=pod

=head1 NAME

OSSL_CRMF_MSG_set_validity,
OSSL_CRMF_MSG_set_certReqId,
OSSL_CRMF_CERTTEMPLATE_fill,
OSSL_CRMF_MSG_set0_extensions,
OSSL_CRMF_MSG_push0_extension,
OSSL_CRMF_MSG_create_popo,
OSSL_CRMF_MSGS_verify_popo
- functions populating and verifying CRMF CertReqMsg structures

=head1 SYNOPSIS

 #include <openssl/crmf.h>

 int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to);

 int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, const int rid);

 int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
                                 const EVP_PKEY *pubkey,
                                 const X509_NAME *subject,
                                 const X509_NAME *issuer,
                                 const ASN1_INTEGER *serial);

 int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm,
                                   X509_EXTENSIONS *exts);

 int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
                                   const X509_EXTENSION *ext);

 int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, const EVP_PKEY *pkey,
                               int dgst, int ppmtd);

 int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
                                int rid, int acceptRAVerified);

=head1 DESCRIPTION

OSSL_CRMF_MSG_set_validity() sets B<from> as notBefore and B<to> as notAfter
as the validity in the certTemplate of B<crm>.

OSSL_CRMF_MSG_set_certReqId() sets B<rid> as the certReqId of B<crm>.

OSSL_CRMF_CERTTEMPLATE_fill() sets those fields of the certTemplate B<tmpl>
for which non-NULL values are provided: B<pubkey>, B<subject>, B<issuer>,
and/or B<serial>. The arguments are not consumed.

OSSL_CRMF_MSG_set0_extensions() sets B<exts> as the extensions in the
certTemplate of B<crm>. Consumes B<exts>.

OSSL_CRMF_MSG_push0_extension() pushes the X509 extension B<ext> to the
extensions in the certTemplate of B<crm>.  Consumes B<ext>.

OSSL_CRMF_MSG_create_popo() creates and sets the Proof-of-Possession (POP)
according to the method B<ppmtd> for B<pkey> to B<crm>. In case the method is
OSSL_CRMF_POPO_SIGNATURE, POP is calculated using the B<dgst>.

B<ppmtd> can be one of the following:

=over 8

=item * OSSL_CRMF_POPO_NONE       - RFC 4211, section 4, POP field omitted.
CA/RA uses out-of-band method to verify POP. Note that servers may fail in this
case, resulting for instance in HTTP error code 500 (Internal error).

=item * OSSL_CRMF_POPO_RAVERIFIED - RFC 4211, section 4, explicit indication
that the RA has already verified the POP.

=item * OSSL_CRMF_POPO_SIGNATURE  - RFC 4211, section 4.1, only case 3 supported
so far.

=item * OSSL_CRMF_POPO_KEYENC     - RFC 4211, section 4.2, only indirect method
(subsequentMessage/enccert) supported,
challenge-response exchange (challengeResp) not yet supported.

=item * OSSL_CRMF_POPO_KEYAGREE   - RFC 4211, section 4.3, not yet supported.

=back

OSSL_CRMF_MSGS_verify_popo verifies the Proof-of-Possession of the request with
the given B<rid> in the list of B<reqs>. Optionally accepts RAVerified.

=head1 RETURN VALUES

All functions return 1 on success, 0 on error.

=head1 SEE ALSO

RFC 4211

=head1 COPYRIGHT

Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut