| 1 | /* |
|---|---|
| 2 | * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. |
| 3 | * Copyright Nokia 2007-2019 |
| 4 | * Copyright Siemens AG 2015-2019 |
| 5 | * |
| 6 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
| 7 | * this file except in compliance with the License. You can obtain a copy |
| 8 | * in the file LICENSE in the source distribution or at |
| 9 | * https://www.openssl.org/source/license.html |
| 10 | */ |
| 11 | |
| 12 | #ifndef OSSL_CRYPTO_CMP_LOCAL_H |
| 13 | # define OSSL_CRYPTO_CMP_LOCAL_H |
| 14 | |
| 15 | # include "internal/cryptlib.h" |
| 16 | |
| 17 | # include <openssl/cmp.h> |
| 18 | # include <openssl/err.h> |
| 19 | |
| 20 | /* explicit #includes not strictly needed since implied by the above: */ |
| 21 | # include <openssl/crmf.h> |
| 22 | # include <openssl/types.h> |
| 23 | # include <openssl/safestack.h> |
| 24 | # include <openssl/x509.h> |
| 25 | # include <openssl/x509v3.h> |
| 26 | |
| 27 | /* |
| 28 | * this structure is used to store the context for CMP sessions |
| 29 | */ |
| 30 | struct ossl_cmp_ctx_st { |
| 31 | OSSL_cmp_log_cb_t log_cb; /* log callback for error/debug/etc. output */ |
| 32 | OSSL_CMP_severity log_verbosity; /* level of verbosity of log output */ |
| 33 | |
| 34 | /* message transfer */ |
| 35 | OSSL_cmp_transfer_cb_t transfer_cb; /* default: OSSL_CMP_MSG_http_perform */ |
| 36 | void *transfer_cb_arg; /* allows to store optional argument to cb */ |
| 37 | /* HTTP-based transfer */ |
| 38 | char *serverPath; |
| 39 | char *serverName; |
| 40 | int serverPort; |
| 41 | char *proxyName; |
| 42 | int proxyPort; |
| 43 | int msgtimeout; /* max seconds to wait for each CMP message round trip */ |
| 44 | int totaltimeout; /* maximum number seconds an enrollment may take, incl. */ |
| 45 | /* attempts polling for a response if a 'waiting' PKIStatus is received */ |
| 46 | time_t end_time; /* session start time + totaltimeout */ |
| 47 | OSSL_cmp_http_cb_t http_cb; |
| 48 | void *http_cb_arg; /* allows to store optional argument to cb */ |
| 49 | |
| 50 | /* server authentication */ |
| 51 | int unprotectedErrors; /* accept neg. response with no/invalid protection */ |
| 52 | /* to cope with broken server */ |
| 53 | X509 *srvCert; /* certificate used to identify the server */ |
| 54 | X509 *validatedSrvCert; /* caches any already validated server cert */ |
| 55 | X509_NAME *expected_sender; /* expected sender in pkiheader of response */ |
| 56 | X509_STORE *trusted; /* trust store maybe w CRLs and cert verify callback */ |
| 57 | STACK_OF(X509) *untrusted_certs; /* untrusted (intermediate) certs */ |
| 58 | int ignore_keyusage; /* ignore key usage entry when validating certs */ |
| 59 | int permitTAInExtraCertsForIR; /* allow use of root certs in extracerts */ |
| 60 | /* when validating message protection; used for 3GPP-style E.7 */ |
| 61 | |
| 62 | /* client authentication */ |
| 63 | int unprotectedSend; /* send unprotected PKI messages */ |
| 64 | X509 *clCert; /* client cert used to identify and sign for MSG_SIG_ALG */ |
| 65 | EVP_PKEY *pkey; /* the key pair corresponding to clCert */ |
| 66 | ASN1_OCTET_STRING *referenceValue; /* optional user name for MSG_MAC_ALG */ |
| 67 | ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */ |
| 68 | /* PBMParameters for MSG_MAC_ALG */ |
| 69 | size_t pbm_slen; /* currently fixed to 16 */ |
| 70 | int pbm_owf; /* NID of one-way function (OWF), default: SHA256 */ |
| 71 | int pbm_itercnt; /* currently fixed to 500 */ |
| 72 | int pbm_mac; /* NID of MAC algorithm, default: HMAC-SHA1 as per RFC 4210 */ |
| 73 | |
| 74 | /* CMP message header and extra certificates */ |
| 75 | X509_NAME *recipient; /* to set in recipient in pkiheader */ |
| 76 | int digest; /* NID of digest used in MSG_SIG_ALG and POPO, default SHA256 */ |
| 77 | ASN1_OCTET_STRING *transactionID; /* the current transaction ID */ |
| 78 | ASN1_OCTET_STRING *senderNonce; /* last nonce sent */ |
| 79 | ASN1_OCTET_STRING *recipNonce; /* last nonce received */ |
| 80 | ASN1_UTF8STRING *freeText; /* optional string to include each msg */ |
| 81 | STACK_OF(OSSL_CMP_ITAV) *geninfo_ITAVs; |
| 82 | int implicitConfirm; /* set implicitConfirm in IR/KUR/CR messages */ |
| 83 | int disableConfirm; /* disable certConf in IR/KUR/CR for broken servers */ |
| 84 | STACK_OF(X509) *extraCertsOut; /* to be included in request messages */ |
| 85 | |
| 86 | /* certificate template */ |
| 87 | EVP_PKEY *newPkey; /* explicit new private/public key for cert enrollment */ |
| 88 | int newPkey_priv; /* flag indicating if newPkey contains private key */ |
| 89 | X509_NAME *issuer; /* issuer name to used in cert template */ |
| 90 | int days; /* Number of days new certificates are asked to be valid for */ |
| 91 | X509_NAME *subjectName; /* subject name to be used in the cert template */ |
| 92 | STACK_OF(GENERAL_NAME) *subjectAltNames; /* to add to the cert template */ |
| 93 | int SubjectAltName_nodefault; |
| 94 | int setSubjectAltNameCritical; |
| 95 | X509_EXTENSIONS *reqExtensions; /* exts to be added to cert template */ |
