1a7dcca3bd99bff897afe33e0206d8c064d6780c
[openssl.git] / crypto / cmp / cmp_local.h
1 /*
2  * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright Nokia 2007-2019
4  * Copyright Siemens AG 2015-2019
5  *
6  * Licensed under the Apache License 2.0 (the "License").  You may not use
7  * this file except in compliance with the License.  You can obtain a copy
8  * in the file LICENSE in the source distribution or at
9  * https://www.openssl.org/source/license.html
10  */
11
12 #ifndef OSSL_CRYPTO_CMP_LOCAL_H
13 # define OSSL_CRYPTO_CMP_LOCAL_H
14
15 # include "internal/cryptlib.h"
16
17 # include <openssl/cmp.h>
18 # include <openssl/err.h>
19
20 /* explicit #includes not strictly needed since implied by the above: */
21 # include <openssl/crmf.h>
22 # include <openssl/types.h>
23 # include <openssl/safestack.h>
24 # include <openssl/x509.h>
25 # include <openssl/x509v3.h>
26
27 /*
28  * this structure is used to store the context for CMP sessions
29  */
30 struct ossl_cmp_ctx_st {
31     OSSL_cmp_log_cb_t log_cb; /* log callback for error/debug/etc. output */
32     OSSL_CMP_severity log_verbosity; /* level of verbosity of log output */
33
34     /* message transfer */
35     OSSL_cmp_transfer_cb_t transfer_cb; /* default: OSSL_CMP_MSG_http_perform */
36     void *transfer_cb_arg; /* allows to store optional argument to cb */
37     /* HTTP-based transfer */
38     char *serverPath;
39     char *serverName;
40     int serverPort;
41     char *proxyName;
42     int proxyPort;
43     int msgtimeout; /* max seconds to wait for each CMP message round trip */
44     int totaltimeout; /* maximum number seconds an enrollment may take, incl. */
45       /* attempts polling for a response if a 'waiting' PKIStatus is received */
46     time_t end_time; /* session start time + totaltimeout */
47     OSSL_cmp_http_cb_t http_cb;
48     void *http_cb_arg; /* allows to store optional argument to cb */
49
50     /* server authentication */
51     int unprotectedErrors; /* accept neg. response with no/invalid protection */
52                            /* to cope with broken server */
53     X509 *srvCert; /* certificate used to identify the server */
54     X509 *validatedSrvCert; /* caches any already validated server cert */
55     X509_NAME *expected_sender; /* expected sender in pkiheader of response */
56     X509_STORE *trusted; /* trust store maybe w CRLs and cert verify callback */
57     STACK_OF(X509) *untrusted_certs; /* untrusted (intermediate) certs */
58     int ignore_keyusage; /* ignore key usage entry when validating certs */
59     int permitTAInExtraCertsForIR; /* allow use of root certs in extracerts */
60              /* when validating message protection; used for 3GPP-style E.7 */
61
62     /* client authentication */
63     int unprotectedSend; /* send unprotected PKI messages */
64     X509 *clCert; /* client cert used to identify and sign for MSG_SIG_ALG */
65     EVP_PKEY *pkey; /* the key pair corresponding to clCert */
66     ASN1_OCTET_STRING *referenceValue; /* optional user name for MSG_MAC_ALG */
67     ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */
68     /* PBMParameters for MSG_MAC_ALG */
69     size_t pbm_slen; /* currently fixed to 16 */
70     int pbm_owf; /* NID of one-way function (OWF), default: SHA256 */
71     int pbm_itercnt; /* currently fixed to 500 */
72     int pbm_mac; /* NID of MAC algorithm, default: HMAC-SHA1 as per RFC 4210 */
73
74     /* CMP message header and extra certificates */
75     X509_NAME *recipient; /* to set in recipient in pkiheader */
76     int digest; /* NID of digest used in MSG_SIG_ALG and POPO, default SHA256 */
77     ASN1_OCTET_STRING *transactionID; /* the current transaction ID */
78     ASN1_OCTET_STRING *senderNonce; /* last nonce sent */
79     ASN1_OCTET_STRING *recipNonce; /* last nonce received */
80     STACK_OF(OSSL_CMP_ITAV) *geninfo_ITAVs;
81     int implicitConfirm; /* set implicitConfirm in IR/KUR/CR messages */
