2 * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
13 # define OPENSSL_CMP_H
15 # include <openssl/opensslconf.h>
16 # ifndef OPENSSL_NO_CMP
18 # include <openssl/crmf.h>
19 # include <openssl/cmperr.h>
20 # include <openssl/cmp_util.h>
22 /* explicit #includes not strictly needed since implied by the above: */
23 # include <openssl/types.h>
24 # include <openssl/safestack.h>
25 # include <openssl/x509.h>
26 # include <openssl/x509v3.h>
32 # define OSSL_CMP_PVNO 2
35 * PKIFailureInfo ::= BIT STRING {
36 * -- since we can fail in more than one way!
37 * -- More codes may be added in the future if/when required.
39 * -- unrecognized or unsupported Algorithm Identifier
40 * badMessageCheck (1),
41 * -- integrity check failed (e.g., signature did not verify)
43 * -- transaction not permitted or supported
45 * -- messageTime was not sufficiently close to the system time,
46 * -- as defined by local policy
48 * -- no certificate could be found matching the provided criteria
50 * -- the data submitted has the wrong format
52 * -- the authority indicated in the request is different from the
53 * -- one creating the response token
55 * -- the requester's data is incorrect (for notary services)
56 * missingTimeStamp (8),
57 * -- when the timestamp is missing but should be there
60 * -- the proof-of-possession failed
62 * -- the certificate has already been revoked
64 * -- the certificate has already been confirmed
65 * wrongIntegrity (12),
66 * -- invalid integrity, password based instead of signature or
68 * badRecipientNonce (13),
69 * -- invalid recipient nonce, either missing or wrong value
70 * timeNotAvailable (14),
71 * -- the TSA's time source is not available
72 * unacceptedPolicy (15),
73 * -- the requested TSA policy is not supported by the TSA.
74 * unacceptedExtension (16),
75 * -- the requested extension is not supported by the TSA.
76 * addInfoNotAvailable (17),
77 * -- the additional information requested could not be
78 * -- understood or is not available
79 * badSenderNonce (18),
80 * -- invalid sender nonce, either missing or wrong size
81 * badCertTemplate (19),
82 * -- invalid cert. template or missing mandatory information
83 * signerNotTrusted (20),
84 * -- signer of the message unknown or not trusted
85 * transactionIdInUse (21),
86 * -- the transaction identifier is already in use
87 * unsupportedVersion (22),
88 * -- the version of the message is not supported
90 * -- the sender was not authorized to make the preceding
91 * -- request or perform the preceding action
93 * -- the request cannot be handled due to system unavailability
95 * -- the request cannot be handled due to system failure
96 * duplicateCertReq (26)
97 * -- certificate cannot be issued because a duplicate
98 * -- certificate already exists
101 # define OSSL_CMP_PKIFAILUREINFO_badAlg 0
102 # define OSSL_CMP_PKIFAILUREINFO_badMessageCheck 1
103 # define OSSL_CMP_PKIFAILUREINFO_badRequest 2
104 # define OSSL_CMP_PKIFAILUREINFO_badTime 3
105 # define OSSL_CMP_PKIFAILUREINFO_badCertId 4
106 # define OSSL_CMP_PKIFAILUREINFO_badDataFormat 5
107 # define OSSL_CMP_PKIFAILUREINFO_wrongAuthority 6
108 # define OSSL_CMP_PKIFAILUREINFO_incorrectData 7
109 # define OSSL_CMP_PKIFAILUREINFO_missingTimeStamp 8
110 # define OSSL_CMP_PKIFAILUREINFO_badPOP 9
111 # define OSSL_CMP_PKIFAILUREINFO_certRevoked 10
112 # define OSSL_CMP_PKIFAILUREINFO_certConfirmed 11
113 # define OSSL_CMP_PKIFAILUREINFO_wrongIntegrity 12
114 # define OSSL_CMP_PKIFAILUREINFO_badRecipientNonce 13
115 # define OSSL_CMP_PKIFAILUREINFO_timeNotAvailable 14
116 # define OSSL_CMP_PKIFAILUREINFO_unacceptedPolicy 15
117 # define OSSL_CMP_PKIFAILUREINFO_unacceptedExtension 16
118 # define OSSL_CMP_PKIFAILUREINFO_addInfoNotAvailable 17
119 # define OSSL_CMP_PKIFAILUREINFO_badSenderNonce 18
