e78968aaa17b4a2c4a8eaac29b314f4fa148542a
[openssl.git] / crypto / cmp / cmp_int.h
1 /*
2  * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright Nokia 2007-2019
4  * Copyright Siemens AG 2015-2019
5  *
6  * Licensed under the Apache License 2.0 (the "License").  You may not use
7  * this file except in compliance with the License.  You can obtain a copy
8  * in the file LICENSE in the source distribution or at
9  * https://www.openssl.org/source/license.html
10  *
11  * CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
12  */
13
14 #ifndef OSSL_HEADER_CMP_INT_H
15 # define OSSL_HEADER_CMP_INT_H
16
17 # include "internal/cryptlib.h"
18
19 # include <openssl/cmp.h>
20 # include <openssl/err.h>
21
22 /* explicit #includes not strictly needed since implied by the above: */
23 # include <openssl/crmf.h>
24 # include <openssl/ossl_typ.h>
25 # include <openssl/safestack.h>
26 # include <openssl/x509.h>
27 # include <openssl/x509v3.h>
28
29 /*
30  * ##########################################################################
31  * ASN.1 DECLARATIONS
32  * ##########################################################################
33  */
34
35 /*-
36  *   RevAnnContent ::= SEQUENCE {
37  *       status              PKIStatus,
38  *       certId              CertId,
39  *       willBeRevokedAt     GeneralizedTime,
40  *       badSinceDate        GeneralizedTime,
41  *       crlDetails          Extensions  OPTIONAL
42  *       -- extra CRL details (e.g., crl number, reason, location, etc.)
43  *   }
44  */
45 typedef struct OSSL_cmp_revanncontent_st {
46     ASN1_INTEGER *status;
47     OSSL_CRMF_CERTID *certId;
48     ASN1_GENERALIZEDTIME *willBeRevokedAt;
49     ASN1_GENERALIZEDTIME *badSinceDate;
50     X509_EXTENSIONS *crlDetails;
51 } OSSL_CMP_REVANNCONTENT;
52 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
53
54 /*-
55  *   Challenge ::= SEQUENCE {
56  *       owf                 AlgorithmIdentifier  OPTIONAL,
57  *
58  *       -- MUST be present in the first Challenge; MAY be omitted in
59  *       -- any subsequent Challenge in POPODecKeyChallContent (if
60  *       -- omitted, then the owf used in the immediately preceding
61  *       -- Challenge is to be used).
62  *
63  *       witness             OCTET STRING,
64  *       -- the result of applying the one-way function (owf) to a
65  *       -- randomly-generated INTEGER, A.  [Note that a different
66  *       -- INTEGER MUST be used for each Challenge.]
67  *       challenge           OCTET STRING
68  *       -- the encryption (under the public key for which the cert.
69  *       -- request is being made) of Rand, where Rand is specified as
70  *       --   Rand ::= SEQUENCE {
71  *       --      int      INTEGER,
72  *       --       - the randomly-generated INTEGER A (above)
73  *       --      sender   GeneralName
74  *       --       - the sender's name (as included in PKIHeader)
75  *       --   }
76  *   }
77  */
78 typedef struct OSSL_cmp_challenge_st {
79     X509_ALGOR *owf;
80     ASN1_OCTET_STRING *witness;
81     ASN1_OCTET_STRING *challenge;
82 } OSSL_CMP_CHALLENGE;
83 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
84
85 /*-
86  *  CAKeyUpdAnnContent ::= SEQUENCE {
87  *     oldWithNew         Certificate,
88  *     newWithOld         Certificate,
89  *     newWithNew         Certificate
90  *  }
91  */
92 typedef struct OSSL_cmp_cakeyupdanncontent_st {
93     X509 *oldWithNew;
94     X509 *newWithOld;
95     X509 *newWithNew;
96 } OSSL_CMP_CAKEYUPDANNCONTENT;
97 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
98
99 /*-
100  * declared already here as it will be used in OSSL_CMP_MSG (nested) and
