1=pod
2
3=head1 NAME
4
5OSSL_CRMF_MSG_set0_validity,
6OSSL_CRMF_MSG_set_certReqId,
7OSSL_CRMF_CERTTEMPLATE_fill,
8OSSL_CRMF_MSG_set0_extensions,
9OSSL_CRMF_MSG_push0_extension,
10OSSL_CRMF_MSG_create_popo,
11OSSL_CRMF_MSGS_verify_popo
12- functions populating and verifying CRMF CertReqMsg structures
13
14=head1 SYNOPSIS
15
16 #include <openssl/crmf.h>
17
18 int OSSL_CRMF_MSG_set0_validity(OSSL_CRMF_MSG *crm,
19                                 ASN1_TIME *notBefore, ASN1_TIME *notAfter);
20
21 int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid);
22
23 int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
24                                 EVP_PKEY *pubkey,
25                                 const X509_NAME *subject,
26                                 const X509_NAME *issuer,
27                                 const ASN1_INTEGER *serial);
28
29 int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, X509_EXTENSIONS *exts);
30
31 int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, X509_EXTENSION *ext);
32
33 int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm,
34                               EVP_PKEY *pkey, const EVP_MD *digest,
35                               OSSL_LIB_CTX *libctx, const char *propq);
36
37 int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
38                                int rid, int acceptRAVerified,
39                                OSSL_LIB_CTX *libctx, const char *propq);
40
41=head1 DESCRIPTION
42
43OSSL_CRMF_MSG_set0_validity() sets the I<notBefore> and I<notAfter> fields
44as validity constraints in the certTemplate of I<crm>.
45Any of the I<notBefore> and I<notAfter> parameters may be NULL,
46which means no constraint for the respective field.
47On success ownership of I<notBefore> and I<notAfter> is transferred to I<crm>.
48
49OSSL_CRMF_MSG_set_certReqId() sets I<rid> as the certReqId of I<crm>.
50
51OSSL_CRMF_CERTTEMPLATE_fill() sets those fields of the certTemplate I<tmpl>
52for which non-NULL values are provided: I<pubkey>, I<subject>, I<issuer>,
53and/or I<serial>.
54X.509 extensions may be set using OSSL_CRMF_MSG_set0_extensions().
55On success the reference counter of the I<pubkey> (if given) is incremented,
56while the I<subject>, I<issuer>, and I<serial> structures (if given) are copied.
57
58OSSL_CRMF_MSG_set0_extensions() sets I<exts> as the extensions in the
59certTemplate of I<crm>. Frees any pre-existing ones and consumes I<exts>.
60
61OSSL_CRMF_MSG_push0_extension() pushes the X509 extension I<ext> to the
62extensions in the certTemplate of I<crm>.  Consumes I<ext>.
63
64OSSL_CRMF_MSG_create_popo() creates and sets the Proof-of-Possession (POPO)
65according to the method I<meth> in I<crm>.
66The library context I<libctx> and property query string I<propq>,
67may be NULL to select the defaults.
68In case the method is OSSL_CRMF_POPO_SIGNATURE the POPO is calculated
69using the private key I<pkey> and the digest method I<digest>,
70where the I<digest> argument is ignored if I<pkey> is of a type (such as
71Ed25519 and Ed448) that is implicitly associated with a digest algorithm.
72
73I<meth> can be one of the following:
74
75=over 8
76
77=item * OSSL_CRMF_POPO_NONE       - RFC 4211, section 4, POP field omitted.
78CA/RA uses out-of-band method to verify POP. Note that servers may fail in this
79case, resulting for instance in HTTP error code 500 (Internal error).
80
81=item * OSSL_CRMF_POPO_RAVERIFIED - RFC 4211, section 4, explicit indication
82that the RA has already verified the POP.
83
84=item * OSSL_CRMF_POPO_SIGNATURE  - RFC 4211, section 4.1, only case 3 supported
85so far.
86
87=item * OSSL_CRMF_POPO_KEYENC     - RFC 4211, section 4.2, only indirect method
88(subsequentMessage/enccert) supported,
89challenge-response exchange (challengeResp) not yet supported.
90
91=item * OSSL_CRMF_POPO_KEYAGREE   - RFC 4211, section 4.3, not yet supported.
92
93=back
94
95OSSL_CRMF_MSGS_verify_popo verifies the Proof-of-Possession of the request with
96the given I<rid> in the list of I<reqs>. Optionally accepts RAVerified. It can
97make use of the library context I<libctx> and property query string I<propq>.
98
99=head1 RETURN VALUES
100
101All functions return 1 on success, 0 on error.
102
103=head1 SEE ALSO
104
105RFC 4211
106
107=head1 HISTORY
108
109The OpenSSL CRMF support was added in OpenSSL 3.0.
110
111=head1 COPYRIGHT
112
113Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
114
115Licensed under the Apache License 2.0 (the "License").  You may not use
116this file except in compliance with the License.  You can obtain a copy
117in the file LICENSE in the source distribution or at
118L<https://www.openssl.org/source/license.html>.
119
120=cut
121