X509_STORE *ts =
load_trusted(opt_srv_trusted, 0, "certs trusted by mock server");
- if (ts == NULL || !OSSL_CMP_CTX_set0_trustedStore(ctx, ts)) {
+ if (ts == NULL || !OSSL_CMP_CTX_set0_trusted(ctx, ts)) {
X509_STORE_free(ts);
goto err;
}
*/
ts = load_trusted(opt_trusted, 0, "certs trusted by client");
- if (ts == NULL || !OSSL_CMP_CTX_set0_trustedStore(ctx, ts)) {
+ if (ts == NULL || !OSSL_CMP_CTX_set0_trusted(ctx, ts)) {
X509_STORE_free(ts);
return 0;
}
/*
* Get current certificate store containing trusted root CA certs
*/
-DEFINE_OSSL_CMP_CTX_get0_NAME(trustedStore, trusted, X509_STORE)
+DEFINE_OSSL_CMP_CTX_get0_NAME(trusted, trusted, X509_STORE)
#define DEFINE_OSSL_set0(PREFIX, FIELD, TYPE) \
DEFINE_OSSL_set0_NAME(PREFIX, FIELD, FIELD, TYPE)
* and a cert verification callback function used for CMP server authentication.
* Any already existing store entry is freed. Given NULL, the entry is reset.
*/
-DEFINE_OSSL_set0_NAME(OSSL_CMP_CTX, trustedStore, trusted, X509_STORE)
+DEFINE_OSSL_set0_NAME(OSSL_CMP_CTX, trusted, trusted, X509_STORE)
/* Get current list of non-trusted intermediate certs */
DEFINE_OSSL_CMP_CTX_get0(untrusted, STACK_OF(X509))
Moreover, according to RFC 4210 section 5.3.2, if the message protection is
PBM-based then any certificates in the caPubs field are added to the list of
-trusted certificates (if set via L<OSSL_CMP_CTX_set0_trustedStore(3)>).
+trusted certificates (if set via L<OSSL_CMP_CTX_set0_trusted(3)>).
This way these certs are available for validating subsequent messages in the
same context and could apply to any Polling Response (pollRep), error, or PKI
Confirmation (PKIConf) messages following in the same or future transactions.
OSSL_CMP_CTX_get_transfer_cb_arg,
OSSL_CMP_CTX_set1_srvCert,
OSSL_CMP_CTX_set1_expected_sender,
+OSSL_CMP_CTX_set0_trusted,
OSSL_CMP_CTX_set0_trustedStore,
+OSSL_CMP_CTX_get0_trusted,
OSSL_CMP_CTX_get0_trustedStore,
OSSL_CMP_CTX_set1_untrusted,
OSSL_CMP_CTX_get0_untrusted,
int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX *ctx, X509 *cert);
int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx,
const X509_NAME *name);
+ #define OSSL_CMP_CTX_set0_trusted OSSL_CMP_CTX_set0_trustedStore
int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store);
+ #define OSSL_CMP_CTX_get0_trusted OSSL_CMP_CTX_get0_trustedStore
X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx);
OSSL_CMP_CTX_set1_srvCert() sets the expected server cert in I<ctx> and trusts
it directly (even if it is expired) when verifying signed response messages.
-May be used alternatively to OSSL_CMP_CTX_set0_trustedStore()
+May be used alternatively to OSSL_CMP_CTX_set0_trusted()
to pin the accepted server.
Any previously set value is freed.
The I<cert> argument may be NULL to clear the entry.
which pins the server to the holder of a particular certificate, while the
expected sender name will continue to match after updates of the server cert.
-OSSL_CMP_CTX_set0_trustedStore() sets the certificate store of type X509_STORE
+OSSL_CMP_CTX_set0_trusted() is an alias of the original
+OSSL_CMP_CTX_set0_trustedStore().
+It sets in the CMP context I<ctx> the certificate store of type X509_STORE
containing trusted (root) CA certificates.
The store may also hold CRLs and
a certificate verification callback function used for CMP server authentication.
Any store entry already set before is freed.
When given a NULL parameter the entry is cleared.
-OSSL_CMP_CTX_get0_trustedStore() returns a pointer to the currently set
+OSSL_CMP_CTX_get0_trusted() is an alias of the original
+OSSL_CMP_CTX_get0_trustedStore().
+It extracts from the CMP context I<ctx> the pointer to the currently set
certificate store containing trusted cert etc., or an empty store if unset.
OSSL_CMP_CTX_set1_untrusted() sets up a list of non-trusted certificates
OSSL_CMP_CTX_new(),
OSSL_CMP_CTX_get_http_cb_arg(),
OSSL_CMP_CTX_get_transfer_cb_arg(),
-OSSL_CMP_CTX_get0_trustedStore(),
+OSSL_CMP_CTX_get0_trusted(),
OSSL_CMP_CTX_get0_untrusted(),
OSSL_CMP_CTX_get0_newPkey(),
OSSL_CMP_CTX_get_certConf_cb_arg(),
OSSL_CMP_CTX_set1_server(cmp_ctx, name_or_address);
OSSL_CMP_CTX_set1_serverPort(cmp_ctx, port_string);
OSSL_CMP_CTX_set1_serverPath(cmp_ctx, path_or_alias);
- OSSL_CMP_CTX_set0_trustedStore(cmp_ctx, ts);
+ OSSL_CMP_CTX_set0_trusted(cmp_ctx, ts);
Set up client credentials for password-based protection (PBM):
The OpenSSL CMP support was added in OpenSSL 3.0.