101  * infoType and infoValue
102  */
103 typedef STACK_OF(OSSL_CMP_MSG) OSSL_CMP_MSGS;
104 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS)
105
106 /*-
107  *   InfoTypeAndValue ::= SEQUENCE {
108  *       infoType               OBJECT IDENTIFIER,
109  *       infoValue              ANY DEFINED BY infoType  OPTIONAL
110  *   }
111  */
112 struct OSSL_cmp_itav_st {
113     ASN1_OBJECT *infoType;
114     union {
115         char *ptr;
116         /* NID_id_it_caProtEncCert - CA Protocol Encryption Certificate */
117         X509 *caProtEncCert;
118         /* NID_id_it_signKeyPairTypes - Signing Key Pair Types */
119         STACK_OF(X509_ALGOR) *signKeyPairTypes;
120         /* NID_id_it_encKeyPairTypes - Encryption/Key Agreement Key Pair Types */
121         STACK_OF(X509_ALGOR) *encKeyPairTypes;
122         /* NID_id_it_preferredSymmAlg - Preferred Symmetric Algorithm */
123         X509_ALGOR *preferredSymmAlg;
124         /* NID_id_it_caKeyUpdateInfo - Updated CA Key Pair */
125         OSSL_CMP_CAKEYUPDANNCONTENT *caKeyUpdateInfo;
126         /* NID_id_it_currentCRL - CRL */
127         X509_CRL *currentCRL;
128         /* NID_id_it_unsupportedOIDs - Unsupported Object Identifiers */
129         STACK_OF(ASN1_OBJECT) *unsupportedOIDs;
130         /* NID_id_it_keyPairParamReq - Key Pair Parameters Request */
131         ASN1_OBJECT *keyPairParamReq;
132         /* NID_id_it_keyPairParamRep - Key Pair Parameters Response */
133         X509_ALGOR *keyPairParamRep;
134         /* NID_id_it_revPassphrase - Revocation Passphrase */
135         OSSL_CRMF_ENCRYPTEDVALUE *revPassphrase;
136         /* NID_id_it_implicitConfirm - ImplicitConfirm */
137         ASN1_NULL *implicitConfirm;
138         /* NID_id_it_confirmWaitTime - ConfirmWaitTime */
139         ASN1_GENERALIZEDTIME *confirmWaitTime;
140         /* NID_id_it_origPKIMessage - origPKIMessage */
141         OSSL_CMP_MSGS *origPKIMessage;
142         /* NID_id_it_suppLangTags - Supported Language Tags */
143         STACK_OF(ASN1_UTF8STRING) *suppLangTagsValue;
144         /* this is to be used for so far undeclared objects */
145         ASN1_TYPE *other;
146     } infoValue;
147 } /* OSSL_CMP_ITAV */;
148 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
149 DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
150
151
152 typedef struct OSSL_cmp_certorenccert_st {
153     int type;
154     union {
155         X509 *certificate;
156         OSSL_CRMF_ENCRYPTEDVALUE *encryptedCert;
157     } value;
158 } OSSL_CMP_CERTORENCCERT;
159 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
160
161 /*-
162  *   CertifiedKeyPair ::= SEQUENCE {
163  *       certOrEncCert       CertOrEncCert,
164  *       privateKey      [0] EncryptedValue      OPTIONAL,
165  *       -- see [CRMF] for comment on encoding
166  *       publicationInfo [1] PKIPublicationInfo  OPTIONAL
167  *   }
168  */
169 typedef struct OSSL_cmp_certifiedkeypair_st {
170     OSSL_CMP_CERTORENCCERT *certOrEncCert;
171     OSSL_CRMF_ENCRYPTEDVALUE *privateKey;
172     OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo;
173 } OSSL_CMP_CERTIFIEDKEYPAIR;
174 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
175
176 /*-
177  *   PKIStatusInfo ::= SEQUENCE {
178  *       status        PKIStatus,
179  *       statusString  PKIFreeText     OPTIONAL,
180  *       failInfo      PKIFailureInfo  OPTIONAL
181  *   }
182  */
183 struct OSSL_cmp_pkisi_st {
184     OSSL_CMP_PKISTATUS *status;
185     OSSL_CMP_PKIFREETEXT *statusString;
186     OSSL_CMP_PKIFAILUREINFO *failInfo;
187 } /* OSSL_CMP_PKISI */;
188 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKISI)
