ESS: Export three core functions, clean up TS and CMS CAdES-BES usage

Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14601)
2021-03-15 20:24:40 +01:00 · 2021-03-15 20:24:40 +01:00 · 1751768cd1
parent 624359374b
commit 1751768cd1
15 changed files with 168 additions and 66 deletions
--- a/crypto/cms/cms_ess.c
+++ b/crypto/cms/cms_ess.c
@ -53,7 +53,7 @@ int ossl_cms_check_signing_certs(const CMS_SignerInfo *si,
    ESS_SIGNING_CERT_V2 *ssv2 = NULL;
    int ret = ossl_cms_signerinfo_get_signing_cert(si, &ss) >= 0
        && ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) >= 0
-        && ossl_ess_check_signing_certs(ss, ssv2, chain, 1);
+        && OSSL_ESS_check_signing_certs(ss, ssv2, chain, 1) > 0;
    ESS_SIGNING_CERT_free(ss);
    ESS_SIGNING_CERT_V2_free(ssv2);
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@ -377,13 +377,13 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
            int add_sc;
            if (md == NULL || EVP_MD_is_a(md, SN_sha1)) {
-                if ((sc = ossl_ess_signing_cert_new_init(signer,
+                if ((sc = OSSL_ESS_signing_cert_new_init(signer,
                                                         NULL, 1)) == NULL)
                    goto err;
                add_sc = ossl_cms_add1_signing_cert(si, sc);
                ESS_SIGNING_CERT_free(sc);
            } else {
-                if ((sc2 = ossl_ess_signing_cert_v2_new_init(md, signer,
+                if ((sc2 = OSSL_ESS_signing_cert_v2_new_init(md, signer,
                                                             NULL, 1)) == NULL)
                    goto err;
                add_sc = ossl_cms_add1_signing_cert_v2(si, sc2);
--- a/crypto/ess/ess_asn1.c
+++ b/crypto/ess/ess_asn1.c
@ -58,12 +58,13 @@ ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = {
 IMPLEMENT_ASN1_FUNCTIONS(ESS_SIGNING_CERT_V2)
 IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
 /* TODO the following two functions should be moved to ../cms/ */
 /* No cms support means no CMS_SignerInfo* definitions */
 #ifndef OPENSSL_NO_CMS
 /*
- * Returns < 0 if attribute is not found, 1 if found, or 
+ * Returns 0 if attribute is not found, 1 if found,
- * -1 on attribute parsing failure.
+ * or -1 on attribute parsing failure.
 */
 int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
                                            ESS_SIGNING_CERT_V2 **psc)
@ -89,8 +90,8 @@ int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
 }
 /*
- * Returns < 0 if attribute is not found, 1 if found, or 
+ * Returns 0 if attribute is not found, 1 if found,
- * -1 on attribute parsing failure.
+ * or -1 on attribute parsing failure.
