Standard preamble:
========================================================================
..
.... Set up some character translations and predefined strings. \*(-- will
give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
double quote, and \*(R" will give a right double quote. \*(C+ will
give a nicer C++. Capital omega is used to do unbreakable dashes and
therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
nothing in troff, for use with C<>.
.tr \(*W- . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\}
Escape single quotes in literal strings from groff's Unicode transform.
If the F register is >0, we'll generate index entries on stderr for
titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
entries marked with X<> in POD. Of course, you'll have to process the
output yourself in some meaningful fashion.
Avoid warning from groff about undefined register 'F'.
.. .nr rF 0 . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] .\} . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents . \" corrections for vroff . \" for low resolution devices (crt and lpr) \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} ========================================================================
Title "OSSL_CMP_EXEC_CERTREQ 3ossl"
way too many mistakes in technical documents.
All functions take a populated \s-1OSSL_CMP_CTX\s0 structure as their first argument. Usually the server name, port, and path (\*(L"\s-1CMP\s0 alias\*(R") need to be set, as well as credentials the client can use for authenticating itself to the server. In order to authenticate the server the client typically needs a trust store. The functions return their respective main results directly, while there are also accessor functions for retrieving various results and status information from the ctx. See OSSL_CMP_CTX_new\|(3) etc. for details.
The default conveying protocol is \s-1HTTP.\s0 Timeout values may be given per request-response pair and per transaction. See OSSL_CMP_MSG_http_perform\|(3) for details.
\fBOSSL_CMP_exec_IR_ses() requests an initial certificate from the given \s-1PKI.\s0
\fBOSSL_CMP_exec_CR_ses() requests an additional certificate.
\fBOSSL_CMP_exec_P10CR_ses() conveys a legacy PKCS#10 \s-1CSR\s0 requesting a certificate.
\fBOSSL_CMP_exec_KUR_ses() obtains an updated certificate.
These four types of certificate enrollment are implemented as macros calling OSSL_CMP_exec_certreq().
\fBOSSL_CMP_exec_certreq() performs a certificate request of the type specified by the req_type parameter, which may be \s-1IR, CR, P10CR,\s0 or \s-1KUR.\s0 For \s-1IR, CR,\s0 and \s-1KUR,\s0 the certificate template to be used in the request may be supplied via the crm parameter pointing to a \s-1CRMF\s0 structure. Typically crm is \s-1NULL,\s0 then the template ingredients are taken from ctx and need to be filled in using OSSL_CMP_CTX_set1_subjectName\|(3), \fBOSSL_CMP_CTX_set0_newPkey\|(3), OSSL_CMP_CTX_set1_oldCert\|(3), etc. For P10CR, OSSL_CMP_CTX_set1_p10CSR\|(3) needs to be used instead. The enrollment session may be blocked by sleeping until the addressed \s-1CA\s0 (or an intermediate \s-1PKI\s0 component) can fully process and answer the request.
\fBOSSL_CMP_try_certreq() is an alternative to the above functions that is more flexible regarding what to do after receiving a checkAfter value. When called for the first time (with no certificate request in progress for the given ctx) it starts a new transaction by sending a certificate request constructed as stated above using the req_type and optional crm parameter. Otherwise (when according to ctx a 'waiting' status has been received before) it continues polling for the pending request unless the req_type argument is < 0, which aborts the request. If the requested certificate is available the function returns 1 and the caller can use OSSL_CMP_CTX_get0_newCert\|(3) to retrieve the new certificate. If no error occurred but no certificate is available yet then \fBOSSL_CMP_try_certreq() remembers in the \s-1CMP\s0 context that it should be retried and returns -1 after assigning the received checkAfter value via the output pointer argument (unless it is \s-1NULL\s0). The checkAfter value indicates the number of seconds the caller should let pass before trying again. The caller is free to sleep for the given number of seconds or for some other time and/or to do anything else before retrying by calling \fBOSSL_CMP_try_certreq() again with the same parameter values as before. \fBOSSL_CMP_try_certreq() then polls to see whether meanwhile the requested certificate is available. If the caller decides to abort the pending certificate request and provides a negative value as the req_type argument then OSSL_CMP_try_certreq() aborts the \s-1CMP\s0 transaction by sending an error message to the server.
\fBOSSL_CMP_exec_RR_ses() requests the revocation of the certificate specified in the ctx using OSSL_CMP_CTX_set1_oldCert\|(3). \s-1RFC 4210\s0 is vague in which PKIStatus should be returned by the server. We take \*(L"accepted\*(R" and \*(L"grantedWithMods\*(R" as clear success and handle \*(L"revocationWarning\*(R" and \*(L"revocationNotification\*(R" just as warnings because CAs typically return them as an indication that the certificate was already revoked. \*(L"rejection\*(R" is a clear error. The values \*(L"waiting\*(R" and \*(L"keyUpdateWarning\*(R" make no sense for revocation and thus are treated as an error as well.
\fBOSSL_CMP_exec_GENM_ses() sends a general message containing the sequence of infoType and infoValue pairs (InfoTypeAndValue; short: \s-1ITAV\s0) optionally provided in the ctx using OSSL_CMP_CTX_push0_genm_ITAV\|(3). On success it records in ctx the status OSSL_CMP_PKISTATUS_accepted and returns the list of \s-1ITAV\s0s received in the \s-1GENP\s0 message. This can be used, for instance, to poll for CRLs or \s-1CA\s0 Key Updates. See \s-1RFC 4210\s0 section 5.3.19 and appendix E.5 for details.
The \s-1CMP\s0 client implementation is limited to one request per \s-1CMP\s0 message (and consequently to at most one response component per \s-1CMP\s0 message).
When a client obtains from a \s-1CMP\s0 server \s-1CA\s0 certificates that it is going to trust, for instance via the caPubs field of a certificate response, authentication of the \s-1CMP\s0 server is particularly critical. So special care must be taken setting up server authentication in ctx using functions such as \fBOSSL_CMP_CTX_set0_trustedStore\|(3) (for certificate-based authentication) or \fBOSSL_CMP_CTX_set1_secretValue\|(3) (for MAC-based protection).
\fBOSSL_CMP_try_certreq() returns 1 if the requested certificate is available via OSSL_CMP_CTX_get0_newCert\|(3) or on successfully aborting a pending certificate request, 0 on error, and -1 in case a 'waiting' status has been received and checkAfter value is available. In the latter case OSSL_CMP_CTX_get0_newCert\|(3) yields \s-1NULL\s0 and the output parameter checkAfter has been used to assign the received value unless checkAfter is \s-1NULL.\s0
\fBOSSL_CMP_exec_RR_ses() returns 1 on success, 0 on error.
\fBOSSL_CMP_exec_GENM_ses() returns \s-1NULL\s0 on error, otherwise a pointer to the sequence of \s-1ITAV\s0 received, which may be empty. This pointer must be freed by the caller.
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at <https://www.openssl.org/source/license.html>.