189 DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
190
191 /*-
192  *  RevReqContent ::= SEQUENCE OF RevDetails
193  *
194  *  RevDetails ::= SEQUENCE {
195  *      certDetails         CertTemplate,
196  *      crlEntryDetails     Extensions       OPTIONAL
197  *  }
198  */
199 typedef struct OSSL_cmp_revdetails_st {
200     OSSL_CRMF_CERTTEMPLATE *certDetails;
201     X509_EXTENSIONS *crlEntryDetails;
202 } OSSL_CMP_REVDETAILS;
203 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS)
204 DEFINE_STACK_OF(OSSL_CMP_REVDETAILS)
205
206 /*-
207  *   RevRepContent ::= SEQUENCE {
208  *       status       SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
209  *       -- in same order as was sent in RevReqContent
210  *       revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId
211  *                                           OPTIONAL,
212  *       -- IDs for which revocation was requested
213  *       -- (same order as status)
214  *       crls     [1] SEQUENCE SIZE (1..MAX) OF CertificateList
215  *                                           OPTIONAL
216  *       -- the resulting CRLs (there may be more than one)
217  *   }
218  */
219 struct OSSL_cmp_revrepcontent_st {
220     STACK_OF(OSSL_CMP_PKISI) *status;
221     STACK_OF(OSSL_CRMF_CERTID) *revCerts;
222     STACK_OF(X509_CRL) *crls;
223 } /* OSSL_CMP_REVREPCONTENT */;
224 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
225
226 /*-
227  *  KeyRecRepContent ::= SEQUENCE {
228  *      status          PKIStatusInfo,
229  *      newSigCert  [0] Certificate                   OPTIONAL,
230  *      caCerts     [1] SEQUENCE SIZE (1..MAX) OF
231  *                                   Certificate      OPTIONAL,
232  *      keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
233  *                                   CertifiedKeyPair OPTIONAL
234  *   }
235  */
236 typedef struct OSSL_cmp_keyrecrepcontent_st {
237     OSSL_CMP_PKISI *status;
238     X509 *newSigCert;
239     STACK_OF(X509) *caCerts;
240     STACK_OF(OSSL_CMP_CERTIFIEDKEYPAIR) *keyPairHist;
241 } OSSL_CMP_KEYRECREPCONTENT;
242 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
243
244 /*-
245  *   ErrorMsgContent ::= SEQUENCE {
246  *       pKIStatusInfo          PKIStatusInfo,
247  *       errorCode              INTEGER           OPTIONAL,
248  *       -- implementation-specific error codes
249  *       errorDetails           PKIFreeText       OPTIONAL
250  *       -- implementation-specific error details
251  *   }
252  */
253 typedef struct OSSL_cmp_errormsgcontent_st {
254     OSSL_CMP_PKISI *pKIStatusInfo;
255     ASN1_INTEGER *errorCode;
256     OSSL_CMP_PKIFREETEXT *errorDetails;
257 } OSSL_CMP_ERRORMSGCONTENT;
258 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
259
260 /*-
261  *   CertConfirmContent ::= SEQUENCE OF CertStatus
262  *
263  *   CertStatus ::= SEQUENCE {
264  *      certHash    OCTET STRING,
265  *      -- the hash of the certificate, using the same hash algorithm
266  *      -- as is used to create and verify the certificate signature
267  *      certReqId   INTEGER,
268  *      -- to match this confirmation with the corresponding req/rep
269  *      statusInfo  PKIStatusInfo OPTIONAL
270  *   }
271  */
272 struct OSSL_cmp_certstatus_st {
273     ASN1_OCTET_STRING *certHash;
274     ASN1_INTEGER *certReqId;
275     OSSL_CMP_PKISI *statusInfo;
276 } /* OSSL_CMP_CERTSTATUS */;
277 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)
278
279 typedef STACK_OF(OSSL_CMP_CERTSTATUS) OSSL_CMP_CERTCONFIRMCONTENT;
280 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT)
281
282 /*-
283  *   CertResponse ::= SEQUENCE {
284  *       certReqId           INTEGER,