| 96 | CERTIFICATEPOLICIES *policies; /* policies to be included in extensions */ |
| 97 | int setPoliciesCritical; |
| 98 | int popoMethod; /* Proof-of-possession mechanism; default: signature */ |
| 99 | X509 *oldCert; /* cert to be updated (via KUR) or to be revoked (via RR) */ |
| 100 | X509_REQ *p10CSR; /* for P10CR: PKCS#10 CSR to be sent */ |
| 101 | |
| 102 | /* misc body contents */ |
| 103 | int revocationReason; /* revocation reason code to be included in RR */ |
| 104 | STACK_OF(OSSL_CMP_ITAV) *genm_ITAVs; /* content of general message */ |
| 105 | |
| 106 | /* result returned in responses */ |
| 107 | int status; /* PKIStatus of last received IP/CP/KUP/RP/error or -1 */ |
| 108 | /* TODO: this should be a stack since there could be more than one */ |
| 109 | OSSL_CMP_PKIFREETEXT *statusString; /* of last IP/CP/KUP/RP/error */ |
| 110 | int failInfoCode; /* failInfoCode of last received IP/CP/KUP/error, or -1 */ |
| 111 | /* TODO: this should be a stack since there could be more than one */ |
| 112 | X509 *newCert; /* newly enrolled cert received from the CA */ |
| 113 | /* TODO: this should be a stack since there could be more than one */ |
| 114 | STACK_OF(X509) *caPubs; /* CA certs received from server (in IP message) */ |
| 115 | STACK_OF(X509) *extraCertsIn; /* extraCerts received from server */ |
| 116 | |
| 117 | /* certificate confirmation */ |
| 118 | OSSL_cmp_certConf_cb_t certConf_cb; /* callback for app checking new cert */ |
| 119 | void *certConf_cb_arg; /* allows to store an argument individual to cb */ |
| 120 | } /* OSSL_CMP_CTX */; |
| 121 | |
| 122 | /* |
| 123 | * ########################################################################## |
| 124 | * ASN.1 DECLARATIONS |
| 125 | * ########################################################################## |
| 126 | */ |
| 127 | |
| 128 | /*- |
| 129 | * RevAnnContent ::= SEQUENCE { |
| 130 | * status PKIStatus, |
| 131 | * certId CertId, |
| 132 | * willBeRevokedAt GeneralizedTime, |
| 133 | * badSinceDate GeneralizedTime, |
| 134 | * crlDetails Extensions OPTIONAL |
| 135 | * -- extra CRL details (e.g., crl number, reason, location, etc.) |
| 136 | * } |
| 137 | */ |
| 138 | typedef struct ossl_cmp_revanncontent_st { |
| 139 | ASN1_INTEGER *status; |
| 140 | OSSL_CRMF_CERTID *certId; |
| 141 | ASN1_GENERALIZEDTIME *willBeRevokedAt; |
| 142 | ASN1_GENERALIZEDTIME *badSinceDate; |
| 143 | X509_EXTENSIONS *crlDetails; |
| 144 | } OSSL_CMP_REVANNCONTENT; |
| 145 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT) |
| 146 | |
| 147 | /*- |
| 148 | * Challenge ::= SEQUENCE { |
| 149 | * owf AlgorithmIdentifier OPTIONAL, |
| 150 | * |
| 151 | * -- MUST be present in the first Challenge; MAY be omitted in |
| 152 | * -- any subsequent Challenge in POPODecKeyChallContent (if |
| 153 | * -- omitted, then the owf used in the immediately preceding |
| 154 | * -- Challenge is to be used). |
| 155 | * |
| 156 | * witness OCTET STRING, |
| 157 | * -- the result of applying the one-way function (owf) to a |
| 158 | * -- randomly-generated INTEGER, A. [Note that a different |
| 159 | * -- INTEGER MUST be used for each Challenge.] |
| 160 | * challenge OCTET STRING |
| 161 | * -- the encryption (under the public key for which the cert. |
| 162 | * -- request is being made) of Rand, where Rand is specified as |
| 163 | * -- Rand ::= SEQUENCE { |
| 164 | * -- int INTEGER, |
| 165 | * -- - the randomly-generated INTEGER A (above) |
| 166 | * -- sender GeneralName |
| 167 | * -- - the sender's name (as included in PKIHeader) |
| 168 | * -- } |
| 169 | * } |
| 170 | */ |
| 171 | typedef struct ossl_cmp_challenge_st { |
| 172 | X509_ALGOR *owf; |
| 173 | ASN1_OCTET_STRING *witness; |
| 174 | ASN1_OCTET_STRING *challenge; |
| 175 | } OSSL_CMP_CHALLENGE; |
| 176 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE) |
| 177 | |
| 178 | /*- |
| 179 | * CAKeyUpdAnnContent ::= SEQUENCE { |
| 180 | * oldWithNew Certificate, |
| 181 | * newWithOld Certificate, |
| 182 | * newWithNew Certificate |
| 183 | * } |
| 184 | */ |
| 185 | typedef struct ossl_cmp_cakeyupdanncontent_st { |
| 186 | X509 *oldWithNew; |
| 187 | X509 *newWithOld; |
| 188 | X509 *newWithNew; |
| 189 | } OSSL_CMP_CAKEYUPDANNCONTENT; |
| 190 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT) |
| 191 | |
| 192 | /*- |
| 193 | * declared already here as it will be used in OSSL_CMP_MSG (nested) and |
| 194 | * infoType and infoValue |
| 195 | */ |
| 196 | typedef STACK_OF(OSSL_CMP_MSG) OSSL_CMP_MSGS; |
| 197 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS) |
| 198 | |
| 199 | /*- |
| 200 | * InfoTypeAndValue ::= SEQUENCE { |
| 201 | * infoType OBJECT IDENTIFIER, |
| 202 | * infoValue ANY DEFINED BY infoType OPTIONAL |
| 203 | * } |
| 204 | */ |
| 205 | struct ossl_cmp_itav_st { |
| 206 | ASN1_OBJECT *infoType; |
| 207 | union { |
| 208 | char *ptr; |
| 209 | /* NID_id_it_caProtEncCert - CA Protocol Encryption Certificate */ |
| 210 | X509 *caProtEncCert; |
| 211 | /* NID_id_it_signKeyPairTypes - Signing Key Pair Types */ |
