/*-
 * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 *
 * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
 */

#ifndef OSSL_CRYPTO_CRMF_LOCAL_H
# define OSSL_CRYPTO_CRMF_LOCAL_H

# include <openssl/crmf.h>
# include <openssl/err.h>

/* explicit #includes not strictly needed since implied by the above: */
# include <openssl/types.h>
# include <openssl/safestack.h>
# include <openssl/x509.h>
# include <openssl/x509v3.h>

/*-
 * Internal (library-private) layout of the CRMF ASN.1 structures.
 *
 * Each struct below mirrors the ASN.1 definition quoted in the comment that
 * precedes it, with members in the same order.  The public OSSL_CRMF_* name
 * of a struct is either its typedef or the comment at its closing brace.
 * Numbers in trailing member comments are the ASN.1 context tags [n].
 *
 * Structs that model an ASN.1 CHOICE carry an int `type` selecting which
 * member of the `value` union is currently valid; code must check `type`
 * before dereferencing any union member, since all of them share storage.
 */

/*-
 * EncryptedValue ::= SEQUENCE {
 * intendedAlg   [0] AlgorithmIdentifier  OPTIONAL,
 * -- the intended algorithm for which the value will be used
 * symmAlg       [1] AlgorithmIdentifier  OPTIONAL,
 * -- the symmetric algorithm used to encrypt the value
 * encSymmKey    [2] BIT STRING           OPTIONAL,
 * -- the (encrypted) symmetric key used to encrypt the value
 * keyAlg        [3] AlgorithmIdentifier  OPTIONAL,
 * -- algorithm used to encrypt the symmetric key
 * valueHint     [4] OCTET STRING         OPTIONAL,
 * -- a brief description or identifier of the encValue content
 * -- (may be meaningful only to the sending entity, and
 * -- used only if EncryptedValue might be re-examined
 * -- by the sending entity in the future)
 * encValue       BIT STRING
 * -- the encrypted value itself
 * }
 */
struct ossl_crmf_encryptedvalue_st {
    X509_ALGOR *intendedAlg; /* 0 */
    X509_ALGOR *symmAlg; /* 1 */
    ASN1_BIT_STRING *encSymmKey; /* 2 */
    X509_ALGOR *keyAlg; /* 3 */
    ASN1_OCTET_STRING *valueHint; /* 4 */
    ASN1_BIT_STRING *encValue; /* the only non-OPTIONAL member */
} /* OSSL_CRMF_ENCRYPTEDVALUE */;

/*-
 * Attributes ::= SET OF Attribute
 * => X509_ATTRIBUTE
 *
 * PrivateKeyInfo ::= SEQUENCE {
 * version                       INTEGER,
 * privateKeyAlgorithm           AlgorithmIdentifier,
 * privateKey                    OCTET STRING,
 * attributes           [0]      IMPLICIT Attributes OPTIONAL
 * }
 */
typedef struct ossl_crmf_privatekeyinfo_st {
    ASN1_INTEGER *version;
    X509_ALGOR *privateKeyAlgorithm;
    ASN1_OCTET_STRING *privateKey; /* raw private key material; handle as secret */
    STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
} OSSL_CRMF_PRIVATEKEYINFO;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PRIVATEKEYINFO)

/*-
 * section 4.2.1 Private Key Info Content Type
 * id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21}
 *
 * EncKeyWithID ::= SEQUENCE {
 * privateKey           PrivateKeyInfo,
 * identifier CHOICE {
 * string               UTF8String,
 * generalName          GeneralName
 * } OPTIONAL
 * }
 */
typedef struct ossl_crmf_enckeywithid_identifier_st {
    int type; /* selects the valid member of `value` (CHOICE) */
    union {
        ASN1_UTF8STRING *string;
        GENERAL_NAME *generalName;
    } value;
} OSSL_CRMF_ENCKEYWITHID_IDENTIFIER;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER)

typedef struct ossl_crmf_enckeywithid_st {
    OSSL_CRMF_PRIVATEKEYINFO *privateKey;
    /* [0] */
    OSSL_CRMF_ENCKEYWITHID_IDENTIFIER *identifier; /* OPTIONAL; may be NULL */
} OSSL_CRMF_ENCKEYWITHID;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID)