120 # define OSSL_CMP_PKIFAILUREINFO_badCertTemplate 19
121 # define OSSL_CMP_PKIFAILUREINFO_signerNotTrusted 20
122 # define OSSL_CMP_PKIFAILUREINFO_transactionIdInUse 21
123 # define OSSL_CMP_PKIFAILUREINFO_unsupportedVersion 22
124 # define OSSL_CMP_PKIFAILUREINFO_notAuthorized 23
125 # define OSSL_CMP_PKIFAILUREINFO_systemUnavail 24
126 # define OSSL_CMP_PKIFAILUREINFO_systemFailure 25
127 # define OSSL_CMP_PKIFAILUREINFO_duplicateCertReq 26
128 # define OSSL_CMP_PKIFAILUREINFO_MAX 26
129 # define OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN \
130 ( (1<<(OSSL_CMP_PKIFAILUREINFO_MAX+1)) - 1)
131 # if OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN > INT_MAX
132 # error CMP_PKIFAILUREINFO_MAX bit pattern does not fit in type int
135 typedef ASN1_BIT_STRING OSSL_CMP_PKIFAILUREINFO;
137 # define OSSL_CMP_CTX_FAILINFO_badAlg (1 << 0)
138 # define OSSL_CMP_CTX_FAILINFO_badMessageCheck (1 << 1)
139 # define OSSL_CMP_CTX_FAILINFO_badRequest (1 << 2)
140 # define OSSL_CMP_CTX_FAILINFO_badTime (1 << 3)
141 # define OSSL_CMP_CTX_FAILINFO_badCertId (1 << 4)
142 # define OSSL_CMP_CTX_FAILINFO_badDataFormat (1 << 5)
143 # define OSSL_CMP_CTX_FAILINFO_wrongAuthority (1 << 6)
144 # define OSSL_CMP_CTX_FAILINFO_incorrectData (1 << 7)
145 # define OSSL_CMP_CTX_FAILINFO_missingTimeStamp (1 << 8)
146 # define OSSL_CMP_CTX_FAILINFO_badPOP (1 << 9)
147 # define OSSL_CMP_CTX_FAILINFO_certRevoked (1 << 10)
148 # define OSSL_CMP_CTX_FAILINFO_certConfirmed (1 << 11)
149 # define OSSL_CMP_CTX_FAILINFO_wrongIntegrity (1 << 12)
150 # define OSSL_CMP_CTX_FAILINFO_badRecipientNonce (1 << 13)
151 # define OSSL_CMP_CTX_FAILINFO_timeNotAvailable (1 << 14)
152 # define OSSL_CMP_CTX_FAILINFO_unacceptedPolicy (1 << 15)
153 # define OSSL_CMP_CTX_FAILINFO_unacceptedExtension (1 << 16)
154 # define OSSL_CMP_CTX_FAILINFO_addInfoNotAvailable (1 << 17)
155 # define OSSL_CMP_CTX_FAILINFO_badSenderNonce (1 << 18)
156 # define OSSL_CMP_CTX_FAILINFO_badCertTemplate (1 << 19)
157 # define OSSL_CMP_CTX_FAILINFO_signerNotTrusted (1 << 20)
158 # define OSSL_CMP_CTX_FAILINFO_transactionIdInUse (1 << 21)
159 # define OSSL_CMP_CTX_FAILINFO_unsupportedVersion (1 << 22)
160 # define OSSL_CMP_CTX_FAILINFO_notAuthorized (1 << 23)
161 # define OSSL_CMP_CTX_FAILINFO_systemUnavail (1 << 24)
162 # define OSSL_CMP_CTX_FAILINFO_systemFailure (1 << 25)
163 # define OSSL_CMP_CTX_FAILINFO_duplicateCertReq (1 << 26)
166 * PKIStatus ::= INTEGER {
168 * -- you got exactly what you asked for
169 * grantedWithMods (1),
170 * -- you got something like what you asked for; the
171 * -- requester is responsible for ascertaining the differences
173 * -- you don't get it, more information elsewhere in the message
175 * -- the request body part has not yet been processed; expect to
176 * -- hear more later (note: proper handling of this status
177 * -- response MAY use the polling req/rep PKIMessages specified
178 * -- in Section 5.3.22; alternatively, polling in the underlying
179 * -- transport layer MAY have some utility in this regard)
180 * revocationWarning (4),
181 * -- this message contains a warning that a revocation is
183 * revocationNotification (5),
184 * -- notification that a revocation has occurred
185 * keyUpdateWarning (6)
186 * -- update already done for the oldCertId specified in
190 # define OSSL_CMP_PKISTATUS_accepted 0
191 # define OSSL_CMP_PKISTATUS_grantedWithMods 1
192 # define OSSL_CMP_PKISTATUS_rejection 2
193 # define OSSL_CMP_PKISTATUS_waiting 3
194 # define OSSL_CMP_PKISTATUS_revocationWarning 4
195 # define OSSL_CMP_PKISTATUS_revocationNotification 5
196 # define OSSL_CMP_PKISTATUS_keyUpdateWarning 6
198 typedef ASN1_INTEGER OSSL_CMP_PKISTATUS;
199 DECLARE_ASN1_ITEM(OSSL_CMP_PKISTATUS)
201 # define OSSL_CMP_CERTORENCCERT_CERTIFICATE 0
