openssl/doc/man3/OSSL_CMP_validate_msg.pod

=pod

=head1 NAME

OSSL_CMP_validate_msg,
OSSL_CMP_validate_cert_path
- functions for verifying CMP message protection

=head1 SYNOPSIS

 #include <openssl/cmp.h>
 int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
 int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
                                 X509_STORE *trusted_store, X509 *cert);

=head1 DESCRIPTION

This is the API for validating the protection of CMP messages,
which includes validating CMP message sender certificates and their paths
while optionally checking the revocation status of the certificates(s).

OSSL_CMP_validate_msg() validates the protection of the given C<msg>
using either password-based mac (PBM) or a signature algorithm.

In case of signature algorithm, the certificate to use for the signature check
is preferably the one provided by a call to L<OSSL_CMP_CTX_set1_srvCert(3)>.
If no such sender cert has been pinned then candidate sender certificates are
taken from the list of certificates received in the C<msg> extraCerts, then any
certificates provided before via L<OSSL_CMP_CTX_set1_untrusted(3)>, and
then all trusted certificates provided via L<OSSL_CMP_CTX_set0_trustedStore(3)>,
where a candidate is acceptable only if has not expired, its subject DN matches
the C<msg> sender DN (as far as present), and its subject key identifier
is present and matches the senderKID (as far as the latter present).
Each acceptable cert is tried in the given order to see if the message
signature check succeeds and the cert and its path can be verified
using any trust store set via L<OSSL_CMP_CTX_set0_trustedStore(3)>.

If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling
L<OSSL_CMP_CTX_set_option(3)>, for an Initialization Response (IP) message
any self-issued certificate from the C<msg> extraCerts field may also be used
as trust anchor for the path verification of an acceptable cert if it can be
used also to validate the issued certificate returned in the IP message. This is
according to TS 33.310 [Network Domain Security (NDS); Authentication Framework
(AF)] document specified by the The 3rd Generation Partnership Project (3GPP).

Any cert that has been found as described above is cached and tried first when
validating the signatures of subsequent messages in the same transaction.

OSSL_CMP_validate_cert_path() attempts to validate the given certificate and its
path using the given store of trusted certs (possibly including CRLs and a cert
verification callback) and non-trusted intermediate certs from the B<ctx>.

=head1 NOTES

CMP is defined in RFC 4210 (and CRMF in RFC 4211).

=head1 RETURN VALUES

OSSL_CMP_validate_msg() and OSSL_CMP_validate_cert_path()
return 1 on success, 0 on error or validation failed.

=head1 SEE ALSO

L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_certreq(3)>

=head1 HISTORY

The OpenSSL CMP support was added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
chunk 7 of CMP contribution to OpenSSL add CMP message validation and related tests; while doing so: * add ERR_add_error_mem_bio() to crypto/err/err_prn.c * move ossl_cmp_add_error_txt() as ERR_add_error_txt() to crypto/err/err_prn.c * add X509_STORE_CTX_print_verify_cb() to crypto/x509/t_x509.c, adding internally x509_print_ex_brief(), print_certs(), and print_store_certs() * move {ossl_cmp_,}X509_STORE_get1_certs() to crypto/x509/x509_lu.c Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/10620) 2020-02-15 21:57:32 +08:00			`=pod`

			`=head1 NAME`

			`OSSL_CMP_validate_msg,`
			`OSSL_CMP_validate_cert_path`
			`- functions for verifying CMP message protection`

			`=head1 SYNOPSIS`

			`#include <openssl/cmp.h>`
			`int OSSL_CMP_validate_msg(OSSL_CMP_CTX ctx, OSSL_CMP_MSG msg);`
			`int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,`
			`X509_STORE trusted_store, X509 cert);`

			`=head1 DESCRIPTION`

			`This is the API for validating the protection of CMP messages,`
			`which includes validating CMP message sender certificates and their paths`
			`while optionally checking the revocation status of the certificates(s).`

			`OSSL_CMP_validate_msg() validates the protection of the given C<msg>`
			`using either password-based mac (PBM) or a signature algorithm.`