/*-
 * CertId ::= SEQUENCE {
 * issuer           GeneralName,
 * serialNumber     INTEGER
 * }
 */
struct ossl_crmf_certid_st {
    GENERAL_NAME *issuer;
    ASN1_INTEGER *serialNumber;
} /* OSSL_CRMF_CERTID */;

/*-
 * SinglePubInfo ::= SEQUENCE {
 * pubMethod INTEGER {
 * dontCare (0),
 * x500 (1),
 * web (2),
 * ldap (3) },
 * pubLocation GeneralName OPTIONAL
 * }
 */
struct ossl_crmf_singlepubinfo_st {
    ASN1_INTEGER *pubMethod; /* one of dontCare/x500/web/ldap per the ASN.1 above */
    GENERAL_NAME *pubLocation; /* OPTIONAL; may be NULL */
} /* OSSL_CRMF_SINGLEPUBINFO */;
DEFINE_STACK_OF(OSSL_CRMF_SINGLEPUBINFO)
typedef STACK_OF(OSSL_CRMF_SINGLEPUBINFO) OSSL_CRMF_PUBINFOS;


/*-
 * PKIPublicationInfo ::= SEQUENCE {
 * action INTEGER {
 * dontPublish (0),
 * pleasePublish (1) },
 * pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL
 * -- pubInfos MUST NOT be present if action is "dontPublish"
 * -- (if action is "pleasePublish" and pubInfos is omitted,
 * -- "dontCare" is assumed)
 * }
 */
struct ossl_crmf_pkipublicationinfo_st {
    ASN1_INTEGER *action;
    /* the dontPublish/pubInfos consistency rule quoted above is a protocol
     * constraint, not something this layout enforces */
    OSSL_CRMF_PUBINFOS *pubInfos;
} /* OSSL_CRMF_PKIPUBLICATIONINFO */;
DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_PKIPUBLICATIONINFO)

/*-
 * PKMACValue ::= SEQUENCE {
 * algId AlgorithmIdentifier,
 * -- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13}
 * -- parameter value is PBMParameter
 * value BIT STRING
 * }
 */
typedef struct ossl_crmf_pkmacvalue_st {
    X509_ALGOR *algId; /* PasswordBasedMac; its parameter carries the PBMParameter */
    ASN1_BIT_STRING *value; /* the MAC itself */
} OSSL_CRMF_PKMACVALUE;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKMACVALUE)

/*-
 * SubsequentMessage ::= INTEGER {
 * encrCert (0),
 * -- requests that resulting certificate be encrypted for the
 * -- end entity (following which, POP will be proven in a
 * -- confirmation message)
 * challengeResp (1)
 * -- requests that CA engage in challenge-response exchange with
 * -- end entity in order to prove private key possession
 * }
 *
 * POPOPrivKey ::= CHOICE {
 * thisMessage       [0] BIT STRING,         -- Deprecated
 * -- possession is proven in this message (which contains the private
 * -- key itself (encrypted for the CA))
 * subsequentMessage [1] SubsequentMessage,
 * -- possession will be proven in a subsequent message
 * dhMAC             [2] BIT STRING,         -- Deprecated
 * agreeMAC          [3] PKMACValue,
 * encryptedKey      [4] EnvelopedData
 * }
 */

typedef struct ossl_crmf_popoprivkey_st {
    int type; /* selects the valid member of `value` (CHOICE) */
    union {
        ASN1_BIT_STRING *thisMessage; /* 0 */ /* Deprecated */
        ASN1_INTEGER *subsequentMessage; /* 1 */
        ASN1_BIT_STRING *dhMAC; /* 2 */ /* Deprecated */
        OSSL_CRMF_PKMACVALUE *agreeMAC; /* 3 */
        /*
         * Declared as ASN1_NULL although the ASN.1 above says EnvelopedData;
         * presumably this alternative is not supported as a real payload --
         * confirm against the ASN.1 template before relying on it.
         */
        ASN1_NULL *encryptedKey; /* 4 */
    } value;
} OSSL_CRMF_POPOPRIVKEY;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY)