82     int disableConfirm; /* disable certConf in IR/KUR/CR for broken servers */
83     STACK_OF(X509) *extraCertsOut; /* to be included in request messages */
84
85     /* certificate template */
86     EVP_PKEY *newPkey; /* explicit new private/public key for cert enrollment */
87     int newPkey_priv; /* flag indicating if newPkey contains private key */
88     X509_NAME *issuer; /* issuer name to used in cert template */
89     int days; /* Number of days new certificates are asked to be valid for */
90     X509_NAME *subjectName; /* subject name to be used in the cert template */
91     STACK_OF(GENERAL_NAME) *subjectAltNames; /* to add to the cert template */
92     int SubjectAltName_nodefault;
93     int setSubjectAltNameCritical;
94     X509_EXTENSIONS *reqExtensions; /* exts to be added to cert template */
95     CERTIFICATEPOLICIES *policies; /* policies to be included in extensions */
96     int setPoliciesCritical;
97     int popoMethod; /* Proof-of-possession mechanism; default: signature */
98     X509 *oldCert; /* cert to be updated (via KUR) or to be revoked (via RR) */
99     X509_REQ *p10CSR; /* for P10CR: PKCS#10 CSR to be sent */
100
101     /* misc body contents */
102     int revocationReason; /* revocation reason code to be included in RR */
103     STACK_OF(OSSL_CMP_ITAV) *genm_ITAVs; /* content of general message */
104
105     /* result returned in responses */
106     int status; /* PKIStatus of last received IP/CP/KUP/RP/error or -1 */
107     /* TODO: this should be a stack since there could be more than one */
108     OSSL_CMP_PKIFREETEXT *statusString; /* of last IP/CP/KUP/RP/error */
109     int failInfoCode; /* failInfoCode of last received IP/CP/KUP/error, or -1 */
110     /* TODO: this should be a stack since there could be more than one */
111     X509 *newCert; /* newly enrolled cert received from the CA */
112     /* TODO: this should be a stack since there could be more than one */
113     STACK_OF(X509) *caPubs; /* CA certs received from server (in IP message) */
114     STACK_OF(X509) *extraCertsIn; /* extraCerts received from server */
115
116     /* certificate confirmation */
117     OSSL_cmp_certConf_cb_t certConf_cb; /* callback for app checking new cert */
118     void *certConf_cb_arg; /* allows to store an argument individual to cb */
119 } /* OSSL_CMP_CTX */;
120
121 /*
122  * ##########################################################################
123  * ASN.1 DECLARATIONS
124  * ##########################################################################
125  */
126
127 /*-
128  *   RevAnnContent ::= SEQUENCE {
129  *       status              PKIStatus,
130  *       certId              CertId,
131  *       willBeRevokedAt     GeneralizedTime,
132  *       badSinceDate        GeneralizedTime,
133  *       crlDetails          Extensions  OPTIONAL
134  *       -- extra CRL details (e.g., crl number, reason, location, etc.)
135  *   }
136  */
137 typedef struct ossl_cmp_revanncontent_st {
138     ASN1_INTEGER *status;
139     OSSL_CRMF_CERTID *certId;
140     ASN1_GENERALIZEDTIME *willBeRevokedAt;
141     ASN1_GENERALIZEDTIME *badSinceDate;
142     X509_EXTENSIONS *crlDetails;
143 } OSSL_CMP_REVANNCONTENT;
144 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
145
146 /*-
147  *   Challenge ::= SEQUENCE {
148  *       owf                 AlgorithmIdentifier  OPTIONAL,
149  *
150  *       -- MUST be present in the first Challenge; MAY be omitted in
151  *       -- any subsequent Challenge in POPODecKeyChallContent (if
152  *       -- omitted, then the owf used in the immediately preceding
153  *       -- Challenge is to be used).
154  *
155  *       witness             OCTET STRING,
156  *       -- the result of applying the one-way function (owf) to a
157  *       -- randomly-generated INTEGER, A.  [Note that a different
158  *       -- INTEGER MUST be used for each Challenge.]
159  *       challenge           OCTET STRING
160  *       -- the encryption (under the public key for which the cert.
161  *       -- request is being made) of Rand, where Rand is specified as
162  *       --   Rand ::= SEQUENCE {
163  *       --      int      INTEGER,
164  *       --       - the randomly-generated INTEGER A (above)
165  *       --      sender   GeneralName
166  *       --       - the sender's name (as included in PKIHeader)
167  *       --   }
168  *   }
169  */
170 typedef struct ossl_cmp_challenge_st {
171     X509_ALGOR *owf;
172     ASN1_OCTET_STRING *witness;
173     ASN1_OCTET_STRING *challenge;
174 } OSSL_CMP_CHALLENGE;
175 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
176
177 /*-
178  *  CAKeyUpdAnnContent ::= SEQUENCE {
179  *     oldWithNew         Certificate,
180  *     newWithOld         Certificate,
181  *     newWithNew         Certificate
182  *  }
183  */
184 typedef struct ossl_cmp_cakeyupdanncontent_st {
185     X509 *oldWithNew;
186     X509 *newWithOld;
187     X509 *newWithNew;
188 } OSSL_CMP_CAKEYUPDANNCONTENT;
189 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
190
191 /*-
192  * declared already here as it will be used in OSSL_CMP_MSG (nested) and
193  * infoType and infoValue
194  */
195 typedef STACK_OF(OSSL_CMP_MSG) OSSL_CMP_MSGS;
196 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS)
197
198 /*-
199  *   InfoTypeAndValue ::= SEQUENCE {
200  *       infoType               OBJECT IDENTIFIER,
201  *       infoValue              ANY DEFINED BY infoType  OPTIONAL
202  *   }
203  */
204 struct ossl_cmp_itav_st {
205     ASN1_OBJECT *infoType;
206     union {
207         char *ptr;
208         /* NID_id_it_caProtEncCert - CA Protocol Encryption Certificate */
209         X509 *caProtEncCert;
210         /* NID_id_it_signKeyPairTypes - Signing Key Pair Types */
211         STACK_OF(X509_ALGOR) *signKeyPairTypes;
212         /* NID_id_it_encKeyPairTypes - Encryption/Key Agreement Key Pair Types */
213         STACK_OF(X509_ALGOR) *encKeyPairTypes;
214         /* NID_id_it_preferredSymmAlg - Preferred Symmetric Algorithm */
215         X509_ALGOR *preferredSymmAlg;
216         /* NID_id_it_caKeyUpdateInfo - Updated CA Key Pair */
217         OSSL_CMP_CAKEYUPDANNCONTENT *caKeyUpdateInfo;
218         /* NID_id_it_currentCRL - CRL */
219         X509_CRL *currentCRL;
220         /* NID_id_it_unsupportedOIDs - Unsupported Object Identifiers */
221         STACK_OF(ASN1_OBJECT) *unsupportedOIDs;
222         /* NID_id_it_keyPairParamReq - Key Pair Parameters Request */
223         ASN1_OBJECT *keyPairParamReq;
224         /* NID_id_it_keyPairParamRep - Key Pair Parameters Response */
225         X509_ALGOR *keyPairParamRep;
226         /* NID_id_it_revPassphrase - Revocation Passphrase */
227         OSSL_CRMF_ENCRYPTEDVALUE *revPassphrase;
228         /* NID_id_it_implicitConfirm - ImplicitConfirm */
229         ASN1_NULL *implicitConfirm;
230         /* NID_id_it_confirmWaitTime - ConfirmWaitTime */
231         ASN1_GENERALIZEDTIME *confirmWaitTime;
232         /* NID_id_it_origPKIMessage - origPKIMessage */
233         OSSL_CMP_MSGS *origPKIMessage;
234         /* NID_id_it_suppLangTags - Supported Language Tags */
235         STACK_OF(ASN1_UTF8STRING) *suppLangTagsValue;
236         /* this is to be used for so far undeclared objects */
237         ASN1_TYPE *other;
238     } infoValue;
239 } /* OSSL_CMP_ITAV */;
240 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
241 DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
242
243 typedef struct ossl_cmp_certorenccert_st {
244     int type;
245     union {
246         X509 *certificate;
247         OSSL_CRMF_ENCRYPTEDVALUE *encryptedCert;
248     } value;
249 } OSSL_CMP_CERTORENCCERT;
250 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
251
252 /*-
253  *   CertifiedKeyPair ::= SEQUENCE {
254  *       certOrEncCert       CertOrEncCert,
255  *       privateKey      [0] EncryptedValue      OPTIONAL,
256  *       -- see [CRMF] for comment on encoding
