X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=doc%2Fman3%2FOSSL_CMP_CTX_new.pod;h=e8237b46e7478c212eede74ff85c91d785a322e1;hp=b8acf692f8b2ae06b94b94dd56ddcdd63cdb695e;hb=dc4e74ef6c10a13d8a8947c71e9ee70a0abe642e;hpb=0d17c2f4bc81552202dcf359e7552f3a64ecf4f2 diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index b8acf692f8..e8237b46e7 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -73,7 +73,7 @@ OSSL_CMP_CTX_set1_senderNonce /* logging and error reporting: */ int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb); #define OSSL_CMP_CTX_set_log_verbosity(ctx, level) - void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx); + void OSSL_CMP_CTX_print_errors(const OSSL_CMP_CTX *ctx); /* message transfer: */ int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path); @@ -306,7 +306,7 @@ B to print to STDERR (unless OPENSSL_NO_STDIO is defined). OSSL_CMP_CTX_set1_serverPath() sets the HTTP path of the CMP server on the host, also known as "CMP alias". -The default is "/". +The default is I. OSSL_CMP_CTX_set1_server() sets the given server B
(which may be a hostname or IP address or NULL) in the given B. @@ -323,7 +323,7 @@ Otherwise defaults to the value of B if set, else B. An empty proxy string specifies not to use a proxy. Else the format is I<[http[s]://]address[:port][/path]>, where any path given is ignored. -The default port number is 80, or 443 in case "https:" is given. +The default port number is 80, or 443 in case I is given. OSSL_CMP_CTX_set1_no_proxy() sets the list of server hostnames not to use an HTTP proxy for. The names may be separated by commas and/or whitespace. @@ -337,7 +337,7 @@ function, which has the prototype The callback may modify the BIO B provided by OSSL_CMP_MSG_http_perform(), whereby it may make use of a custom defined argument B stored in the OSSL_CMP_CTX by means of OSSL_CMP_CTX_set_http_cb_arg(). -During connection establishment, just after calling BIO_connect_retry(), +During connection establishment, just after calling BIO_do_connect_retry(), the function is invoked with the B argument being 1 and the B argument being 1 if HTTPS is requested, i.e., SSL/TLS should be enabled. On disconnect B is 0 and B is 1 in case no error occurred, else 0. @@ -391,7 +391,7 @@ as default value for the recipient of CMP requests and as default value for the expected sender of CMP responses. OSSL_CMP_CTX_set1_expected_sender() sets the Distinguished Name (DN) -expected in the sender field of signature-protected response messages. +expected in the sender field of CMP response messages. Defaults to the subject of the pinned server certificate B<-srvcert>, if any. This can be used to make sure that only a particular entity is accepted as CMP message signer, and attackers are not able to use arbitrary certificates @@ -411,8 +411,9 @@ OSSL_CMP_CTX_get0_trustedStore() returns a pointer to the currently set certificate store containing trusted cert etc., or an empty store if unset. OSSL_CMP_CTX_set1_untrusted_certs() sets up a list of non-trusted certificates -of intermediate CAs that may be useful for path construction when authenticating -the CMP server and when verifying newly enrolled certificates. +of intermediate CAs that may be useful for path construction for the CMP client +certificate, for the TLS client certificate (if any), when verifying +the CMP server certificate, and when verifying newly enrolled certificates. The reference counts of those certificates handled successfully are increased. OSSL_CMP_CTX_get0_untrusted_certs(OSSL_CMP_CTX *ctx) returns a pointer to the @@ -423,9 +424,9 @@ The public key of this B must correspond to the private key set via B. When using signature-based protection of CMP request messages this "protection certificate" will be included first in the extraCerts field. -The subject of this B will be used as the "sender" field -of outgoing CMP messages, with the fallback being -the B set via B. +The subject of this B will be used as the sender field of outgoing +messages, while the subject of any cert set via B +and any value set via B are used as fallback. The B argument may be NULL to clear the entry. OSSL_CMP_CTX_set1_pkey() sets the private key corresponding to the @@ -444,9 +445,9 @@ PBM-based protection takes precedence over signature-based protection. OSSL_CMP_CTX_set1_referenceValue() sets the given referenceValue B with length B in the given B or clears it if the B argument is NULL. -According to RFC 4210 section 5.1.1, if no value for the "sender" field in +According to RFC 4210 section 5.1.1, if no value for the sender field in CMP message headers can be determined (i.e., no protection certificate B -and no B is given) then the "sender" field will contain the NULL-DN +and no B is given) then the sender field will contain the NULL-DN and the senderKID field of the CMP message header must be set. When signature-based protection is used the senderKID will be set to the subjectKeyIdentifier of the protection B as far as present. @@ -490,8 +491,8 @@ the CertTemplate structure when requesting a new cert. For Key Update Requests (KUR), it defaults to the subject DN of the B, see B. This default is used for Initialization Requests (IR) and Certification Requests (CR) only if no SANs are set. -The B is also used as the "sender" field for outgoing CMP messages -if no B has been set (e.g., in case requests are protected using PBM). +The B is also used as fallback for the sender field +of outgoing CMP messages if no B and no B are available. OSSL_CMP_CTX_push1_subjectAltName() adds the given X509 name to the list of alternate names on the certificate template request. This cannot be used if @@ -520,7 +521,8 @@ Key Update Requests (KUR) or to be revoked in Revocation Requests (RR). It must be given for RR, else it defaults to the protection B. The B determined in this way, if any, is also used for deriving default subject DN and Subject Alternative Names for IR, CR, and KUR. -Its issuer, if any, is used as default recipient in the CMP message header. +Its subject is used as sender in CMP message headers if no protection cert is given. +Its issuer is used as default recipient in CMP message headers. OSSL_CMP_CTX_set1_p10CSR() sets the PKCS#10 CSR to be used in P10CR.