Add documentation of OSSL_CRMF_CERTID_dup()
[openssl.git] / doc / man3 / OSSL_CRMF_MSG_set0_validity.pod
1 =pod
2
3 =head1 NAME
4
5 OSSL_CRMF_MSG_set0_validity,
6 OSSL_CRMF_MSG_set_certReqId,
7 OSSL_CRMF_CERTTEMPLATE_fill,
8 OSSL_CRMF_MSG_set0_extensions,
9 OSSL_CRMF_MSG_push0_extension,
10 OSSL_CRMF_MSG_create_popo,
11 OSSL_CRMF_MSGS_verify_popo
12 - functions populating and verifying CRMF CertReqMsg structures
13
14 =head1 SYNOPSIS
15
16  #include <openssl/crmf.h>
17
18  int OSSL_CRMF_MSG_set0_validity(OSSL_CRMF_MSG *crm,
19                                  ASN1_TIME *notBefore, ASN1_TIME *notAfter);
20
21  int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid);
22
23  int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
24                                  EVP_PKEY *pubkey,
25                                  const X509_NAME *subject,
26                                  const X509_NAME *issuer,
27                                  const ASN1_INTEGER *serial);
28
29  int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, X509_EXTENSIONS *exts);
30
31  int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, X509_EXTENSION *ext);
32
33  int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
34                                int dgst, int ppmtd);
35
36  int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
37                                 int rid, int acceptRAVerified);
38
39 =head1 DESCRIPTION
40
41 OSSL_CRMF_MSG_set0_validity() sets the I<notBefore> and I<notAfter> fields
42 as validity constraints in the certTemplate of I<crm>.
43 Any of the I<notBefore> and I<notAfter> parameters may be NULL,
44 which means no constraint for the respective field.
45 On success ownership of I<notBefore> and I<notAfter> is transferred to I<crm>.
46
47 OSSL_CRMF_MSG_set_certReqId() sets I<rid> as the certReqId of I<crm>.
48
49 OSSL_CRMF_CERTTEMPLATE_fill() sets those fields of the certTemplate I<tmpl>
50 for which non-NULL values are provided: I<pubkey>, I<subject>, I<issuer>,
51 and/or I<serial>.
52 On success the reference counter of the I<pubkey> (if given) is incremented,
53 while the I<subject>, I<issuer>, and I<serial> structures (if given) are copied.
54
55 OSSL_CRMF_MSG_set0_extensions() sets I<exts> as the extensions in the
56 certTemplate of I<crm>. Frees any pre-existing ones and consumes I<exts>.
57
58 OSSL_CRMF_MSG_push0_extension() pushes the X509 extension I<ext> to the
59 extensions in the certTemplate of I<crm>.  Consumes I<ext>.
60
61 OSSL_CRMF_MSG_create_popo() creates and sets the Proof-of-Possession (POPO)
62 according to the method I<ppmtd> in I<crm>.
63 In case the method is OSSL_CRMF_POPO_SIGNATURE the POPO is calculated
64 using the private I<pkey> and the digest algorithm NID I<dgst>.
65
66 I<ppmtd> can be one of the following:
67
68 =over 8
69
70 =item * OSSL_CRMF_POPO_NONE       - RFC 4211, section 4, POP field omitted.
71 CA/RA uses out-of-band method to verify POP. Note that servers may fail in this
72 case, resulting for instance in HTTP error code 500 (Internal error).
73
74 =item * OSSL_CRMF_POPO_RAVERIFIED - RFC 4211, section 4, explicit indication
75 that the RA has already verified the POP.
76
77 =item * OSSL_CRMF_POPO_SIGNATURE  - RFC 4211, section 4.1, only case 3 supported
78 so far.
79
80 =item * OSSL_CRMF_POPO_KEYENC     - RFC 4211, section 4.2, only indirect method
81 (subsequentMessage/enccert) supported,
82 challenge-response exchange (challengeResp) not yet supported.
83
84 =item * OSSL_CRMF_POPO_KEYAGREE   - RFC 4211, section 4.3, not yet supported.
85
86 =back
87
88 OSSL_CRMF_MSGS_verify_popo verifies the Proof-of-Possession of the request with
89 the given I<rid> in the list of I<reqs>. Optionally accepts RAVerified.
90
91 =head1 RETURN VALUES
92
93 All functions return 1 on success, 0 on error.
94
95 =head1 SEE ALSO
96
97 RFC 4211
98
99 =head1 HISTORY
100
101 The OpenSSL CRMF support was added in OpenSSL 3.0.
102
103 =head1 COPYRIGHT
104
105 Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
106
107 Licensed under the Apache License 2.0 (the "License").  You may not use
108 this file except in compliance with the License.  You can obtain a copy
109 in the file LICENSE in the source distribution or at
110 L<https://www.openssl.org/source/license.html>.
111
112 =cut