| 212 | STACK_OF(X509_ALGOR) *signKeyPairTypes; |
| 213 | /* NID_id_it_encKeyPairTypes - Encryption/Key Agreement Key Pair Types */ |
| 214 | STACK_OF(X509_ALGOR) *encKeyPairTypes; |
| 215 | /* NID_id_it_preferredSymmAlg - Preferred Symmetric Algorithm */ |
| 216 | X509_ALGOR *preferredSymmAlg; |
| 217 | /* NID_id_it_caKeyUpdateInfo - Updated CA Key Pair */ |
| 218 | OSSL_CMP_CAKEYUPDANNCONTENT *caKeyUpdateInfo; |
| 219 | /* NID_id_it_currentCRL - CRL */ |
| 220 | X509_CRL *currentCRL; |
| 221 | /* NID_id_it_unsupportedOIDs - Unsupported Object Identifiers */ |
| 222 | STACK_OF(ASN1_OBJECT) *unsupportedOIDs; |
| 223 | /* NID_id_it_keyPairParamReq - Key Pair Parameters Request */ |
| 224 | ASN1_OBJECT *keyPairParamReq; |
| 225 | /* NID_id_it_keyPairParamRep - Key Pair Parameters Response */ |
| 226 | X509_ALGOR *keyPairParamRep; |
| 227 | /* NID_id_it_revPassphrase - Revocation Passphrase */ |
| 228 | OSSL_CRMF_ENCRYPTEDVALUE *revPassphrase; |
| 229 | /* NID_id_it_implicitConfirm - ImplicitConfirm */ |
| 230 | ASN1_NULL *implicitConfirm; |
| 231 | /* NID_id_it_confirmWaitTime - ConfirmWaitTime */ |
| 232 | ASN1_GENERALIZEDTIME *confirmWaitTime; |
| 233 | /* NID_id_it_origPKIMessage - origPKIMessage */ |
| 234 | OSSL_CMP_MSGS *origPKIMessage; |
| 235 | /* NID_id_it_suppLangTags - Supported Language Tags */ |
| 236 | STACK_OF(ASN1_UTF8STRING) *suppLangTagsValue; |
| 237 | /* this is to be used for so far undeclared objects */ |
| 238 | ASN1_TYPE *other; |
| 239 | } infoValue; |
| 240 | } /* OSSL_CMP_ITAV */; |
| 241 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV) |
| 242 | DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV) |
| 243 | |
| 244 | typedef struct ossl_cmp_certorenccert_st { |
| 245 | int type; |
| 246 | union { |
| 247 | X509 *certificate; |
| 248 | OSSL_CRMF_ENCRYPTEDVALUE *encryptedCert; |
| 249 | } value; |
| 250 | } OSSL_CMP_CERTORENCCERT; |
| 251 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT) |
| 252 | |
| 253 | /*- |
| 254 | * CertifiedKeyPair ::= SEQUENCE { |
| 255 | * certOrEncCert CertOrEncCert, |
| 256 | * privateKey [0] EncryptedValue OPTIONAL, |
| 257 | * -- see [CRMF] for comment on encoding |
| 258 | * publicationInfo [1] PKIPublicationInfo OPTIONAL |
| 259 | * } |
| 260 | */ |
| 261 | typedef struct ossl_cmp_certifiedkeypair_st { |
| 262 | OSSL_CMP_CERTORENCCERT *certOrEncCert; |
| 263 | OSSL_CRMF_ENCRYPTEDVALUE *privateKey; |
| 264 | OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo; |
| 265 | } OSSL_CMP_CERTIFIEDKEYPAIR; |
| 266 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR) |
| 267 | |
| 268 | /*- |
| 269 | * PKIStatusInfo ::= SEQUENCE { |
| 270 | * status PKIStatus, |
| 271 | * statusString PKIFreeText OPTIONAL, |
| 272 | * failInfo PKIFailureInfo OPTIONAL |
| 273 | * } |
| 274 | */ |
| 275 | struct ossl_cmp_pkisi_st { |
| 276 | OSSL_CMP_PKISTATUS *status; |
| 277 | OSSL_CMP_PKIFREETEXT *statusString; |
| 278 | OSSL_CMP_PKIFAILUREINFO *failInfo; |
| 279 | } /* OSSL_CMP_PKISI */; |
| 280 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKISI) |
| 281 | DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI) |
| 282 | DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTID) |
| 283 | |
| 284 | /*- |
| 285 | * RevReqContent ::= SEQUENCE OF RevDetails |
| 286 | * |
| 287 | * RevDetails ::= SEQUENCE { |
| 288 | * certDetails CertTemplate, |
| 289 | * crlEntryDetails Extensions OPTIONAL |
| 290 | * } |
| 291 | */ |
| 292 | typedef struct ossl_cmp_revdetails_st { |
| 293 | OSSL_CRMF_CERTTEMPLATE *certDetails; |
| 294 | X509_EXTENSIONS *crlEntryDetails; |
| 295 | } OSSL_CMP_REVDETAILS; |
| 296 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS) |
| 297 | DEFINE_STACK_OF(OSSL_CMP_REVDETAILS) |
| 298 | |
| 299 | /*- |
| 300 | * RevRepContent ::= SEQUENCE { |
| 301 | * status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo, |
| 302 | * -- in same order as was sent in RevReqContent |
| 303 | * revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId |
| 304 | * OPTIONAL, |
| 305 | * -- IDs for which revocation was requested |
| 306 | * -- (same order as status) |
| 307 | * crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList |
| 308 | * OPTIONAL |
| 309 | * -- the resulting CRLs (there may be more than one) |
| 310 | * } |
| 311 | */ |
| 312 | struct ossl_cmp_revrepcontent_st { |
| 313 | STACK_OF(OSSL_CMP_PKISI) *status; |
| 314 | STACK_OF(OSSL_CRMF_CERTID) *revCerts; |
| 315 | STACK_OF(X509_CRL) *crls; |
| 316 | } /* OSSL_CMP_REVREPCONTENT */; |
| 317 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT) |
| 318 | |
| 319 | /*- |
| 320 | * KeyRecRepContent ::= SEQUENCE { |
| 321 | * status PKIStatusInfo, |
| 322 | * newSigCert [0] Certificate OPTIONAL, |
| 323 | * caCerts [1] SEQUENCE SIZE (1..MAX) OF |
| 324 | * Certificate OPTIONAL, |
| 325 | * keyPairHist [2] SEQUENCE SIZE (1..MAX) OF |
| 326 | * CertifiedKeyPair OPTIONAL |
| 327 | * } |
| 328 | */ |
| 329 | typedef struct ossl_cmp_keyrecrepcontent_st { |
| 330 | OSSL_CMP_PKISI *status; |
| 331 | X509 *newSigCert; |