285  *       -- to match this response with corresponding request (a value
286  *       -- of -1 is to be used if certReqId is not specified in the
287  *       -- corresponding request)
288  *       status              PKIStatusInfo,
289  *       certifiedKeyPair    CertifiedKeyPair    OPTIONAL,
290  *       rspInfo             OCTET STRING        OPTIONAL
291  *       -- analogous to the id-regInfo-utf8Pairs string defined
292  *       -- for regInfo in CertReqMsg [CRMF]
293  *   }
294  */
295 struct OSSL_cmp_certresponse_st {
296     ASN1_INTEGER *certReqId;
297     OSSL_CMP_PKISI *status;
298     OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair;
299     ASN1_OCTET_STRING *rspInfo;
300 } /* OSSL_CMP_CERTRESPONSE */;
301 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
302
303 /*-
304  *   CertRepMessage ::= SEQUENCE {
305  *       caPubs       [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
306  *                        OPTIONAL,
307  *       response         SEQUENCE OF CertResponse
308  *   }
309  */
310 struct OSSL_cmp_certrepmessage_st {
311     STACK_OF(X509) *caPubs;
312     STACK_OF(OSSL_CMP_CERTRESPONSE) *response;
313 } /* OSSL_CMP_CERTREPMESSAGE */;
314 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
315
316 /*-
317  *   PollReqContent ::= SEQUENCE OF SEQUENCE {
318  *         certReqId                              INTEGER
319  *   }
320  */
321 typedef struct OSSL_cmp_pollreq_st {
322     ASN1_INTEGER *certReqId;
323 } OSSL_CMP_POLLREQ;
324 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
325 DEFINE_STACK_OF(OSSL_CMP_POLLREQ)
326 typedef STACK_OF(OSSL_CMP_POLLREQ) OSSL_CMP_POLLREQCONTENT;
327 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQCONTENT)
328
329 /*-
330  * PollRepContent ::= SEQUENCE OF SEQUENCE {
331  *         certReqId                              INTEGER,
332  *         checkAfter                             INTEGER,  -- time in seconds
333  *         reason                                 PKIFreeText OPTIONAL
334  * }
335  */
336 struct OSSL_cmp_pollrep_st {
337     ASN1_INTEGER *certReqId;
338     ASN1_INTEGER *checkAfter;
339     OSSL_CMP_PKIFREETEXT *reason;
340 } /* OSSL_CMP_POLLREP */;
341 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREP)
342 DEFINE_STACK_OF(OSSL_CMP_POLLREP)
343 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT)
344
345 /*-
346  * PKIHeader ::= SEQUENCE {
347  *     pvno                INTEGER     { cmp1999(1), cmp2000(2) },
348  *     sender              GeneralName,
349  *     -- identifies the sender
350  *     recipient           GeneralName,
351  *     -- identifies the intended recipient
352  *     messageTime     [0] GeneralizedTime         OPTIONAL,
353  *     -- time of production of this message (used when sender
354  *     -- believes that the transport will be "suitable"; i.e.,
355  *     -- that the time will still be meaningful upon receipt)
356  *     protectionAlg   [1] AlgorithmIdentifier     OPTIONAL,
357  *     -- algorithm used for calculation of protection bits
358  *     senderKID       [2] KeyIdentifier           OPTIONAL,
359  *     recipKID        [3] KeyIdentifier           OPTIONAL,
360  *     -- to identify specific keys used for protection
361  *     transactionID   [4] OCTET STRING            OPTIONAL,
362  *     -- identifies the transaction; i.e., this will be the same in
363  *     -- corresponding request, response, certConf, and PKIConf
364  *     -- messages
365  *     senderNonce     [5] OCTET STRING            OPTIONAL,
366  *     recipNonce      [6] OCTET STRING            OPTIONAL,
367  *     -- nonces used to provide replay protection, senderNonce
