1OSSL_CMP_VALIDATE_MSG(3ossl)        OpenSSL       OSSL_CMP_VALIDATE_MSG(3ossl)
2
3
4

NAME

6       OSSL_CMP_validate_msg, OSSL_CMP_validate_cert_path - functions for
7       verifying CMP message protection
8

SYNOPSIS

10        #include <openssl/cmp.h>
11        int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
12        int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
13                                        X509_STORE *trusted_store, X509 *cert);
14

DESCRIPTION

16       This is the API for validating the protection of CMP messages, which
17       includes validating CMP message sender certificates and their paths
18       while optionally checking the revocation status of the certificates(s).
19
20       OSSL_CMP_validate_msg() validates the protection of the given msg using
21       either password-based mac (PBM) or a signature algorithm.
22
23       In case of signature algorithm, the certificate to use for the
24       signature check is preferably the one provided by a call to
25       OSSL_CMP_CTX_set1_srvCert(3).  If no such sender cert has been pinned
26       then candidate sender certificates are taken from the list of
27       certificates received in the msg extraCerts, then any certificates
28       provided before via OSSL_CMP_CTX_set1_untrusted(3), and then all
29       trusted certificates provided via OSSL_CMP_CTX_set0_trustedStore(3),
30       where a candidate is acceptable only if has not expired, its subject DN
31       matches the msg sender DN (as far as present), and its subject key
32       identifier is present and matches the senderKID (as far as the latter
33       present).  Each acceptable cert is tried in the given order to see if
34       the message signature check succeeds and the cert and its path can be
35       verified using any trust store set via
36       OSSL_CMP_CTX_set0_trustedStore(3).
37
38       If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by
39       calling OSSL_CMP_CTX_set_option(3), for an Initialization Response (IP)
40       message any self-issued certificate from the msg extraCerts field may
41       also be used as trust anchor for the path verification of an acceptable
42       cert if it can be used also to validate the issued certificate returned
43       in the IP message. This is according to TS 33.310 [Network Domain
44       Security (NDS); Authentication Framework (AF)] document specified by
45       the The 3rd Generation Partnership Project (3GPP).
46
47       Any cert that has been found as described above is cached and tried
48       first when validating the signatures of subsequent messages in the same
49       transaction.
50
51       OSSL_CMP_validate_cert_path() attempts to validate the given
52       certificate and its path using the given store of trusted certs
53       (possibly including CRLs and a cert verification callback) and non-
54       trusted intermediate certs from the ctx.
55

NOTES

57       CMP is defined in RFC 4210 (and CRMF in RFC 4211).
58

RETURN VALUES

60       OSSL_CMP_validate_msg() and OSSL_CMP_validate_cert_path() return 1 on
61       success, 0 on error or validation failed.
62

SEE ALSO

64       OSSL_CMP_CTX_new(3), OSSL_CMP_exec_certreq(3)
65

HISTORY

67       The OpenSSL CMP support was added in OpenSSL 3.0.
68
70       Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
71
72       Licensed under the Apache License 2.0 (the "License").  You may not use
73       this file except in compliance with the License.  You can obtain a copy
74       in the file LICENSE in the source distribution or at
75       <https://www.openssl.org/source/license.html>.
76
77
78
793.0.5                             2022-11-01      OSSL_CMP_VALIDATE_MSG(3ossl)
Impressum