| 332 | STACK_OF(X509) *caCerts; |
| 333 | STACK_OF(OSSL_CMP_CERTIFIEDKEYPAIR) *keyPairHist; |
| 334 | } OSSL_CMP_KEYRECREPCONTENT; |
| 335 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT) |
| 336 | |
| 337 | /*- |
| 338 | * ErrorMsgContent ::= SEQUENCE { |
| 339 | * pKIStatusInfo PKIStatusInfo, |
| 340 | * errorCode INTEGER OPTIONAL, |
| 341 | * -- implementation-specific error codes |
| 342 | * errorDetails PKIFreeText OPTIONAL |
| 343 | * -- implementation-specific error details |
| 344 | * } |
| 345 | */ |
| 346 | typedef struct ossl_cmp_errormsgcontent_st { |
| 347 | OSSL_CMP_PKISI *pKIStatusInfo; |
| 348 | ASN1_INTEGER *errorCode; |
| 349 | OSSL_CMP_PKIFREETEXT *errorDetails; |
| 350 | } OSSL_CMP_ERRORMSGCONTENT; |
| 351 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT) |
| 352 | |
| 353 | /*- |
| 354 | * CertConfirmContent ::= SEQUENCE OF CertStatus |
| 355 | * |
| 356 | * CertStatus ::= SEQUENCE { |
| 357 | * certHash OCTET STRING, |
| 358 | * -- the hash of the certificate, using the same hash algorithm |
| 359 | * -- as is used to create and verify the certificate signature |
| 360 | * certReqId INTEGER, |
| 361 | * -- to match this confirmation with the corresponding req/rep |
| 362 | * statusInfo PKIStatusInfo OPTIONAL |
| 363 | * } |
| 364 | */ |
| 365 | struct ossl_cmp_certstatus_st { |
| 366 | ASN1_OCTET_STRING *certHash; |
| 367 | ASN1_INTEGER *certReqId; |
| 368 | OSSL_CMP_PKISI *statusInfo; |
| 369 | } /* OSSL_CMP_CERTSTATUS */; |
| 370 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS) |
| 371 | |
| 372 | typedef STACK_OF(OSSL_CMP_CERTSTATUS) OSSL_CMP_CERTCONFIRMCONTENT; |
| 373 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT) |
| 374 | |
| 375 | /*- |
| 376 | * CertResponse ::= SEQUENCE { |
| 377 | * certReqId INTEGER, |
| 378 | * -- to match this response with corresponding request (a value |
| 379 | * -- of -1 is to be used if certReqId is not specified in the |
| 380 | * -- corresponding request) |
| 381 | * status PKIStatusInfo, |
| 382 | * certifiedKeyPair CertifiedKeyPair OPTIONAL, |
| 383 | * rspInfo OCTET STRING OPTIONAL |
| 384 | * -- analogous to the id-regInfo-utf8Pairs string defined |
| 385 | * -- for regInfo in CertReqMsg [CRMF] |
| 386 | * } |
| 387 | */ |
| 388 | struct ossl_cmp_certresponse_st { |
| 389 | ASN1_INTEGER *certReqId; |
| 390 | OSSL_CMP_PKISI *status; |
| 391 | OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair; |
| 392 | ASN1_OCTET_STRING *rspInfo; |
| 393 | } /* OSSL_CMP_CERTRESPONSE */; |
| 394 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE) |
| 395 | |
| 396 | /*- |
| 397 | * CertRepMessage ::= SEQUENCE { |
| 398 | * caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate |
| 399 | * OPTIONAL, |
| 400 | * response SEQUENCE OF CertResponse |
| 401 | * } |
| 402 | */ |
| 403 | struct ossl_cmp_certrepmessage_st { |
| 404 | STACK_OF(X509) *caPubs; |
| 405 | STACK_OF(OSSL_CMP_CERTRESPONSE) *response; |
| 406 | } /* OSSL_CMP_CERTREPMESSAGE */; |
| 407 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE) |
| 408 | |
| 409 | /*- |
| 410 | * PollReqContent ::= SEQUENCE OF SEQUENCE { |
| 411 | * certReqId INTEGER |
| 412 | * } |
| 413 | */ |
| 414 | typedef struct ossl_cmp_pollreq_st { |
| 415 | ASN1_INTEGER *certReqId; |
| 416 | } OSSL_CMP_POLLREQ; |
| 417 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ) |
| 418 | DEFINE_STACK_OF(OSSL_CMP_POLLREQ) |
| 419 | typedef STACK_OF(OSSL_CMP_POLLREQ) OSSL_CMP_POLLREQCONTENT; |
| 420 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQCONTENT) |
| 421 | |
| 422 | /*- |
| 423 | * PollRepContent ::= SEQUENCE OF SEQUENCE { |
| 424 | * certReqId INTEGER, |
| 425 | * checkAfter INTEGER, -- time in seconds |
| 426 | * reason PKIFreeText OPTIONAL |
| 427 | * } |
| 428 | */ |
| 429 | struct ossl_cmp_pollrep_st { |
| 430 | ASN1_INTEGER *certReqId; |
| 431 | ASN1_INTEGER *checkAfter; |
| 432 | OSSL_CMP_PKIFREETEXT *reason; |
| 433 | } /* OSSL_CMP_POLLREP */; |
| 434 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREP) |
| 435 | DEFINE_STACK_OF(OSSL_CMP_POLLREP) |
| 436 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT) |
| 437 | |
| 438 | /*- |
| 439 | * PKIHeader ::= SEQUENCE { |
| 440 | * pvno INTEGER { cmp1999(1), cmp2000(2) }, |
| 441 | * sender GeneralName, |
| 442 | * -- identifies the sender |
| 443 | * recipient GeneralName, |
| 444 | * -- identifies the intended recipient |
| 445 | * messageTime [0] GeneralizedTime OPTIONAL, |
| 446 | * -- time of production of this message (used when sender |
| 447 | * -- believes that the transport will be "suitable"; i.e., |
| 448 | * -- that the time will still be meaningful upon receipt) |
| 449 | * protectionAlg [1] AlgorithmIdentifier OPTIONAL, |
| 450 | * -- algorithm used for calculation of protection bits |
| 451 | * senderKID [2] KeyIdentifier OPTIONAL, |
| 452 | * recipKID [3] KeyIdentifier OPTIONAL, |
| 453 | * -- to identify specific keys used for protection |
| 454 | * transactionID [4] OCTET STRING OPTIONAL, |
| 455 | * -- identifies the transaction; i.e., this will be the same in |