368  *     -- is inserted by the creator of this message; recipNonce
369  *     -- is a nonce previously inserted in a related message by
370  *     -- the intended recipient of this message
371  *     freeText        [7] PKIFreeText             OPTIONAL,
372  *     -- this may be used to indicate context-specific instructions
373  *     -- (this field is intended for human consumption)
374  *     generalInfo     [8] SEQUENCE SIZE (1..MAX) OF
375  *                            InfoTypeAndValue     OPTIONAL
376  *     -- this may be used to convey context-specific information
377  *     -- (this field not primarily intended for human consumption)
378  *   }
379  */
380 struct OSSL_cmp_pkiheader_st {
381     ASN1_INTEGER *pvno;
382     GENERAL_NAME *sender;
383     GENERAL_NAME *recipient;
384     ASN1_GENERALIZEDTIME *messageTime; /* 0 */
385     X509_ALGOR *protectionAlg; /* 1 */
386     ASN1_OCTET_STRING *senderKID; /* 2 */
387     ASN1_OCTET_STRING *recipKID; /* 3 */
388     ASN1_OCTET_STRING *transactionID; /* 4 */
389     ASN1_OCTET_STRING *senderNonce; /* 5 */
390     ASN1_OCTET_STRING *recipNonce; /* 6 */
391     OSSL_CMP_PKIFREETEXT *freeText; /* 7 */
392     STACK_OF(OSSL_CMP_ITAV) *generalInfo; /* 8 */
393 } /* OSSL_CMP_PKIHEADER */;
394
395 typedef STACK_OF(OSSL_CMP_CHALLENGE) OSSL_CMP_POPODECKEYCHALLCONTENT;
396 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYCHALLCONTENT)
397 typedef STACK_OF(ASN1_INTEGER) OSSL_CMP_POPODECKEYRESPCONTENT;
398 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYRESPCONTENT)
399 typedef STACK_OF(OSSL_CMP_REVDETAILS) OSSL_CMP_REVREQCONTENT;
400 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREQCONTENT)
401 typedef STACK_OF(X509_CRL) OSSL_CMP_CRLANNCONTENT;
402 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CRLANNCONTENT)
403 typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENMSGCONTENT;
404 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENMSGCONTENT)
405 typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENREPCONTENT;
406 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENREPCONTENT)
407
408 /*-
409  *   PKIBody ::= CHOICE {           -- message-specific body elements
410  *           ir       [0]  CertReqMessages,            --Initialization Request
411  *           ip       [1]  CertRepMessage,             --Initialization Response
412  *           cr       [2]  CertReqMessages,            --Certification Request
413  *           cp       [3]  CertRepMessage,             --Certification Response
414  *           p10cr    [4]  CertificationRequest,       --imported from [PKCS10]
415  *           popdecc  [5]  POPODecKeyChallContent,     --pop Challenge
416  *           popdecr  [6]  POPODecKeyRespContent,      --pop Response
417  *           kur      [7]  CertReqMessages,            --Key Update Request
418  *           kup      [8]  CertRepMessage,             --Key Update Response
419  *           krr      [9]  CertReqMessages,            --Key Recovery Request
420  *           krp      [10] KeyRecRepContent,           --Key Recovery Response
421  *           rr       [11] RevReqContent,              --Revocation Request
422  *           rp       [12] RevRepContent,              --Revocation Response
423  *           ccr      [13] CertReqMessages,            --Cross-Cert. Request
424  *           ccp      [14] CertRepMessage,             --Cross-Cert. Response
425  *           ckuann   [15] CAKeyUpdAnnContent,         --CA Key Update Ann.
426  *           cann     [16] CertAnnContent,             --Certificate Ann.
427  *           rann     [17] RevAnnContent,              --Revocation Ann.