257  *       publicationInfo [1] PKIPublicationInfo  OPTIONAL
258  *   }
259  */
260 typedef struct ossl_cmp_certifiedkeypair_st {
261     OSSL_CMP_CERTORENCCERT *certOrEncCert;
262     OSSL_CRMF_ENCRYPTEDVALUE *privateKey;
263     OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo;
264 } OSSL_CMP_CERTIFIEDKEYPAIR;
265 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
266
267 /*-
268  *   PKIStatusInfo ::= SEQUENCE {
269  *       status        PKIStatus,
270  *       statusString  PKIFreeText     OPTIONAL,
271  *       failInfo      PKIFailureInfo  OPTIONAL
272  *   }
273  */
274 struct ossl_cmp_pkisi_st {
275     OSSL_CMP_PKISTATUS *status;
276     OSSL_CMP_PKIFREETEXT *statusString;
277     OSSL_CMP_PKIFAILUREINFO *failInfo;
278 } /* OSSL_CMP_PKISI */;
279 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKISI)
280 DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
281
282 /*-
283  *  RevReqContent ::= SEQUENCE OF RevDetails
284  *
285  *  RevDetails ::= SEQUENCE {
286  *      certDetails         CertTemplate,
287  *      crlEntryDetails     Extensions       OPTIONAL
288  *  }
289  */
290 typedef struct ossl_cmp_revdetails_st {
291     OSSL_CRMF_CERTTEMPLATE *certDetails;
292     X509_EXTENSIONS *crlEntryDetails;
293 } OSSL_CMP_REVDETAILS;
294 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS)
295 DEFINE_STACK_OF(OSSL_CMP_REVDETAILS)
296
297 /*-
298  *   RevRepContent ::= SEQUENCE {
299  *       status       SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
300  *       -- in same order as was sent in RevReqContent
301  *       revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId
302  *                                           OPTIONAL,
303  *       -- IDs for which revocation was requested
304  *       -- (same order as status)
305  *       crls     [1] SEQUENCE SIZE (1..MAX) OF CertificateList
306  *                                           OPTIONAL
307  *       -- the resulting CRLs (there may be more than one)
308  *   }
309  */
310 struct ossl_cmp_revrepcontent_st {
311     STACK_OF(OSSL_CMP_PKISI) *status;
312     STACK_OF(OSSL_CRMF_CERTID) *revCerts;
313     STACK_OF(X509_CRL) *crls;
314 } /* OSSL_CMP_REVREPCONTENT */;
315 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
316
317 /*-
318  *  KeyRecRepContent ::= SEQUENCE {
319  *      status          PKIStatusInfo,
320  *      newSigCert  [0] Certificate                   OPTIONAL,
321  *      caCerts     [1] SEQUENCE SIZE (1..MAX) OF
322  *                                   Certificate      OPTIONAL,
323  *      keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
324  *                                   CertifiedKeyPair OPTIONAL
325  *   }
326  */
327 typedef struct ossl_cmp_keyrecrepcontent_st {
328     OSSL_CMP_PKISI *status;
329     X509 *newSigCert;
330     STACK_OF(X509) *caCerts;
331     STACK_OF(OSSL_CMP_CERTIFIEDKEYPAIR) *keyPairHist;
332 } OSSL_CMP_KEYRECREPCONTENT;
333 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
334
335 /*-
336  *   ErrorMsgContent ::= SEQUENCE {
337  *       pKIStatusInfo          PKIStatusInfo,
338  *       errorCode              INTEGER           OPTIONAL,
339  *       -- implementation-specific error codes
340  *       errorDetails           PKIFreeText       OPTIONAL
341  *       -- implementation-specific error details
342  *   }
343  */
344 typedef struct ossl_cmp_errormsgcontent_st {
345     OSSL_CMP_PKISI *pKIStatusInfo;
346     ASN1_INTEGER *errorCode;
347     OSSL_CMP_PKIFREETEXT *errorDetails;
348 } OSSL_CMP_ERRORMSGCONTENT;
349 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
350
351 /*-
352  *   CertConfirmContent ::= SEQUENCE OF CertStatus
353  *
354  *   CertStatus ::= SEQUENCE {
355  *      certHash    OCTET STRING,
356  *      -- the hash of the certificate, using the same hash algorithm
357  *      -- as is used to create and verify the certificate signature
358  *      certReqId   INTEGER,
359  *      -- to match this confirmation with the corresponding req/rep
360  *      statusInfo  PKIStatusInfo OPTIONAL
361  *   }
362  */
363 struct ossl_cmp_certstatus_st {
364     ASN1_OCTET_STRING *certHash;
365     ASN1_INTEGER *certReqId;
366     OSSL_CMP_PKISI *statusInfo;
367 } /* OSSL_CMP_CERTSTATUS */;
368 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)
369
370 typedef STACK_OF(OSSL_CMP_CERTSTATUS) OSSL_CMP_CERTCONFIRMCONTENT;
371 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT)
372
373 /*-
374  *   CertResponse ::= SEQUENCE {
375  *       certReqId           INTEGER,
376  *       -- to match this response with corresponding request (a value
377  *       -- of -1 is to be used if certReqId is not specified in the
378  *       -- corresponding request)
379  *       status              PKIStatusInfo,
380  *       certifiedKeyPair    CertifiedKeyPair    OPTIONAL,
381  *       rspInfo             OCTET STRING        OPTIONAL
382  *       -- analogous to the id-regInfo-utf8Pairs string defined
383  *       -- for regInfo in CertReqMsg [CRMF]
384  *   }
385  */
386 struct ossl_cmp_certresponse_st {
387     ASN1_INTEGER *certReqId;
388     OSSL_CMP_PKISI *status;
389     OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair;
390     ASN1_OCTET_STRING *rspInfo;
391 } /* OSSL_CMP_CERTRESPONSE */;
392 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
393
394 /*-
395  *   CertRepMessage ::= SEQUENCE {
396  *       caPubs       [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
397  *                        OPTIONAL,
398  *       response         SEQUENCE OF CertResponse
399  *   }
400  */
401 struct ossl_cmp_certrepmessage_st {
402     STACK_OF(X509) *caPubs;
403     STACK_OF(OSSL_CMP_CERTRESPONSE) *response;
404 } /* OSSL_CMP_CERTREPMESSAGE */;
405 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
406
407 /*-
408  *   PollReqContent ::= SEQUENCE OF SEQUENCE {
409  *         certReqId                              INTEGER
410  *   }
411  */
412 typedef struct ossl_cmp_pollreq_st {
413     ASN1_INTEGER *certReqId;
414 } OSSL_CMP_POLLREQ;
415 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
416 DEFINE_STACK_OF(OSSL_CMP_POLLREQ)
417 typedef STACK_OF(OSSL_CMP_POLLREQ) OSSL_CMP_POLLREQCONTENT;
418 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQCONTENT)
419
420 /*-
421  * PollRepContent ::= SEQUENCE OF SEQUENCE {
422  *         certReqId                              INTEGER,
423  *         checkAfter                             INTEGER,  -- time in seconds
424  *         reason                                 PKIFreeText OPTIONAL
425  * }
426  */
427 struct ossl_cmp_pollrep_st {
428     ASN1_INTEGER *certReqId;
429     ASN1_INTEGER *checkAfter;
430     OSSL_CMP_PKIFREETEXT *reason;
431 } /* OSSL_CMP_POLLREP */;
432 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREP)
433 DEFINE_STACK_OF(OSSL_CMP_POLLREP)
434 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT)
435
436 /*-
437  * PKIHeader ::= SEQUENCE {
438  *     pvno                INTEGER     { cmp1999(1), cmp2000(2) },
439  *     sender              GeneralName,
440  *     -- identifies the sender
441  *     recipient           GeneralName,
442  *     -- identifies the intended recipient
443  *     messageTime     [0] GeneralizedTime         OPTIONAL,
444  *     -- time of production of this message (used when sender
445  *     -- believes that the transport will be "suitable"; i.e.,
446  *     -- that the time will still be meaningful upon receipt)
447  *     protectionAlg   [1] AlgorithmIdentifier     OPTIONAL,
448  *     -- algorithm used for calculation of protection bits
449  *     senderKID       [2] KeyIdentifier           OPTIONAL,
450  *     recipKID        [3] KeyIdentifier           OPTIONAL,
451  *     -- to identify specific keys used for protection
452  *     transactionID   [4] OCTET STRING            OPTIONAL,
453  *     -- identifies the transaction; i.e., this will be the same in