| 456 | * -- corresponding request, response, certConf, and PKIConf |
| 457 | * -- messages |
| 458 | * senderNonce [5] OCTET STRING OPTIONAL, |
| 459 | * recipNonce [6] OCTET STRING OPTIONAL, |
| 460 | * -- nonces used to provide replay protection, senderNonce |
| 461 | * -- is inserted by the creator of this message; recipNonce |
| 462 | * -- is a nonce previously inserted in a related message by |
| 463 | * -- the intended recipient of this message |
| 464 | * freeText [7] PKIFreeText OPTIONAL, |
| 465 | * -- this may be used to indicate context-specific instructions |
| 466 | * -- (this field is intended for human consumption) |
| 467 | * generalInfo [8] SEQUENCE SIZE (1..MAX) OF |
| 468 | * InfoTypeAndValue OPTIONAL |
| 469 | * -- this may be used to convey context-specific information |
| 470 | * -- (this field not primarily intended for human consumption) |
| 471 | * } |
| 472 | */ |
| 473 | struct ossl_cmp_pkiheader_st { |
| 474 | ASN1_INTEGER *pvno; |
| 475 | GENERAL_NAME *sender; |
| 476 | GENERAL_NAME *recipient; |
| 477 | ASN1_GENERALIZEDTIME *messageTime; /* 0 */ |
| 478 | X509_ALGOR *protectionAlg; /* 1 */ |
| 479 | ASN1_OCTET_STRING *senderKID; /* 2 */ |
| 480 | ASN1_OCTET_STRING *recipKID; /* 3 */ |
| 481 | ASN1_OCTET_STRING *transactionID; /* 4 */ |
| 482 | ASN1_OCTET_STRING *senderNonce; /* 5 */ |
| 483 | ASN1_OCTET_STRING *recipNonce; /* 6 */ |
| 484 | OSSL_CMP_PKIFREETEXT *freeText; /* 7 */ |
| 485 | STACK_OF(OSSL_CMP_ITAV) *generalInfo; /* 8 */ |
| 486 | } /* OSSL_CMP_PKIHEADER */; |
| 487 | |
| 488 | typedef STACK_OF(OSSL_CMP_CHALLENGE) OSSL_CMP_POPODECKEYCHALLCONTENT; |
| 489 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYCHALLCONTENT) |
| 490 | typedef STACK_OF(ASN1_INTEGER) OSSL_CMP_POPODECKEYRESPCONTENT; |
| 491 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYRESPCONTENT) |
| 492 | typedef STACK_OF(OSSL_CMP_REVDETAILS) OSSL_CMP_REVREQCONTENT; |
| 493 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREQCONTENT) |
| 494 | typedef STACK_OF(X509_CRL) OSSL_CMP_CRLANNCONTENT; |
| 495 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CRLANNCONTENT) |
| 496 | typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENMSGCONTENT; |
| 497 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENMSGCONTENT) |
| 498 | typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENREPCONTENT; |
| 499 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENREPCONTENT) |
| 500 | |
| 501 | /*- |
| 502 | * PKIBody ::= CHOICE { -- message-specific body elements |
| 503 | * ir [0] CertReqMessages, --Initialization Request |
| 504 | * ip [1] CertRepMessage, --Initialization Response |
| 505 | * cr [2] CertReqMessages, --Certification Request |
| 506 | * cp [3] CertRepMessage, --Certification Response |
| 507 | * p10cr [4] CertificationRequest, --imported from [PKCS10] |
| 508 | * popdecc [5] POPODecKeyChallContent, --pop Challenge |
| 509 | * popdecr [6] POPODecKeyRespContent, --pop Response |
| 510 | * kur [7] CertReqMessages, --Key Update Request |
| 511 | * kup [8] CertRepMessage, --Key Update Response |
| 512 | * krr [9] CertReqMessages, --Key Recovery Request |
| 513 | * krp [10] KeyRecRepContent, --Key Recovery Response |
| 514 | * rr [11] RevReqContent, --Revocation Request |
| 515 | * rp [12] RevRepContent, --Revocation Response |
| 516 | * ccr [13] CertReqMessages, --Cross-Cert. Request |
| 517 | * ccp [14] CertRepMessage, --Cross-Cert. Response |
| 518 | * ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. |
| 519 | * cann [16] CertAnnContent, --Certificate Ann. |
| 520 | * rann [17] RevAnnContent, --Revocation Ann. |
| 521 | * crlann [18] CRLAnnContent, --CRL Announcement |
| 522 | * pkiconf [19] PKIConfirmContent, --Confirmation |
| 523 | * nested [20] NestedMessageContent, --Nested Message |
| 524 | * genm [21] GenMsgContent, --General Message |
| 525 | * genp [22] GenRepContent, --General Response |
| 526 | * error [23] ErrorMsgContent, --Error Message |
| 527 | * certConf [24] CertConfirmContent, --Certificate confirm |
| 528 | * pollReq [25] PollReqContent, --Polling request |
| 529 | * pollRep [26] PollRepContent --Polling response |
| 530 | * } |
| 531 | */ |
| 532 | typedef struct ossl_cmp_pkibody_st { |
| 533 | int type; |
| 534 | union { |
| 535 | OSSL_CRMF_MSGS *ir; /* 0 */ |
| 536 | OSSL_CMP_CERTREPMESSAGE *ip; /* 1 */ |
| 537 | OSSL_CRMF_MSGS *cr; /* 2 */ |
| 538 | OSSL_CMP_CERTREPMESSAGE *cp; /* 3 */ |
| 539 | /* p10cr [4] CertificationRequest, --imported from [PKCS10] */ |
| 540 | /* |
| 541 | * PKCS10_CERTIFICATIONREQUEST is effectively X509_REQ |
| 542 | * so it is used directly |
| 543 | */ |
| 544 | X509_REQ *p10cr; /* 4 */ |
| 545 | /* popdecc [5] POPODecKeyChallContent, --pop Challenge */ |
| 546 | /* POPODecKeyChallContent ::= SEQUENCE OF Challenge */ |
| 547 | OSSL_CMP_POPODECKEYCHALLCONTENT *popdecc; /* 5 */ |
| 548 | /* popdecr [6] POPODecKeyRespContent, --pop Response */ |
| 549 | /* POPODecKeyRespContent ::= SEQUENCE OF INTEGER */ |
| 550 | OSSL_CMP_POPODECKEYRESPCONTENT *popdecr; /* 6 */ |