			`In case of signature algorithm, the certificate to use for the signature check`
			`is preferably the one provided by a call to L<OSSL_CMP_CTX_set1_srvCert(3)>.`
			`If no such sender cert has been pinned then candidate sender certificates are`
			`taken from the list of certificates received in the C<msg> extraCerts, then any`
OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12788) 2020-08-28 18:42:47 +08:00			`certificates provided before via L<OSSL_CMP_CTX_set1_untrusted(3)>, and`
chunk 7 of CMP contribution to OpenSSL add CMP message validation and related tests; while doing so: * add ERR_add_error_mem_bio() to crypto/err/err_prn.c * move ossl_cmp_add_error_txt() as ERR_add_error_txt() to crypto/err/err_prn.c * add X509_STORE_CTX_print_verify_cb() to crypto/x509/t_x509.c, adding internally x509_print_ex_brief(), print_certs(), and print_store_certs() * move {ossl_cmp_,}X509_STORE_get1_certs() to crypto/x509/x509_lu.c Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/10620) 2020-02-15 21:57:32 +08:00			`then all trusted certificates provided via L<OSSL_CMP_CTX_set0_trustedStore(3)>,`
			`where a candidate is acceptable only if has not expired, its subject DN matches`
			`the C<msg> sender DN (as far as present), and its subject key identifier`
			`is present and matches the senderKID (as far as the latter present).`
			`Each acceptable cert is tried in the given order to see if the message`
			`signature check succeeds and the cert and its path can be verified`
			`using any trust store set via L<OSSL_CMP_CTX_set0_trustedStore(3)>.`

			`If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling`
			`L<OSSL_CMP_CTX_set_option(3)>, for an Initialization Response (IP) message`
			`any self-issued certificate from the C<msg> extraCerts field may also be used`
			`as trust anchor for the path verification of an acceptable cert if it can be`
			`used also to validate the issued certificate returned in the IP message. This is`
			`according to TS 33.310 [Network Domain Security (NDS); Authentication Framework`
			`(AF)] document specified by the The 3rd Generation Partnership Project (3GPP).`

			`Any cert that has been found as described above is cached and tried first when`
			`validating the signatures of subsequent messages in the same transaction.`

			`OSSL_CMP_validate_cert_path() attempts to validate the given certificate and its`
			`path using the given store of trusted certs (possibly including CRLs and a cert`
			`verification callback) and non-trusted intermediate certs from the B<ctx>.`

			`=head1 NOTES`

			`CMP is defined in RFC 4210 (and CRMF in RFC 4211).`

			`=head1 RETURN VALUES`

			`OSSL_CMP_validate_msg() and OSSL_CMP_validate_cert_path()`
			`return 1 on success, 0 on error or validation failed.`

			`=head1 SEE ALSO`

Streamline the CMP request session API, adding the generalized OSSL_CMP_exec_certreq() Fixes #12395 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12431) 2020-07-13 20:12:02 +08:00			`L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_certreq(3)>`
chunk 7 of CMP contribution to OpenSSL add CMP message validation and related tests; while doing so: * add ERR_add_error_mem_bio() to crypto/err/err_prn.c * move ossl_cmp_add_error_txt() as ERR_add_error_txt() to crypto/err/err_prn.c * add X509_STORE_CTX_print_verify_cb() to crypto/x509/t_x509.c, adding internally x509_print_ex_brief(), print_certs(), and print_store_certs() * move {ossl_cmp_,}X509_STORE_get1_certs() to crypto/x509/x509_lu.c Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/10620) 2020-02-15 21:57:32 +08:00
			`=head1 HISTORY`

			`The OpenSSL CMP support was added in OpenSSL 3.0.`

			`=head1 COPYRIGHT`

Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616) 2020-04-23 20:55:52 +08:00			`Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.`
chunk 7 of CMP contribution to OpenSSL add CMP message validation and related tests; while doing so: * add ERR_add_error_mem_bio() to crypto/err/err_prn.c * move ossl_cmp_add_error_txt() as ERR_add_error_txt() to crypto/err/err_prn.c * add X509_STORE_CTX_print_verify_cb() to crypto/x509/t_x509.c, adding internally x509_print_ex_brief(), print_certs(), and print_store_certs() * move {ossl_cmp_,}X509_STORE_get1_certs() to crypto/x509/x509_lu.c Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/10620) 2020-02-15 21:57:32 +08:00
			`Licensed under the Apache License 2.0 (the "License"). You may not use`
			`this file except in compliance with the License. You can obtain a copy`
			`in the file LICENSE in the source distribution or at`
			`L<https://www.openssl.org/source/license.html>.`

			`=cut`