/*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
# include <openssl/x509v3.h>
# include "crypto/x509.h"
-#define IS_NULL_DN(name) (X509_NAME_get_entry(name, 0) == NULL)
+# define IS_NULL_DN(name) (X509_NAME_get_entry(name, 0) == NULL)
/*
* this structure is used to store the context for CMP sessions
int keep_alive; /* persistent connection: 0=no, 1=prefer, 2=require */
int msg_timeout; /* max seconds to wait for each CMP message round trip */
int total_timeout; /* max number of seconds an enrollment may take, incl. */
+ int tls_used; /* whether to use TLS for client-side HTTP connections */
/* attempts polling for a response if a 'waiting' PKIStatus is received */
time_t end_time; /* session start time + totaltimeout */
+# ifndef OPENSSL_NO_HTTP
OSSL_HTTP_bio_cb_t http_cb;
void *http_cb_arg; /* allows to store optional argument to cb */
+# endif
/* server authentication */
/*
X509 *cert; /* protection cert used to identify and sign for MSG_SIG_ALG */
STACK_OF(X509) *chain; /* (cached) chain of protection cert including it */
EVP_PKEY *pkey; /* the key pair corresponding to cert */
- ASN1_OCTET_STRING *referenceValue; /* optional user name for MSG_MAC_ALG */
+ ASN1_OCTET_STRING *referenceValue; /* optional username for MSG_MAC_ALG */
ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */
/* PBMParameters for MSG_MAC_ALG */
size_t pbm_slen; /* salt length, currently fixed to 16 */
ASN1_OCTET_STRING *transactionID; /* the current transaction ID */
ASN1_OCTET_STRING *senderNonce; /* last nonce sent */
ASN1_OCTET_STRING *recipNonce; /* last nonce received */
+ ASN1_OCTET_STRING *first_senderNonce; /* sender nonce when starting to poll */
ASN1_UTF8STRING *freeText; /* optional string to include each msg */
STACK_OF(OSSL_CMP_ITAV) *geninfo_ITAVs;
int implicitConfirm; /* set implicitConfirm in IR/KUR/CR messages */
/* certificate template */
EVP_PKEY *newPkey; /* explicit new private/public key for cert enrollment */
int newPkey_priv; /* flag indicating if newPkey contains private key */
- X509_NAME *issuer; /* issuer name to used in cert template */
+ X509_NAME *issuer; /* issuer name to used in cert template, also in rr */
+ ASN1_INTEGER *serialNumber; /* certificate serial number to use in rr */
int days; /* Number of days new certificates are asked to be valid for */
X509_NAME *subjectName; /* subject name to be used in cert template */
STACK_OF(GENERAL_NAME) *subjectAltNames; /* to add to the cert template */
int revocationReason; /* revocation reason code to be included in RR */
STACK_OF(OSSL_CMP_ITAV) *genm_ITAVs; /* content of general message */
- /* result returned in responses */
+ /* result returned in responses, so far supporting only one certResponse */
int status; /* PKIStatus of last received IP/CP/KUP/RP/error or -1 */
OSSL_CMP_PKIFREETEXT *statusString; /* of last IP/CP/KUP/RP/error */
int failInfoCode; /* failInfoCode of last received IP/CP/KUP/error, or -1 */
} OSSL_CMP_CAKEYUPDANNCONTENT;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
+typedef struct ossl_cmp_rootcakeyupdate_st OSSL_CMP_ROOTCAKEYUPDATE;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ROOTCAKEYUPDATE)
+
/*-
* declared already here as it will be used in OSSL_CMP_MSG (nested) and
* infoType and infoValue
OSSL_CMP_MSGS *origPKIMessage;
/* NID_id_it_suppLangTags - Supported Language Tags */
STACK_OF(ASN1_UTF8STRING) *suppLangTagsValue;
+ /* NID_id_it_certProfile - Certificate Profile */
+ STACK_OF(ASN1_UTF8STRING) *certProfile;
+ /* NID_id_it_caCerts - CA Certificates */
+ STACK_OF(X509) *caCerts;
+ /* NID_id_it_rootCaCert - Root CA Certificate */
+ X509 *rootCaCert;
+ /* NID_id_it_rootCaKeyUpdate - Root CA Certificate Update */
+ OSSL_CMP_ROOTCAKEYUPDATE *rootCaKeyUpdate;
/* this is to be used for so far undeclared objects */
ASN1_TYPE *other;
} infoValue;
* -- as is used to create and verify the certificate signature
* certReqId INTEGER,
* -- to match this confirmation with the corresponding req/rep
- * statusInfo PKIStatusInfo OPTIONAL