428  *           crlann   [18] CRLAnnContent,              --CRL Announcement
429  *           pkiconf  [19] PKIConfirmContent,          --Confirmation
430  *           nested   [20] NestedMessageContent,       --Nested Message
431  *           genm     [21] GenMsgContent,              --General Message
432  *           genp     [22] GenRepContent,              --General Response
433  *           error    [23] ErrorMsgContent,            --Error Message
434  *           certConf [24] CertConfirmContent,         --Certificate confirm
435  *           pollReq  [25] PollReqContent,             --Polling request
436  *           pollRep  [26] PollRepContent              --Polling response
437  */
438 typedef struct OSSL_cmp_pkibody_st {
439     int type;
440     union {
441         OSSL_CRMF_MSGS *ir; /* 0 */
442         OSSL_CMP_CERTREPMESSAGE *ip; /* 1 */
443         OSSL_CRMF_MSGS *cr; /* 2 */
444         OSSL_CMP_CERTREPMESSAGE *cp; /* 3 */
445         /* p10cr      [4]  CertificationRequest,     --imported from [PKCS10] */
446         /*
447          * PKCS10_CERTIFICATIONREQUEST is effectively X509_REQ
448          * so it is used directly
449          */
450         X509_REQ *p10cr; /* 4 */
451         /* popdecc    [5]  POPODecKeyChallContent, --pop Challenge */
452         /* POPODecKeyChallContent ::= SEQUENCE OF Challenge */
453         OSSL_CMP_POPODECKEYCHALLCONTENT *popdecc; /* 5 */
454         /* popdecr    [6]  POPODecKeyRespContent,  --pop Response */
455         /* POPODecKeyRespContent ::= SEQUENCE OF INTEGER */
456         OSSL_CMP_POPODECKEYRESPCONTENT *popdecr; /* 6 */
457         OSSL_CRMF_MSGS *kur; /* 7 */
458         OSSL_CMP_CERTREPMESSAGE *kup; /* 8 */
459         OSSL_CRMF_MSGS *krr; /* 9 */
460
461         /* krp        [10] KeyRecRepContent,         --Key Recovery Response */
462         OSSL_CMP_KEYRECREPCONTENT *krp; /* 10 */
463         /* rr         [11] RevReqContent,            --Revocation Request */
464         OSSL_CMP_REVREQCONTENT *rr; /* 11 */
465         /* rp         [12] RevRepContent,            --Revocation Response */
466         OSSL_CMP_REVREPCONTENT *rp; /* 12 */
467         /* ccr        [13] CertReqMessages,          --Cross-Cert. Request */
468         OSSL_CRMF_MSGS *ccr; /* 13 */
469         /* ccp        [14] CertRepMessage,           --Cross-Cert. Response */
470         OSSL_CMP_CERTREPMESSAGE *ccp; /* 14 */
471         /* ckuann     [15] CAKeyUpdAnnContent,       --CA Key Update Ann. */
472         OSSL_CMP_CAKEYUPDANNCONTENT *ckuann; /* 15 */
473         /* cann       [16] CertAnnContent,           --Certificate Ann. */
474         /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
475         X509 *cann;         /* 16 */
476         /* rann       [17] RevAnnContent,            --Revocation Ann. */
477         OSSL_CMP_REVANNCONTENT *rann; /* 17 */
478         /* crlann     [18] CRLAnnContent,            --CRL Announcement */
479         /* CRLAnnContent ::= SEQUENCE OF CertificateList */
480         OSSL_CMP_CRLANNCONTENT *crlann;
481         /* PKIConfirmContent ::= NULL */
482         /* pkiconf    [19] PKIConfirmContent,        --Confirmation */
483         /* OSSL_CMP_PKICONFIRMCONTENT would be only a typedef of ASN1_NULL */
484         /* OSSL_CMP_CONFIRMCONTENT *pkiconf; */
485         /*
486          * NOTE: this should ASN1_NULL according to the RFC
487          * but there might be a struct in it when sent from faulty servers...