454  *     -- corresponding request, response, certConf, and PKIConf
455  *     -- messages
456  *     senderNonce     [5] OCTET STRING            OPTIONAL,
457  *     recipNonce      [6] OCTET STRING            OPTIONAL,
458  *     -- nonces used to provide replay protection, senderNonce
459  *     -- is inserted by the creator of this message; recipNonce
460  *     -- is a nonce previously inserted in a related message by
461  *     -- the intended recipient of this message
462  *     freeText        [7] PKIFreeText             OPTIONAL,
463  *     -- this may be used to indicate context-specific instructions
464  *     -- (this field is intended for human consumption)
465  *     generalInfo     [8] SEQUENCE SIZE (1..MAX) OF
466  *                            InfoTypeAndValue     OPTIONAL
467  *     -- this may be used to convey context-specific information
468  *     -- (this field not primarily intended for human consumption)
469  *   }
470  */
471 struct ossl_cmp_pkiheader_st {
472     ASN1_INTEGER *pvno;
473     GENERAL_NAME *sender;
474     GENERAL_NAME *recipient;
475     ASN1_GENERALIZEDTIME *messageTime; /* 0 */
476     X509_ALGOR *protectionAlg; /* 1 */
477     ASN1_OCTET_STRING *senderKID; /* 2 */
478     ASN1_OCTET_STRING *recipKID; /* 3 */
479     ASN1_OCTET_STRING *transactionID; /* 4 */
480     ASN1_OCTET_STRING *senderNonce; /* 5 */
481     ASN1_OCTET_STRING *recipNonce; /* 6 */
482     OSSL_CMP_PKIFREETEXT *freeText; /* 7 */
483     STACK_OF(OSSL_CMP_ITAV) *generalInfo; /* 8 */
484 } /* OSSL_CMP_PKIHEADER */;
485
486 typedef STACK_OF(OSSL_CMP_CHALLENGE) OSSL_CMP_POPODECKEYCHALLCONTENT;
487 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYCHALLCONTENT)
488 typedef STACK_OF(ASN1_INTEGER) OSSL_CMP_POPODECKEYRESPCONTENT;
489 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYRESPCONTENT)
490 typedef STACK_OF(OSSL_CMP_REVDETAILS) OSSL_CMP_REVREQCONTENT;
491 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREQCONTENT)
492 typedef STACK_OF(X509_CRL) OSSL_CMP_CRLANNCONTENT;
493 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CRLANNCONTENT)
494 typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENMSGCONTENT;
495 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENMSGCONTENT)
496 typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENREPCONTENT;
497 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENREPCONTENT)
498
499 /*-
500  *   PKIBody ::= CHOICE {           -- message-specific body elements
501  *           ir       [0]  CertReqMessages,            --Initialization Request
502  *           ip       [1]  CertRepMessage,             --Initialization Response
503  *           cr       [2]  CertReqMessages,            --Certification Request
504  *           cp       [3]  CertRepMessage,             --Certification Response
505  *           p10cr    [4]  CertificationRequest,       --imported from [PKCS10]
506  *           popdecc  [5]  POPODecKeyChallContent,     --pop Challenge
507  *           popdecr  [6]  POPODecKeyRespContent,      --pop Response
508  *           kur      [7]  CertReqMessages,            --Key Update Request
509  *           kup      [8]  CertRepMessage,             --Key Update Response
510  *           krr      [9]  CertReqMessages,            --Key Recovery Request
511  *           krp      [10] KeyRecRepContent,           --Key Recovery Response
512  *           rr       [11] RevReqContent,              --Revocation Request
513  *           rp       [12] RevRepContent,              --Revocation Response
514  *           ccr      [13] CertReqMessages,            --Cross-Cert. Request
515  *           ccp      [14] CertRepMessage,             --Cross-Cert. Response
516  *           ckuann   [15] CAKeyUpdAnnContent,         --CA Key Update Ann.
517  *           cann     [16] CertAnnContent,             --Certificate Ann.
518  *           rann     [17] RevAnnContent,              --Revocation Ann.