+ * statusInfo PKIStatusInfo OPTIONAL,
+ * hashAlg [0] AlgorithmIdentifier OPTIONAL
* }
*/
struct ossl_cmp_certstatus_st {
ASN1_OCTET_STRING *certHash;
ASN1_INTEGER *certReqId;
OSSL_CMP_PKISI *statusInfo;
+ X509_ALGOR *hashAlg; /* 0 */
} /* OSSL_CMP_CERTSTATUS */;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)
typedef STACK_OF(OSSL_CMP_CERTSTATUS) OSSL_CMP_CERTCONFIRMCONTENT;
/*-
* PKIHeader ::= SEQUENCE {
- * pvno INTEGER { cmp1999(1), cmp2000(2) },
+ * pvno INTEGER { cmp1999(1), cmp2000(2), cmp2021(3) },
* sender GeneralName,
* -- identifies the sender
* recipient GeneralName,
* } -- or HMAC [RFC2104, RFC2202])
*/
/*-
+ * Not supported:
* id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30}
* DHBMParameter ::= SEQUENCE {
* owf AlgorithmIdentifier,
* }
*/
+/*
+ * RootCaKeyUpdateContent ::= SEQUENCE {
+ * newWithNew CMPCertificate,
+ * newWithOld [0] CMPCertificate OPTIONAL,
+ * oldWithNew [1] CMPCertificate OPTIONAL
+ * }
+ */
+
+struct ossl_cmp_rootcakeyupdate_st {
+ X509 *newWithNew;
+ X509 *newWithOld;
+ X509 *oldWithNew;
+} /* OSSL_CMP_ROOTCAKEYUPDATE */;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ROOTCAKEYUPDATE)
+
/* from cmp_asn.c */
int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a);
# define ossl_cmp_info(ctx, msg) ossl_cmp_log(INFO, ctx, msg)
# define ossl_cmp_debug(ctx, msg) ossl_cmp_log(DEBUG, ctx, msg)
# define ossl_cmp_trace(ctx, msg) ossl_cmp_log(TRACE, ctx, msg)
-int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert);
+int ossl_cmp_ctx_set1_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert);
int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status);
int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx,
OSSL_CMP_PKIFREETEXT *text);
STACK_OF(X509) *extraCertsIn);
int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *nonce);
+EVP_PKEY *ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX *ctx);
+int ossl_cmp_ctx_set1_first_senderNonce(OSSL_CMP_CTX *ctx,
+ const ASN1_OCTET_STRING *nonce);
/* from cmp_status.c */
int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si);
# define OSSL_CMP_PKIBODY_POLLREP 26
# define OSSL_CMP_PKIBODY_TYPE_MAX OSSL_CMP_PKIBODY_POLLREP
/* certReqId for the first - and so far only - certificate request */
-# define OSSL_CMP_CERTREQID 0
+# define OSSL_CMP_CERTREQID 0
+# define OSSL_CMP_CERTREQID_NONE -1
+# define OSSL_CMP_CERTREQID_INVALID -2
/* sequence id for the first - and so far only - revocation request */
# define OSSL_CMP_REVREQSID 0
int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx,
int unprotected);
int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
ASN1_OCTET_STRING *hash);
-OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
- const char *text);
+OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int certReqId,
+ int fail_info, const char *text);
OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid);
OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
int64_t poll_after);
OSSL_CMP_CERTRESPONSE *
ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
int rid);
-X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep,
- const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
+X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx,
+ const OSSL_CMP_CERTRESPONSE *crep);
OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file);
+int ossl_cmp_is_error_with_waiting(const OSSL_CMP_MSG *msg);
/* from cmp_protect.c */
int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
const OSSL_CMP_MSG *msg, int accept_RAVerified);
/* from cmp_client.c */
-int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int fail_info,
- const char *txt);
+/* expected max time per msg round trip, used for last try during polling: */
+# define OSSL_CMP_EXPECTED_RESP_TIME 2
+int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId,
+ int fail_info, const char *txt);
int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info,
const char *txt, int errorCode, const char *detail);