202 # define OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT 1
204 /* data type declarations */
205 typedef struct ossl_cmp_ctx_st OSSL_CMP_CTX;
206 typedef struct ossl_cmp_pkiheader_st OSSL_CMP_PKIHEADER;
207 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
208 typedef struct ossl_cmp_msg_st OSSL_CMP_MSG;
209 DECLARE_ASN1_ENCODE_FUNCTIONS(OSSL_CMP_MSG, OSSL_CMP_MSG, OSSL_CMP_MSG)
210 typedef struct ossl_cmp_certstatus_st OSSL_CMP_CERTSTATUS;
211 DEFINE_STACK_OF(OSSL_CMP_CERTSTATUS)
212 typedef struct ossl_cmp_itav_st OSSL_CMP_ITAV;
213 DEFINE_STACK_OF(OSSL_CMP_ITAV)
214 typedef struct ossl_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT;
215 typedef struct ossl_cmp_pkisi_st OSSL_CMP_PKISI;
216 DEFINE_STACK_OF(OSSL_CMP_PKISI)
217 typedef struct ossl_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE;
218 DEFINE_STACK_OF(OSSL_CMP_CERTREPMESSAGE)
219 typedef struct ossl_cmp_pollrep_st OSSL_CMP_POLLREP;
220 typedef STACK_OF(OSSL_CMP_POLLREP) OSSL_CMP_POLLREPCONTENT;
221 typedef struct ossl_cmp_certresponse_st OSSL_CMP_CERTRESPONSE;
222 DEFINE_STACK_OF(OSSL_CMP_CERTRESPONSE)
223 typedef STACK_OF(ASN1_UTF8STRING) OSSL_CMP_PKIFREETEXT;
226 * function DECLARATIONS
230 OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value);
231 void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
233 ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav);
234 ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav);
235 int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
236 OSSL_CMP_ITAV *itav);
237 void OSSL_CMP_ITAV_free(OSSL_CMP_ITAV *itav);
238 void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg);
241 OSSL_CMP_CTX *OSSL_CMP_CTX_new(void);
242 void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx);
243 int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx);
244 /* various CMP options: */
245 # define OSSL_CMP_OPT_LOG_VERBOSITY 0
246 # define OSSL_CMP_OPT_MSGTIMEOUT 1
247 # define OSSL_CMP_OPT_TOTALTIMEOUT 2
248 # define OSSL_CMP_OPT_VALIDITYDAYS 3
249 # define OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT 4
250 # define OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL 5
251 # define OSSL_CMP_OPT_POLICIES_CRITICAL 6
252 # define OSSL_CMP_OPT_POPOMETHOD 7
253 # define OSSL_CMP_OPT_DIGEST_ALGNID 8
254 # define OSSL_CMP_OPT_OWF_ALGNID 9
255 # define OSSL_CMP_OPT_MAC_ALGNID 10
256 # define OSSL_CMP_OPT_REVOCATION_REASON 11
257 # define OSSL_CMP_OPT_IMPLICITCONFIRM 12
258 # define OSSL_CMP_OPT_DISABLECONFIRM 13
259 # define OSSL_CMP_OPT_UNPROTECTED_SEND 14
260 # define OSSL_CMP_OPT_UNPROTECTED_ERRORS 15
261 # define OSSL_CMP_OPT_IGNORE_KEYUSAGE 16
262 # define OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR 17
263 int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val);
264 int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt);
265 /* CMP-specific callback for logging and outputting the error queue: */
266 int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_log_cb_t cb);
267 #define OSSL_CMP_CTX_set_log_verbosity(ctx, level) \
268 OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_LOG_VERBOSITY, level)
269 void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx);
270 /* message transfer: */
271 int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path);
272 int OSSL_CMP_CTX_set1_serverName(OSSL_CMP_CTX *ctx, const char *name);
273 int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port);
274 int OSSL_CMP_CTX_set1_proxyName(OSSL_CMP_CTX *ctx, const char *name);
275 int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port);
276 # define OSSL_CMP_DEFAULT_PORT 80
277 typedef BIO *(*OSSL_cmp_http_cb_t) (OSSL_CMP_CTX *ctx, BIO *hbio,
278 unsigned long detail);
279 int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_http_cb_t cb);