| 551 | OSSL_CRMF_MSGS *kur; /* 7 */ |
| 552 | OSSL_CMP_CERTREPMESSAGE *kup; /* 8 */ |
| 553 | OSSL_CRMF_MSGS *krr; /* 9 */ |
| 554 | |
| 555 | /* krp [10] KeyRecRepContent, --Key Recovery Response */ |
| 556 | OSSL_CMP_KEYRECREPCONTENT *krp; /* 10 */ |
| 557 | /* rr [11] RevReqContent, --Revocation Request */ |
| 558 | OSSL_CMP_REVREQCONTENT *rr; /* 11 */ |
| 559 | /* rp [12] RevRepContent, --Revocation Response */ |
| 560 | OSSL_CMP_REVREPCONTENT *rp; /* 12 */ |
| 561 | /* ccr [13] CertReqMessages, --Cross-Cert. Request */ |
| 562 | OSSL_CRMF_MSGS *ccr; /* 13 */ |
| 563 | /* ccp [14] CertRepMessage, --Cross-Cert. Response */ |
| 564 | OSSL_CMP_CERTREPMESSAGE *ccp; /* 14 */ |
| 565 | /* ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. */ |
| 566 | OSSL_CMP_CAKEYUPDANNCONTENT *ckuann; /* 15 */ |
| 567 | /* cann [16] CertAnnContent, --Certificate Ann. */ |
| 568 | /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ |
| 569 | X509 *cann; /* 16 */ |
| 570 | /* rann [17] RevAnnContent, --Revocation Ann. */ |
| 571 | OSSL_CMP_REVANNCONTENT *rann; /* 17 */ |
| 572 | /* crlann [18] CRLAnnContent, --CRL Announcement */ |
| 573 | /* CRLAnnContent ::= SEQUENCE OF CertificateList */ |
| 574 | OSSL_CMP_CRLANNCONTENT *crlann; |
| 575 | /* PKIConfirmContent ::= NULL */ |
| 576 | /* pkiconf [19] PKIConfirmContent, --Confirmation */ |
| 577 | /* OSSL_CMP_PKICONFIRMCONTENT would be only a typedef of ASN1_NULL */ |
| 578 | /* OSSL_CMP_CONFIRMCONTENT *pkiconf; */ |
| 579 | /* |
| 580 | * NOTE: this should ASN1_NULL according to the RFC |
| 581 | * but there might be a struct in it when sent from faulty servers... |
| 582 | */ |
| 583 | ASN1_TYPE *pkiconf; /* 19 */ |
| 584 | /* nested [20] NestedMessageContent, --Nested Message */ |
| 585 | /* NestedMessageContent ::= PKIMessages */ |
| 586 | OSSL_CMP_MSGS *nested; /* 20 */ |
| 587 | /* genm [21] GenMsgContent, --General Message */ |
| 588 | /* GenMsgContent ::= SEQUENCE OF InfoTypeAndValue */ |
| 589 | OSSL_CMP_GENMSGCONTENT *genm; /* 21 */ |
| 590 | /* genp [22] GenRepContent, --General Response */ |
| 591 | /* GenRepContent ::= SEQUENCE OF InfoTypeAndValue */ |
| 592 | OSSL_CMP_GENREPCONTENT *genp; /* 22 */ |
| 593 | /* error [23] ErrorMsgContent, --Error Message */ |
| 594 | OSSL_CMP_ERRORMSGCONTENT *error; /* 23 */ |
| 595 | /* certConf [24] CertConfirmContent, --Certificate confirm */ |
| 596 | OSSL_CMP_CERTCONFIRMCONTENT *certConf; /* 24 */ |
| 597 | /* pollReq [25] PollReqContent, --Polling request */ |
| 598 | OSSL_CMP_POLLREQCONTENT *pollReq; |
| 599 | /* pollRep [26] PollRepContent --Polling response */ |
| 600 | OSSL_CMP_POLLREPCONTENT *pollRep; |
| 601 | } value; |
| 602 | } OSSL_CMP_PKIBODY; |
| 603 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY) |
| 604 | |
| 605 | /*- |
| 606 | * PKIProtection ::= BIT STRING |
| 607 | * |
| 608 | * PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage |
| 609 | * |
| 610 | * PKIMessage ::= SEQUENCE { |
| 611 | * header PKIHeader, |
| 612 | * body PKIBody, |
| 613 | * protection [0] PKIProtection OPTIONAL, |
| 614 | * extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate |
| 615 | * OPTIONAL |
| 616 | * } |
| 617 | */ |
| 618 | struct ossl_cmp_msg_st { |
| 619 | OSSL_CMP_PKIHEADER *header; |
| 620 | OSSL_CMP_PKIBODY *body; |
| 621 | ASN1_BIT_STRING *protection; /* 0 */ |
| 622 | /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ |
| 623 | STACK_OF(X509) *extraCerts; /* 1 */ |
| 624 | } /* OSSL_CMP_MSG */; |
| 625 | DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSG) |
| 626 | DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_MSG) |
| 627 | |
| 628 | /*- |
| 629 | * ProtectedPart ::= SEQUENCE { |
| 630 | * header PKIHeader, |
| 631 | * body PKIBody |
| 632 | * } |
| 633 | */ |
| 634 | typedef struct cmp_protectedpart_st { |
| 635 | OSSL_CMP_PKIHEADER *header; |
| 636 | OSSL_CMP_PKIBODY *body; |
| 637 | } CMP_PROTECTEDPART; |
| 638 | DECLARE_ASN1_FUNCTIONS(CMP_PROTECTEDPART) |
| 639 | |
| 640 | /*- |
| 641 | * this is not defined here as it is already in CRMF: |
| 642 | * id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13} |
| 643 | * PBMParameter ::= SEQUENCE { |
| 644 | * salt OCTET STRING, |
| 645 | * -- note: implementations MAY wish to limit acceptable sizes |
| 646 | * -- of this string to values appropriate for their environment |
| 647 | * -- in order to reduce the risk of denial-of-service attacks |
| 648 | * owf AlgorithmIdentifier, |
| 649 | * -- AlgId for a One-Way Function (SHA-1 recommended) |
| 650 | * iterationCount INTEGER, |
| 651 | * -- number of times the OWF is applied |
| 652 | * -- note: implementations MAY wish to limit acceptable sizes |
| 653 | * -- of this integer to values appropriate for their environment |
| 654 | * -- in order to reduce the risk of denial-of-service attacks |
| 655 | * mac AlgorithmIdentifier |
| 656 | * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], |
| 657 | * } -- or HMAC [RFC2104, RFC2202]) |
| 658 | */ |
| 659 | /*- |
| 660 | * TODO: this is not yet defined here - but DH is anyway not used yet |