/*-
 * PBMParameter ::= SEQUENCE {
 * salt                    OCTET STRING,
 * owf                     AlgorithmIdentifier,
 * -- AlgId for a One-Way Function (SHA-1 recommended)
 * iterationCount          INTEGER,
 * -- number of times the OWF is applied
 * mac                     AlgorithmIdentifier
 * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
 * -- or HMAC [HMAC, RFC2202])
 * }
 */
struct ossl_crmf_pbmparameter_st {
    ASN1_OCTET_STRING *salt;
    X509_ALGOR *owf; /* one-way function; the spec's SHA-1 recommendation is historical */
    ASN1_INTEGER *iterationCount; /* peer-supplied; bounded by OSSL_CRMF_PBM_MAX_ITERATION_COUNT */
    X509_ALGOR *mac;
} /* OSSL_CRMF_PBMPARAMETER */;
/*
 * Upper bound on PBMParameter.iterationCount.  The count arrives in the
 * message and each iteration applies the OWF, so an unbounded value would
 * let a peer dictate arbitrary CPU work on the receiver (DoS).  Intended to
 * be checked wherever a received PBMParameter is consumed.
 */
# define OSSL_CRMF_PBM_MAX_ITERATION_COUNT 100000 /* if too large allows DoS */

/*-
 * POPOSigningKeyInput ::= SEQUENCE {
 * authInfo CHOICE {
 * sender              [0] GeneralName,
 * -- used only if an authenticated identity has been
 * -- established for the sender (e.g., a DN from a
 * -- previously-issued and currently-valid certificate)
 * publicKeyMAC PKMACValue },
 * -- used if no authenticated GeneralName currently exists for
 * -- the sender; publicKeyMAC contains a password-based MAC
 * -- on the DER-encoded value of publicKey
 * publicKey SubjectPublicKeyInfo -- from CertTemplate
 * }
 */
typedef struct ossl_crmf_poposigningkeyinput_authinfo_st {
    int type; /* selects the valid member of `value` (CHOICE) */
    union {
        /* 0 */ GENERAL_NAME *sender;
        /* 1 */ OSSL_CRMF_PKMACVALUE *publicKeyMAC;
    } value;
} OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO)

typedef struct ossl_crmf_poposigningkeyinput_st {
    OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO *authInfo;
    X509_PUBKEY *publicKey; /* the key whose possession is being proven */
} OSSL_CRMF_POPOSIGNINGKEYINPUT;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT)

/*-
 * POPOSigningKey ::= SEQUENCE {
 * poposkInput           [0] POPOSigningKeyInput OPTIONAL,
 * algorithmIdentifier   AlgorithmIdentifier,
 * signature             BIT STRING
 * }
 */
struct ossl_crmf_poposigningkey_st {
    OSSL_CRMF_POPOSIGNINGKEYINPUT *poposkInput; /* OPTIONAL; may be NULL */
    X509_ALGOR *algorithmIdentifier;
    ASN1_BIT_STRING *signature;
} /* OSSL_CRMF_POPOSIGNINGKEY */;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEY)

/*-
 * ProofOfPossession ::= CHOICE {
 * raVerified        [0] NULL,
 * -- used if the RA has already verified that the requester is in
 * -- possession of the private key
 * signature         [1] POPOSigningKey,
 * keyEncipherment   [2] POPOPrivKey,
 * keyAgreement      [3] POPOPrivKey
 * }
 */
typedef struct ossl_crmf_popo_st {
    int type; /* selects the valid member of `value` (CHOICE) */
    union {
        /* raVerified carries no proof of its own; it is a claim by the RA */
        ASN1_NULL *raVerified; /* 0 */
        OSSL_CRMF_POPOSIGNINGKEY *signature; /* 1 */
        OSSL_CRMF_POPOPRIVKEY *keyEncipherment; /* 2 */
        OSSL_CRMF_POPOPRIVKEY *keyAgreement; /* 3 */
    } value;
} OSSL_CRMF_POPO;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPO)

/*-
 * OptionalValidity ::= SEQUENCE {
 * notBefore [0] Time OPTIONAL,
 * notAfter  [1] Time OPTIONAL -- at least one MUST be present
 * }
 */
struct ossl_crmf_optionalvalidity_st {
    /* 0 */ ASN1_TIME *notBefore;
    /* 1 */ ASN1_TIME *notAfter;
} /* OSSL_CRMF_OPTIONALVALIDITY */;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_OPTIONALVALIDITY)