519  *           crlann   [18] CRLAnnContent,              --CRL Announcement
520  *           pkiconf  [19] PKIConfirmContent,          --Confirmation
521  *           nested   [20] NestedMessageContent,       --Nested Message
522  *           genm     [21] GenMsgContent,              --General Message
523  *           genp     [22] GenRepContent,              --General Response
524  *           error    [23] ErrorMsgContent,            --Error Message
525  *           certConf [24] CertConfirmContent,         --Certificate confirm
526  *           pollReq  [25] PollReqContent,             --Polling request
527  *           pollRep  [26] PollRepContent              --Polling response
528  */
529 typedef struct ossl_cmp_pkibody_st {
530     int type;
531     union {
532         OSSL_CRMF_MSGS *ir; /* 0 */
533         OSSL_CMP_CERTREPMESSAGE *ip; /* 1 */
534         OSSL_CRMF_MSGS *cr; /* 2 */
535         OSSL_CMP_CERTREPMESSAGE *cp; /* 3 */
536         /* p10cr      [4]  CertificationRequest,     --imported from [PKCS10] */
537         /*
538          * PKCS10_CERTIFICATIONREQUEST is effectively X509_REQ
539          * so it is used directly
540          */
541         X509_REQ *p10cr; /* 4 */
542         /* popdecc    [5]  POPODecKeyChallContent, --pop Challenge */
543         /* POPODecKeyChallContent ::= SEQUENCE OF Challenge */
544         OSSL_CMP_POPODECKEYCHALLCONTENT *popdecc; /* 5 */
545         /* popdecr    [6]  POPODecKeyRespContent,  --pop Response */
546         /* POPODecKeyRespContent ::= SEQUENCE OF INTEGER */
547         OSSL_CMP_POPODECKEYRESPCONTENT *popdecr; /* 6 */
548         OSSL_CRMF_MSGS *kur; /* 7 */
549         OSSL_CMP_CERTREPMESSAGE *kup; /* 8 */
550         OSSL_CRMF_MSGS *krr; /* 9 */
551
552         /* krp        [10] KeyRecRepContent,         --Key Recovery Response */
553         OSSL_CMP_KEYRECREPCONTENT *krp; /* 10 */
554         /* rr         [11] RevReqContent,            --Revocation Request */
555         OSSL_CMP_REVREQCONTENT *rr; /* 11 */
556         /* rp         [12] RevRepContent,            --Revocation Response */
557         OSSL_CMP_REVREPCONTENT *rp; /* 12 */
558         /* ccr        [13] CertReqMessages,          --Cross-Cert. Request */
559         OSSL_CRMF_MSGS *ccr; /* 13 */
560         /* ccp        [14] CertRepMessage,           --Cross-Cert. Response */
561         OSSL_CMP_CERTREPMESSAGE *ccp; /* 14 */
562         /* ckuann     [15] CAKeyUpdAnnContent,       --CA Key Update Ann. */
563         OSSL_CMP_CAKEYUPDANNCONTENT *ckuann; /* 15 */
564         /* cann       [16] CertAnnContent,           --Certificate Ann. */
565         /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
566         X509 *cann;         /* 16 */
567         /* rann       [17] RevAnnContent,            --Revocation Ann. */
568         OSSL_CMP_REVANNCONTENT *rann; /* 17 */
569         /* crlann     [18] CRLAnnContent,            --CRL Announcement */
570         /* CRLAnnContent ::= SEQUENCE OF CertificateList */
571         OSSL_CMP_CRLANNCONTENT *crlann;
572         /* PKIConfirmContent ::= NULL */
573         /* pkiconf    [19] PKIConfirmContent,        --Confirmation */
574         /* OSSL_CMP_PKICONFIRMCONTENT would be only a typedef of ASN1_NULL */
575         /* OSSL_CMP_CONFIRMCONTENT *pkiconf; */
576         /*
577          * NOTE: this should ASN1_NULL according to the RFC
578          * but there might be a struct in it when sent from faulty servers...
579          */
580         ASN1_TYPE *pkiconf; /* 19 */
581         /* nested     [20] NestedMessageContent,     --Nested Message */
582         /* NestedMessageContent ::= PKIMessages */
583         OSSL_CMP_MSGS *nested; /* 20 */
584         /* genm       [21] GenMsgContent,            --General Message */
585         /* GenMsgContent ::= SEQUENCE OF InfoTypeAndValue */
586         OSSL_CMP_GENMSGCONTENT *genm; /* 21 */
587         /* genp       [22] GenRepContent,            --General Response */
588         /* GenRepContent ::= SEQUENCE OF InfoTypeAndValue */
589         OSSL_CMP_GENREPCONTENT *genp; /* 22 */
590         /* error      [23] ErrorMsgContent,          --Error Message */
591         OSSL_CMP_ERRORMSGCONTENT *error; /* 23 */
592         /* certConf [24] CertConfirmContent,     --Certificate confirm */
593         OSSL_CMP_CERTCONFIRMCONTENT *certConf; /* 24 */
594         /* pollReq    [25] PollReqContent,           --Polling request */
595         OSSL_CMP_POLLREQCONTENT *pollReq;
596         /* pollRep    [26] PollRepContent            --Polling response */
597         OSSL_CMP_POLLREPCONTENT *pollRep;
598     } value;
599 } OSSL_CMP_PKIBODY;
600 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
601
602 /*-
603  *   PKIProtection ::= BIT STRING
604  *
605  *   PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage
606  *
607  *    PKIMessage ::= SEQUENCE {
608  *           header           PKIHeader,
609  *           body             PKIBody,
610  *           protection   [0] PKIProtection OPTIONAL,
611  *           extraCerts   [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
612  *                                            OPTIONAL
613  *   }
614  */
615 struct ossl_cmp_msg_st {
616     OSSL_CMP_PKIHEADER *header;