| 661 | * |
| 662 | * id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30} |
| 663 | * DHBMParameter ::= SEQUENCE { |
| 664 | * owf AlgorithmIdentifier, |
| 665 | * -- AlgId for a One-Way Function (SHA-1 recommended) |
| 666 | * mac AlgorithmIdentifier |
| 667 | * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], |
| 668 | * } -- or HMAC [RFC2104, RFC2202]) |
| 669 | */ |
| 670 | /*- |
| 671 | * The following is not cared for, because it is described in section 5.2.5 |
| 672 | * that this is beyond the scope of CMP |
| 673 | * OOBCert ::= CMPCertificate |
| 674 | * |
| 675 | * OOBCertHash ::= SEQUENCE { |
| 676 | * hashAlg [0] AlgorithmIdentifier OPTIONAL, |
| 677 | * certId [1] CertId OPTIONAL, |
| 678 | * hashVal BIT STRING |
| 679 | * -- hashVal is calculated over the DER encoding of the |
| 680 | * -- self-signed certificate with the identifier certID. |
| 681 | * } |
| 682 | */ |
| 683 | |
| 684 | /* |
| 685 | * constants |
| 686 | */ |
| 687 | /* certReqId for the first - and so far only - certificate request */ |
| 688 | # define OSSL_CMP_CERTREQID 0 |
| 689 | /* sequence id for the first - and so far only - revocation request */ |
| 690 | # define OSSL_CMP_REVREQSID 0 |
| 691 | /* |
| 692 | * functions |
| 693 | */ |
| 694 | |
| 695 | /* from cmp_asn.c */ |
| 696 | int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a); |
| 697 | |
| 698 | /* from cmp_util.c */ |
| 699 | const char *ossl_cmp_log_parse_metadata(const char *buf, |
| 700 | OSSL_CMP_severity *level, char **func, |
| 701 | char **file, int *line); |
| 702 | /* workaround for 4096 bytes limitation of ERR_print_errors_cb() */ |
| 703 | void ossl_cmp_add_error_txt(const char *separator, const char *txt); |
| 704 | # define ossl_cmp_add_error_data(txt) ossl_cmp_add_error_txt(" : ", txt) |
| 705 | # define ossl_cmp_add_error_line(txt) ossl_cmp_add_error_txt("\n", txt) |
| 706 | /* functions manipulating lists of certificates etc could be generally useful */ |
| 707 | int ossl_cmp_sk_X509_add1_cert (STACK_OF(X509) *sk, X509 *cert, |
| 708 | int no_dup, int prepend); |
| 709 | int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, |
| 710 | int no_self_signed, int no_dups, int prepend); |
| 711 | int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs, |
| 712 | int only_self_signed); |
| 713 | STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store); |
| 714 | int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt, |
| 715 | const ASN1_OCTET_STRING *src); |
| 716 | int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt, |
| 717 | const unsigned char *bytes, int len); |
| 718 | STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert); |
| 719 | |
| 720 | /* from cmp_ctx.c */ |
| 721 | int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert); |
| 722 | int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status); |
| 723 | int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx, |
| 724 | OSSL_CMP_PKIFREETEXT *text); |
| 725 | int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info); |
| 726 | int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert); |
| 727 | int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs); |
| 728 | int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx, |
| 729 | STACK_OF(X509) *extraCertsIn); |
| 730 | int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx, |
| 731 | const ASN1_OCTET_STRING *nonce); |
| 732 | |
| 733 | /* from cmp_status.c */ |
| 734 | OSSL_CMP_PKISI * |
| 735 | ossl_cmp_statusinfo_new(int status, int fail_info, const char *text); |
| 736 | int ossl_cmp_pkisi_get_pkistatus(const OSSL_CMP_PKISI *statusInfo); |
| 737 | const char *ossl_cmp_PKIStatus_to_string(int status); |
| 738 | OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_get0_statusstring(const OSSL_CMP_PKISI *si); |
| 739 | int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si); |
| 740 | int ossl_cmp_pkisi_pkifailureinfo_check(const OSSL_CMP_PKISI *si, int bit_index); |
| 741 | |
| 742 | /* from cmp_hdr.c */ |
| 743 | int ossl_cmp_hdr_set_pvno(OSSL_CMP_PKIHEADER *hdr, int pvno); |
| 744 | int ossl_cmp_hdr_get_pvno(const OSSL_CMP_PKIHEADER *hdr); |
| 745 | ASN1_OCTET_STRING *ossl_cmp_hdr_get0_senderNonce(const OSSL_CMP_PKIHEADER *hdr); |
| 746 | int ossl_cmp_hdr_set1_sender(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm); |
| 747 | int ossl_cmp_hdr_set1_recipient(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm); |
| 748 | int ossl_cmp_hdr_update_messageTime(OSSL_CMP_PKIHEADER *hdr); |
| 749 | int ossl_cmp_hdr_set1_senderKID(OSSL_CMP_PKIHEADER *hdr, |
| 750 | const ASN1_OCTET_STRING *senderKID); |
| 751 | int ossl_cmp_pkifreetext_push_str(OSSL_CMP_PKIFREETEXT *ft, const char *text); |
| 752 | int ossl_cmp_hdr_push0_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text); |
| 753 | int ossl_cmp_hdr_push1_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text); |
| 754 | int ossl_cmp_hdr_generalInfo_push0_item(OSSL_CMP_PKIHEADER *hdr, |
| 755 | OSSL_CMP_ITAV *itav); |
