_it,
 OSSL_CMP_PKIHEADER_new,
+OSSL_CMP_PKISI_dup,
 OSSL_CMP_PKISI_free,
+OSSL_CMP_PKISI_it,
 OSSL_CMP_PKISI_new,
 OSSL_CMP_PKISTATUS_it,
 OSSL_CRMF_CERTID_free,
diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod
index d41d2e0c4b..354757387f 100644
--- a/doc/man3/d2i_X509.pod
+++ b/doc/man3/d2i_X509.pod
@@ -98,6 +98,7 @@ d2i_OCSP_SIGNATURE,
 d2i_OCSP_SINGLERESP,
 d2i_OSSL_CMP_MSG,
 d2i_OSSL_CMP_PKIHEADER,
+d2i_OSSL_CMP_PKISI,
 d2i_OSSL_CRMF_CERTID,
 d2i_OSSL_CRMF_CERTTEMPLATE,
 d2i_OSSL_CRMF_ENCRYPTEDVALUE,
@@ -289,6 +290,7 @@ i2d_OCSP_SIGNATURE,
 i2d_OCSP_SINGLERESP,
 i2d_OSSL_CMP_MSG,
 i2d_OSSL_CMP_PKIHEADER,
+i2d_OSSL_CMP_PKISI,
 i2d_OSSL_CRMF_CERTID,
 i2d_OSSL_CRMF_CERTTEMPLATE,
 i2d_OSSL_CRMF_ENCRYPTEDVALUE, |