617     OSSL_CMP_PKIBODY *body;
618     ASN1_BIT_STRING *protection; /* 0 */
619     /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
620     STACK_OF(X509) *extraCerts; /* 1 */
621 } /* OSSL_CMP_MSG */;
622 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSG)
623 DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
624
625 /*-
626  * ProtectedPart ::= SEQUENCE {
627  * header    PKIHeader,
628  * body      PKIBody
629  * }
630  */
631 typedef struct cmp_protectedpart_st {
632     OSSL_CMP_PKIHEADER *header;
633     OSSL_CMP_PKIBODY *body;
634 } CMP_PROTECTEDPART;
635 DECLARE_ASN1_FUNCTIONS(CMP_PROTECTEDPART)
636
637 /*-
638  *  this is not defined here as it is already in CRMF:
639  *   id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13}
640  *   PBMParameter ::= SEQUENCE {
641  *           salt                OCTET STRING,
642  *           -- note:  implementations MAY wish to limit acceptable sizes
643  *           -- of this string to values appropriate for their environment
644  *           -- in order to reduce the risk of denial-of-service attacks
645  *           owf                 AlgorithmIdentifier,
646  *           -- AlgId for a One-Way Function (SHA-1 recommended)
647  *           iterationCount      INTEGER,
648  *           -- number of times the OWF is applied
649  *           -- note:  implementations MAY wish to limit acceptable sizes
650  *           -- of this integer to values appropriate for their environment
651  *           -- in order to reduce the risk of denial-of-service attacks
652  *           mac                 AlgorithmIdentifier
653  *           -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
654  *   }       -- or HMAC [RFC2104, RFC2202])
655  */
656 /*-
657  *  TODO: this is not yet defined here - but DH is anyway not used yet
658  *
659  *   id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30}
660  *   DHBMParameter ::= SEQUENCE {
661  *           owf                 AlgorithmIdentifier,
662  *           -- AlgId for a One-Way Function (SHA-1 recommended)
663  *           mac                 AlgorithmIdentifier
664  *           -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
665  *   }       -- or HMAC [RFC2104, RFC2202])
666  */
667 /*-
668  * The following is not cared for, because it is described in section 5.2.5
669  * that this is beyond the scope of CMP
670  *   OOBCert ::= CMPCertificate
671  *
672  *   OOBCertHash ::= SEQUENCE {
673  *           hashAlg         [0] AlgorithmIdentifier         OPTIONAL,
674  *           certId          [1] CertId                      OPTIONAL,
675  *           hashVal             BIT STRING
676  *           -- hashVal is calculated over the DER encoding of the
677  *           -- self-signed certificate with the identifier certID.
678  *   }
679  */
680
681 /*
682  * functions
683  */
684
685 /* from cmp_asn.c */
686 int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a);
687
688 /* from cmp_util.c */
689 const char *ossl_cmp_log_parse_metadata(const char *buf,
690                                         OSSL_CMP_severity *level, char **func,
691                                         char **file, int *line);
692 /* workaround for 4096 bytes limitation of ERR_print_errors_cb() */
693 void ossl_cmp_add_error_txt(const char *separator, const char *txt);
694 # define ossl_cmp_add_error_data(txt) ossl_cmp_add_error_txt(" : ", txt)
695 # define ossl_cmp_add_error_line(txt) ossl_cmp_add_error_txt("\n", txt)
696 /* functions manipulating lists of certificates etc could be generally useful */
697 int ossl_cmp_sk_X509_add1_cert (STACK_OF(X509) *sk, X509 *cert,
698                                 int no_dup, int prepend);
699 int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs,
700                                 int no_self_signed, int no_dups, int prepend);
701 int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
702                                    int only_self_signed);
703 STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store);
704 int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
705                                     const ASN1_OCTET_STRING *src);
706 int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
707                                           const unsigned char *bytes, int len);
708 STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert);
709
710 /* from cmp_ctx.c */
711 int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert);
712 int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status);
713 int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx,
714                                    OSSL_CMP_PKIFREETEXT *text);
715 int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info);
716 int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert);
717 int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs);
718 int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
719                                    STACK_OF(X509) *extraCertsIn);
720 int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
721                                  const ASN1_OCTET_STRING *nonce);
722
723 #  define OSSL_CMP_TRANSACTIONID_LENGTH 16
724
725 #endif /* !defined OSSL_CRYPTO_CMP_LOCAL_H */