/*-
 * CertTemplate ::= SEQUENCE {
 * version      [0] Version               OPTIONAL,
 * serialNumber [1] INTEGER               OPTIONAL,
 * signingAlg   [2] AlgorithmIdentifier   OPTIONAL,
 * issuer       [3] Name                  OPTIONAL,
 * validity     [4] OptionalValidity      OPTIONAL,
 * subject      [5] Name                  OPTIONAL,
 * publicKey    [6] SubjectPublicKeyInfo  OPTIONAL,
 * issuerUID    [7] UniqueIdentifier      OPTIONAL,
 * subjectUID   [8] UniqueIdentifier      OPTIONAL,
 * extensions   [9] Extensions            OPTIONAL
 * }
 */
struct ossl_crmf_certtemplate_st {
    ASN1_INTEGER *version;
    ASN1_INTEGER *serialNumber; /* serialNumber MUST be omitted */
    /* This field is assigned by the CA during certificate creation */
    X509_ALGOR *signingAlg; /* signingAlg MUST be omitted */
    /* This field is assigned by the CA during certificate creation */
    const X509_NAME *issuer;
    OSSL_CRMF_OPTIONALVALIDITY *validity;
    const X509_NAME *subject;
    X509_PUBKEY *publicKey;
    ASN1_BIT_STRING *issuerUID; /* deprecated in version 2 */
    /* According to rfc 3280: UniqueIdentifier ::= BIT STRING */
    ASN1_BIT_STRING *subjectUID; /* deprecated in version 2 */
    /* Could be X509_EXTENSION*S*, but that's only cosmetic */
    STACK_OF(X509_EXTENSION) *extensions;
} /* OSSL_CRMF_CERTTEMPLATE */;

/*-
 * CertRequest ::= SEQUENCE {
 * certReqId     INTEGER,          -- ID for matching request and reply
 * certTemplate  CertTemplate,     -- Selected fields of cert to be issued
 * controls      Controls OPTIONAL -- Attributes affecting issuance
 * }
 */
struct ossl_crmf_certrequest_st {
    ASN1_INTEGER *certReqId;
    OSSL_CRMF_CERTTEMPLATE *certTemplate;
    STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *controls; /* OPTIONAL; may be NULL */
} /* OSSL_CRMF_CERTREQUEST */;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST)
DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST)

/*
 * AttributeTypeAndValue: a control (id-regCtrl-*) or registration info
 * (id-regInfo-*) entry.  The comment above each union member names the NID
 * it corresponds to; presumably the OID in `type` is what selects the valid
 * member, so check it before dereferencing `value`.
 */
struct ossl_crmf_attributetypeandvalue_st {
    ASN1_OBJECT *type;
    union {
        /* NID_id_regCtrl_regToken */
        ASN1_UTF8STRING *regToken;

        /* NID_id_regCtrl_authenticator */
        ASN1_UTF8STRING *authenticator;

        /* NID_id_regCtrl_pkiPublicationInfo */
        OSSL_CRMF_PKIPUBLICATIONINFO *pkiPublicationInfo;

        /* NID_id_regCtrl_oldCertID */
        OSSL_CRMF_CERTID *oldCertID;

        /* NID_id_regCtrl_protocolEncrKey */
        X509_PUBKEY *protocolEncrKey;

        /* NID_id_regInfo_utf8Pairs */
        ASN1_UTF8STRING *utf8Pairs;

        /* NID_id_regInfo_certReq */
        OSSL_CRMF_CERTREQUEST *certReq;

        /* any type not listed above, kept as an undecoded generic value */
        ASN1_TYPE *other;
    } value;
} /* OSSL_CRMF_ATTRIBUTETYPEANDVALUE */;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
DEFINE_STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)

/*-
 * CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
 * CertReqMsg ::= SEQUENCE {
 * certReq   CertRequest,
 * popo      ProofOfPossession  OPTIONAL,
 * -- content depends upon key type
 * regInfo   SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue  OPTIONAL
 * }
 */
struct ossl_crmf_msg_st {
    OSSL_CRMF_CERTREQUEST *certReq;
    /* 0 */
    OSSL_CRMF_POPO *popo; /* OPTIONAL; may be NULL */
    /* 1 */
    STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *regInfo; /* OPTIONAL; may be NULL */
} /* OSSL_CRMF_MSG */;
#endif