1OSSL_CRMF_MSG_SET0_VALIDITY(3ossl)  OpenSSL OSSL_CRMF_MSG_SET0_VALIDITY(3ossl)
2
3
4

NAME

6       OSSL_CRMF_MSG_set0_validity, OSSL_CRMF_MSG_set_certReqId,
7       OSSL_CRMF_CERTTEMPLATE_fill, OSSL_CRMF_MSG_set0_extensions,
8       OSSL_CRMF_MSG_push0_extension, OSSL_CRMF_MSG_create_popo,
9       OSSL_CRMF_MSGS_verify_popo - functions populating and verifying CRMF
10       CertReqMsg structures
11

SYNOPSIS

13        #include <openssl/crmf.h>
14
15        int OSSL_CRMF_MSG_set0_validity(OSSL_CRMF_MSG *crm,
16                                        ASN1_TIME *notBefore, ASN1_TIME *notAfter);
17
18        int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid);
19
20        int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
21                                        EVP_PKEY *pubkey,
22                                        const X509_NAME *subject,
23                                        const X509_NAME *issuer,
24                                        const ASN1_INTEGER *serial);
25
26        int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, X509_EXTENSIONS *exts);
27
28        int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, X509_EXTENSION *ext);
29
30        int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm,
31                                      EVP_PKEY *pkey, const EVP_MD *digest,
32                                      OSSL_LIB_CTX *libctx, const char *propq);
33
34        int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
35                                       int rid, int acceptRAVerified,
36                                       OSSL_LIB_CTX *libctx, const char *propq);
37

DESCRIPTION

39       OSSL_CRMF_MSG_set0_validity() sets the notBefore and notAfter fields as
40       validity constraints in the certTemplate of crm.  Any of the notBefore
41       and notAfter parameters may be NULL, which means no constraint for the
42       respective field.  On success ownership of notBefore and notAfter is
43       transferred to crm.
44
45       OSSL_CRMF_MSG_set_certReqId() sets rid as the certReqId of crm.
46
47       OSSL_CRMF_CERTTEMPLATE_fill() sets those fields of the certTemplate
48       tmpl for which non-NULL values are provided: pubkey, subject, issuer,
49       and/or serial.  X.509 extensions may be set using
50       OSSL_CRMF_MSG_set0_extensions().  On success the reference counter of
51       the pubkey (if given) is incremented, while the subject, issuer, and
52       serial structures (if given) are copied.
53
54       OSSL_CRMF_MSG_set0_extensions() sets exts as the extensions in the
55       certTemplate of crm. Frees any pre-existing ones and consumes exts.
56
57       OSSL_CRMF_MSG_push0_extension() pushes the X509 extension ext to the
58       extensions in the certTemplate of crm.  Consumes ext.
59
60       OSSL_CRMF_MSG_create_popo() creates and sets the Proof-of-Possession
61       (POPO) according to the method meth in crm.  The library context libctx
62       and property query string propq, may be NULL to select the defaults.
63       In case the method is OSSL_CRMF_POPO_SIGNATURE the POPO is calculated
64       using the private key pkey and the digest method digest, where the
65       digest argument is ignored if pkey is of a type (such as Ed25519 and
66       Ed448) that is implicitly associated with a digest algorithm.
67
68       meth can be one of the following:
69
70       •       OSSL_CRMF_POPO_NONE       - RFC 4211, section 4, POP field
71               omitted.  CA/RA uses out-of-band method to verify POP. Note
72               that servers may fail in this case, resulting for instance in
73               HTTP error code 500 (Internal error).
74
75       •       OSSL_CRMF_POPO_RAVERIFIED - RFC 4211, section 4, explicit
76               indication that the RA has already verified the POP.
77
78       •       OSSL_CRMF_POPO_SIGNATURE  - RFC 4211, section 4.1, only case 3
79               supported so far.
80
81       •       OSSL_CRMF_POPO_KEYENC     - RFC 4211, section 4.2, only
82               indirect method (subsequentMessage/enccert) supported,
83               challenge-response exchange (challengeResp) not yet supported.
84
85       •       OSSL_CRMF_POPO_KEYAGREE   - RFC 4211, section 4.3, not yet
86               supported.
87
88       OSSL_CRMF_MSGS_verify_popo verifies the Proof-of-Possession of the
89       request with the given rid in the list of reqs. Optionally accepts
90       RAVerified. It can make use of the library context libctx and property
91       query string propq.
92

RETURN VALUES

94       All functions return 1 on success, 0 on error.
95

SEE ALSO

97       RFC 4211
98

HISTORY

100       The OpenSSL CRMF support was added in OpenSSL 3.0.
101
103       Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
104
105       Licensed under the Apache License 2.0 (the "License").  You may not use
106       this file except in compliance with the License.  You can obtain a copy
107       in the file LICENSE in the source distribution or at
108       <https://www.openssl.org/source/license.html>.
109
110
111
1123.0.9                             2023-07-27OSSL_CRMF_MSG_SET0_VALIDITY(3ossl)
Impressum