488          */
489         ASN1_TYPE *pkiconf; /* 19 */
490         /* nested     [20] NestedMessageContent,     --Nested Message */
491         /* NestedMessageContent ::= PKIMessages */
492         OSSL_CMP_MSGS *nested; /* 20 */
493         /* genm       [21] GenMsgContent,            --General Message */
494         /* GenMsgContent ::= SEQUENCE OF InfoTypeAndValue */
495         OSSL_CMP_GENMSGCONTENT *genm; /* 21 */
496         /* genp       [22] GenRepContent,            --General Response */
497         /* GenRepContent ::= SEQUENCE OF InfoTypeAndValue */
498         OSSL_CMP_GENREPCONTENT *genp; /* 22 */
499         /* error      [23] ErrorMsgContent,          --Error Message */
500         OSSL_CMP_ERRORMSGCONTENT *error; /* 23 */
501         /* certConf [24] CertConfirmContent,     --Certificate confirm */
502         OSSL_CMP_CERTCONFIRMCONTENT *certConf; /* 24 */
503         /* pollReq    [25] PollReqContent,           --Polling request */
504         OSSL_CMP_POLLREQCONTENT *pollReq;
505         /* pollRep    [26] PollRepContent            --Polling response */
506         OSSL_CMP_POLLREPCONTENT *pollRep;
507     } value;
508 } OSSL_CMP_PKIBODY;
509 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
510
511 /*-
512  *   PKIProtection ::= BIT STRING
513  *
514  *   PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage
515  *
516  *    PKIMessage ::= SEQUENCE {
517  *           header           PKIHeader,
518  *           body             PKIBody,
519  *           protection   [0] PKIProtection OPTIONAL,
520  *           extraCerts   [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
521  *                                            OPTIONAL
522  *   }
523  */
524 struct OSSL_cmp_msg_st {
525     OSSL_CMP_PKIHEADER *header;
526     OSSL_CMP_PKIBODY *body;
527     ASN1_BIT_STRING *protection; /* 0 */
528     /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
529     STACK_OF(X509) *extraCerts; /* 1 */
530 } /* OSSL_CMP_MSG */;
531 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSG)
532
533 /*-
534  * ProtectedPart ::= SEQUENCE {
535  * header    PKIHeader,
536  * body      PKIBody
537  * }
538  */
539 typedef struct cmp_protectedpart_st {
540     OSSL_CMP_PKIHEADER *header;
541     OSSL_CMP_PKIBODY *body;
542 } CMP_PROTECTEDPART;
543 DECLARE_ASN1_FUNCTIONS(CMP_PROTECTEDPART)
544
545 /*-
546  *  this is not defined here as it is already in CRMF:
547  *   id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13}
548  *   PBMParameter ::= SEQUENCE {
549  *           salt                OCTET STRING,
550  *           -- note:  implementations MAY wish to limit acceptable sizes
551  *           -- of this string to values appropriate for their environment
552  *           -- in order to reduce the risk of denial-of-service attacks
553  *           owf                 AlgorithmIdentifier,
554  *           -- AlgId for a One-Way Function (SHA-1 recommended)
555  *           iterationCount      INTEGER,
556  *           -- number of times the OWF is applied
557  *           -- note:  implementations MAY wish to limit acceptable sizes
558  *           -- of this integer to values appropriate for their environment
559  *           -- in order to reduce the risk of denial-of-service attacks
560  *           mac                 AlgorithmIdentifier
561  *           -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
562  *   }       -- or HMAC [RFC2104, RFC2202])
563  */
564 /*-
565  *  TODO: this is not yet defined here - but DH is anyway not used yet
566  *
567  *   id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30}
568  *   DHBMParameter ::= SEQUENCE {
569  *           owf                 AlgorithmIdentifier,
570  *           -- AlgId for a One-Way Function (SHA-1 recommended)
571  *           mac                 AlgorithmIdentifier
572  *           -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
573  *   }       -- or HMAC [RFC2104, RFC2202])
574  */
575 /*-
576  * The following is not cared for, because it is described in section 5.2.5
577  * that this is beyond the scope of CMP
578  *   OOBCert ::= CMPCertificate
579  *
580  *   OOBCertHash ::= SEQUENCE {
581  *           hashAlg         [0] AlgorithmIdentifier         OPTIONAL,
582  *           certId          [1] CertId                      OPTIONAL,
583  *           hashVal             BIT STRING
584  *           -- hashVal is calculated over the DER encoding of the
585  *           -- self-signed certificate with the identifier certID.
586  *   }
587  */
588
589 #endif /* !defined OSSL_HEADER_CMP_INT_H */