| 756 | int ossl_cmp_hdr_generalInfo_push1_items(OSSL_CMP_PKIHEADER *hdr, |
| 757 | STACK_OF(OSSL_CMP_ITAV) *itavs); |
| 758 | int ossl_cmp_hdr_set_implicitConfirm(OSSL_CMP_PKIHEADER *hdr); |
| 759 | int ossl_cmp_hdr_check_implicitConfirm(const OSSL_CMP_PKIHEADER *hdr); |
| 760 | # define OSSL_CMP_TRANSACTIONID_LENGTH 16 |
| 761 | # define OSSL_CMP_SENDERNONCE_LENGTH 16 |
| 762 | int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr); |
| 763 | |
| 764 | /* from cmp_msg.c */ |
| 765 | /* OSSL_CMP_MSG bodytype ASN.1 choice IDs */ |
| 766 | # define OSSL_CMP_PKIBODY_IR 0 |
| 767 | # define OSSL_CMP_PKIBODY_IP 1 |
| 768 | # define OSSL_CMP_PKIBODY_CR 2 |
| 769 | # define OSSL_CMP_PKIBODY_CP 3 |
| 770 | # define OSSL_CMP_PKIBODY_P10CR 4 |
| 771 | # define OSSL_CMP_PKIBODY_POPDECC 5 |
| 772 | # define OSSL_CMP_PKIBODY_POPDECR 6 |
| 773 | # define OSSL_CMP_PKIBODY_KUR 7 |
| 774 | # define OSSL_CMP_PKIBODY_KUP 8 |
| 775 | # define OSSL_CMP_PKIBODY_KRR 9 |
| 776 | # define OSSL_CMP_PKIBODY_KRP 10 |
| 777 | # define OSSL_CMP_PKIBODY_RR 11 |
| 778 | # define OSSL_CMP_PKIBODY_RP 12 |
| 779 | # define OSSL_CMP_PKIBODY_CCR 13 |
| 780 | # define OSSL_CMP_PKIBODY_CCP 14 |
| 781 | # define OSSL_CMP_PKIBODY_CKUANN 15 |
| 782 | # define OSSL_CMP_PKIBODY_CANN 16 |
| 783 | # define OSSL_CMP_PKIBODY_RANN 17 |
| 784 | # define OSSL_CMP_PKIBODY_CRLANN 18 |
| 785 | # define OSSL_CMP_PKIBODY_PKICONF 19 |
| 786 | # define OSSL_CMP_PKIBODY_NESTED 20 |
| 787 | # define OSSL_CMP_PKIBODY_GENM 21 |
| 788 | # define OSSL_CMP_PKIBODY_GENP 22 |
| 789 | # define OSSL_CMP_PKIBODY_ERROR 23 |
| 790 | # define OSSL_CMP_PKIBODY_CERTCONF 24 |
| 791 | # define OSSL_CMP_PKIBODY_POLLREQ 25 |
| 792 | # define OSSL_CMP_PKIBODY_POLLREP 26 |
| 793 | # define OSSL_CMP_PKIBODY_TYPE_MAX OSSL_CMP_PKIBODY_POLLREP |
| 794 | const char *ossl_cmp_bodytype_to_string(int type); |
| 795 | int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type); |
| 796 | int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg); |
| 797 | OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype); |
| 798 | OSSL_CMP_MSG *ossl_cmp_certReq_new(OSSL_CMP_CTX *ctx, int bodytype, |
| 799 | int err_code); |
| 800 | OSSL_CMP_MSG *ossl_cmp_certRep_new(OSSL_CMP_CTX *ctx, int bodytype, |
| 801 | int certReqId, OSSL_CMP_PKISI *si, |
| 802 | X509 *cert, STACK_OF(X509) *chain, |
| 803 | STACK_OF(X509) *caPubs, int encrypted, |
| 804 | int unprotectedErrors); |
| 805 | OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx); |
| 806 | OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si, |
| 807 | OSSL_CRMF_CERTID *certId, int unprot_err); |
| 808 | OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx); |
| 809 | int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav); |
| 810 | int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg, |
| 811 | STACK_OF(OSSL_CMP_ITAV) *itavs); |
| 812 | OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx); |
| 813 | OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx); |
| 814 | OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si, |
| 815 | int errorCode, |
| 816 | OSSL_CMP_PKIFREETEXT *errorDetails, |
| 817 | int unprotected); |
| 818 | int ossl_cmp_certstatus_set_certHash(OSSL_CMP_CERTSTATUS *certStatus, |
| 819 | const X509 *cert); |
| 820 | OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info, |
| 821 | const char *text); |
| 822 | OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid); |
| 823 | OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, |
| 824 | int64_t poll_after); |
| 825 | OSSL_CMP_PKISI * |
| 826 | ossl_cmp_revrepcontent_get_pkistatusinfo(OSSL_CMP_REVREPCONTENT *rrep, int rsid); |
| 827 | OSSL_CRMF_CERTID *ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rrep, |
| 828 | int rsid); |
| 829 | OSSL_CMP_POLLREP * |
| 830 | ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc, |
| 831 | int rid); |
| 832 | OSSL_CMP_CERTRESPONSE * |
| 833 | ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crepmsg, |
| 834 | int rid); |
| 835 | X509 *ossl_cmp_certresponse_get1_certificate(EVP_PKEY *privkey, |
| 836 | const OSSL_CMP_CERTRESPONSE *crep); |
| 837 | OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file); |
| 838 | /* BIO definitions */ |
| 839 | # define OSSL_d2i_CMP_MSG_bio(bp, p) \ |
| 840 | ASN1_d2i_bio_of(OSSL_CMP_MSG, OSSL_CMP_MSG_new, d2i_OSSL_CMP_MSG, bp, p) |
| 841 | # define OSSL_i2d_CMP_MSG_bio(bp, o) \ |
| 842 | ASN1_i2d_bio_of(OSSL_CMP_MSG, i2d_OSSL_CMP_MSG, bp, o) |
| 843 | |
| 844 | /* from cmp_protect.c */ |
| 845 | ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_MSG *msg, |
| 846 | const ASN1_OCTET_STRING *secret, |
| 847 | EVP_PKEY *pkey); |
| 848 | int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); |
| 849 | int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); |
| 850 | |
| 851 | #endif /* !defined OSSL_CRYPTO_CMP_LOCAL_H */ |
| 852 |
Generated while processing ClickHouse/contrib/openssl/crypto/cmp/cmp_asn.c
Generated on 2020-Jan-04 from project ClickHouse revision 19.17.6
Powered by 
Code Browser 2.1
Generator usage only permitted with license.