280 int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
281 void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx);
282 typedef int (*OSSL_cmp_transfer_cb_t) (OSSL_CMP_CTX *ctx,
283 const OSSL_CMP_MSG *req,
285 int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_transfer_cb_t cb);
286 int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
287 void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx);
288 /* server authentication: */
289 int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX *ctx, X509 *cert);
290 int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx, const X509_NAME *name);
291 int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store);
292 X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx);
293 int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
294 STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx);
295 /* client authentication: */
296 int OSSL_CMP_CTX_set1_clCert(OSSL_CMP_CTX *ctx, X509 *cert);
297 int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
298 int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
299 const unsigned char *ref, int len);
300 int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
302 /* CMP message header and extra certificates: */
303 int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name);
304 int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
305 int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
306 STACK_OF(X509) *extraCertsOut);
307 /* certificate template: */
308 int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey);
309 EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv);
310 int OSSL_CMP_CTX_set1_issuer(OSSL_CMP_CTX *ctx, const X509_NAME *name);
311 int OSSL_CMP_CTX_set1_subjectName(OSSL_CMP_CTX *ctx, const X509_NAME *name);
312 int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx, const GENERAL_NAME *name);
313 int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts);
314 int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx);
315 int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo);
316 int OSSL_CMP_CTX_set1_oldCert(OSSL_CMP_CTX *ctx, X509 *cert);
317 int OSSL_CMP_CTX_set1_p10CSR(OSSL_CMP_CTX *ctx, const X509_REQ *csr);
318 /* misc body contents: */
319 int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
320 /* certificate confirmation: */
321 typedef int (*OSSL_cmp_certConf_cb_t) (OSSL_CMP_CTX *ctx, X509 *cert,
322 int fail_info, const char **txt);
323 int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_certConf_cb_t cb);
324 int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
325 void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx);
326 /* result fetching: */
327 int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx);
328 OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx);
329 int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx);
330 # define OSSL_CMP_PKISI_BUFLEN 1024
331 X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx);
332 STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx);
333 STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx);
334 /* support application-level CMP debugging in cmp.c: */
335 int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
336 const ASN1_OCTET_STRING *id);
337 int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
338 const ASN1_OCTET_STRING *nonce);
340 /* from cmp_status.c */
341 char *OSSL_CMP_CTX_snprint_PKIStatus(OSSL_CMP_CTX *ctx, char *buf,
345 /* support application-level CMP debugging in cmp.c: */
346 ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_transactionID(const OSSL_CMP_PKIHEADER *hdr);
347 ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_recipNonce(const OSSL_CMP_PKIHEADER *hdr);
352 # endif /* !defined OPENSSL_NO_CMP */
353 #endif /* !defined OPENSSL_CMP_H */