+OSSL_CMP_CTX_get0_trustedStore() was renamed to OSSL_CMP_CTX_get0_trusted() and
+OSSL_CMP_CTX_set0_trustedStore() was renamed to OSSL_CMP_CTX_set0_trusted(),
+using macros, while keeping the old names for backward compatibility,
+in OpenSSL 3.1.
+
=head1 COPYRIGHT
Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
If no such sender cert has been pinned then candidate sender certificates are
taken from the list of certificates received in the I<msg> extraCerts, then any
certificates provided before via L<OSSL_CMP_CTX_set1_untrusted(3)>, and
-then all trusted certificates provided via L<OSSL_CMP_CTX_set0_trustedStore(3)>,
+then all trusted certificates provided via L<OSSL_CMP_CTX_set0_trusted(3)>,
where a candidate is acceptable only if has not expired, its subject DN matches
the I<msg> sender DN (as far as present), and its subject key identifier
is present and matches the senderKID (as far as the latter present).
Each acceptable cert is tried in the given order to see if the message
signature check succeeds and the cert and its path can be verified
-using any trust store set via L<OSSL_CMP_CTX_set0_trustedStore(3)>.
+using any trust store set via L<OSSL_CMP_CTX_set0_trusted(3)>.
If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling
L<OSSL_CMP_CTX_set_option(3)>, for an Initialization Response (IP) message
int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX *ctx, X509 *cert);
int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx, const X509_NAME *name);
int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store);
+#define OSSL_CMP_CTX_set0_trusted OSSL_CMP_CTX_set0_trustedStore
X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx);
+#define OSSL_CMP_CTX_get0_trusted OSSL_CMP_CTX_get0_trustedStore
int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx);
/* client authentication: */
return ret; \
}
+/* cannot use PREFIX instead of OSSL_CMP and CTX due to #define OSSL_CMP_CTX */
#define DEFINE_SET_GET_TEST(OSSL_CMP, CTX, N, M, DUP, FIELD, TYPE) \
DEFINE_SET_GET_BASE_TEST(OSSL_CMP##_##CTX, set##N, get##M, DUP, FIELD, \
TYPE *, NULL, IS_0, TYPE##_new(), TYPE##_free)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, srvCert, X509)
DEFINE_SET_TEST(ossl_cmp, ctx, 0, 0, validatedSrvCert, X509)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, expected_sender, X509_NAME)
-DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set0, get0, 0, trustedStore,
+DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set0, get0, 0, trusted,
X509_STORE *, NULL,
DEFAULT_STORE, X509_STORE_new_1(), X509_STORE_free)
DEFINE_SET_GET_SK_X509_TEST(OSSL_CMP, CTX, 1, 0, untrusted)
ADD_TEST(test_CTX_set1_get0_srvCert);
ADD_TEST(test_CTX_set0_get0_validatedSrvCert);
ADD_TEST(test_CTX_set1_get0_expected_sender);
- ADD_TEST(test_CTX_set0_get0_trustedStore);
+ ADD_TEST(test_CTX_set0_get0_trusted);
ADD_TEST(test_CTX_set1_get0_untrusted);
/* client authentication: */
ADD_TEST(test_CTX_set1_get0_cert);
fixture->test_case_name = test_case_name;
if (ts == NULL
|| !TEST_ptr(fixture->cmp_ctx = OSSL_CMP_CTX_new(libctx, NULL))
- || !OSSL_CMP_CTX_set0_trustedStore(fixture->cmp_ctx, ts)
+ || !OSSL_CMP_CTX_set0_trusted(fixture->cmp_ctx, ts)
|| !OSSL_CMP_CTX_set_log_cb(fixture->cmp_ctx, print_to_bio_out)) {
tear_down(fixture);
X509_STORE_free(ts);
static int execute_validate_cert_path_test(CMP_VFY_TEST_FIXTURE *fixture)
{
- X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore(fixture->cmp_ctx);
+ X509_STORE *ts = OSSL_CMP_CTX_get0_trusted(fixture->cmp_ctx);
int res = TEST_int_eq(fixture->expected,
OSSL_CMP_validate_cert_path(fixture->cmp_ctx,
ts, fixture->cert));
static int add_trusted(OSSL_CMP_CTX *ctx, X509 *cert)
{
- return X509_STORE_add_cert(OSSL_CMP_CTX_get0_trustedStore(ctx), cert);
+ return X509_STORE_add_cert(OSSL_CMP_CTX_get0_trusted(ctx), cert);
}
static int add_untrusted(OSSL_CMP_CTX *ctx, X509 *cert)
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
- ts = OSSL_CMP_CTX_get0_trustedStore(fixture->cmp_ctx);
+ ts = OSSL_CMP_CTX_get0_trusted(fixture->cmp_ctx);
fixture->expected = !expired;
if (ts == NULL
|| !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx))
(*fixture)->cert = endentity2;
(*fixture)->expected = wrong == NULL && !expired;
if (expired) {
- X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore((*fixture)->cmp_ctx);
+ X509_STORE *ts = OSSL_CMP_CTX_get0_trusted((*fixture)->cmp_ctx);
X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts);
X509_VERIFY_PARAM_set_time(vpm, test_time_after_expiration);
}
OSSL_CMP_exec_CR_ses define
OSSL_CMP_exec_P10CR_ses define
OSSL_CMP_exec_KUR_ses define
+OSSL_CMP_CTX_get0_trusted define
+OSSL_CMP_CTX_set0_trusted define
OSSL_CMP_CTX_set_log_verbosity define
OSSL_CMP_CR define
OSSL_CMP_IR define
projects / openssl.git / commitdiff