 */
 int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si,
                                         ESS_SIGNING_CERT **psc)
--- a/crypto/ess/ess_lib.c
+++ b/crypto/ess/ess_lib.c
@ -15,13 +15,15 @@
 #include "crypto/ess.h"
 #include "crypto/x509.h"
-static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed);
+static ESS_CERT_ID *ESS_CERT_ID_new_init(const X509 *cert,
                                         int set_issuer_serial);
 static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
-                                               X509 *cert, int issuer_needed);
+                                               const X509 *cert,
                                               int set_issuer_serial);
-ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
+ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
-                                                 STACK_OF(X509) *certs,
+                                                 const STACK_OF(X509) *certs,
-                                                 int issuer_needed)
+                                                 int set_issuer_serial)
 {
    ESS_CERT_ID *cid = NULL;
    ESS_SIGNING_CERT *sc;
@ -33,11 +35,12 @@ ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
        && (sc->cert_ids = sk_ESS_CERT_ID_new_null()) == NULL)
        goto err;
-    if ((cid = ESS_CERT_ID_new_init(signcert, issuer_needed)) == NULL
+    if ((cid = ESS_CERT_ID_new_init(signcert, set_issuer_serial)) == NULL
        || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
        goto err;
    for (i = 0; i < sk_X509_num(certs); ++i) {
        X509 *cert = sk_X509_value(certs, i);
        if ((cid = ESS_CERT_ID_new_init(cert, 1)) == NULL
            || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
            goto err;
@ -51,26 +54,22 @@ ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
    return NULL;
 }
-static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
+static ESS_CERT_ID *ESS_CERT_ID_new_init(const X509 *cert,
                                         int set_issuer_serial)
 {
    ESS_CERT_ID *cid = NULL;
    GENERAL_NAME *name = NULL;
    unsigned char cert_sha1[SHA_DIGEST_LENGTH];
    /* Call for side-effect of computing hash and caching extensions */
    if (!ossl_x509v3_cache_extensions(cert))
        return NULL;
    if ((cid = ESS_CERT_ID_new()) == NULL)
        goto err;
    /* TODO(3.0): fetch sha1 algorithm from providers */
    if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL))
        goto err;
    if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH))
        goto err;
    /* Setting the issuer/serial if requested. */
-    if (!issuer_needed)
+    if (!set_issuer_serial)
        return cid;
    if (cid->issuer_serial == NULL
@ -97,10 +96,11 @@ static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
    return NULL;
 }
-ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
+ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
-                                                       X509 *signcert,
+                                                       const X509 *signcert,
                                                       const
                                                       STACK_OF(X509) *certs,
-                                                       int issuer_needed)
+                                                       int set_issuer_serial)
 {
    ESS_CERT_ID_V2 *cid = NULL;
    ESS_SIGNING_CERT_V2 *sc;
@ -108,7 +108,8 @@ ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
    if ((sc = ESS_SIGNING_CERT_V2_new()) == NULL)
        goto err;
-    if ((cid = ESS_CERT_ID_V2_new_init(hash_alg, signcert, issuer_needed)) == NULL)
+    cid = ESS_CERT_ID_V2_new_init(hash_alg, signcert, set_issuer_serial);
    if (cid == NULL)
        goto err;
    if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid))
        goto err;
@ -133,7 +134,8 @@ ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
 }
 static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
-                                               X509 *cert, int issuer_needed)
+                                               const X509 *cert,
                                               int set_issuer_serial)
 {
    ESS_CERT_ID_V2 *cid;
    GENERAL_NAME *name = NULL;
@ -159,14 +161,13 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
        cid->hash_alg = NULL;
    }
    /* TODO(3.0): fetch sha1 algorithm from providers */
    if (!X509_digest(cert, hash_alg, hash, &hash_len))
        goto err;
    if (!ASN1_OCTET_STRING_set(cid->hash, hash, hash_len))
        goto err;
-    if (!issuer_needed)
+    if (!set_issuer_serial)
        return cid;
    if ((cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL)
@ -193,6 +194,7 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
    return NULL;
 }
 /* TODO the following four functions should be moved to ../ts/ */
 ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
 {
    ASN1_TYPE *attr;
@ -295,8 +297,8 @@ static int ess_issuer_serial_cmp(const ESS_ISSUER_SERIAL *is, const X509 *cert)
 }
 /*
- * Find cert referenced by |cid| (if not NULL, else |cidv2|) in |certs|.
+ * Find the cert in |certs| referenced by |cid| if not NULL, else by |cid_v2|.
- * If the cid{,v2} index is 0, the cert must be in the first in |certs| list.
+ * The cert must be the first one in |certs| if and only if |index| is 0.
 * Return 0 on not found, -1 on error, else 1 + the position in |certs|.
 */
 static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2,
@ -336,7 +338,6 @@ static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2,
    }
    (void)ERR_pop_to_mark();
    /* Look for cert with cid in the certs. */
    for (i = 0; i < sk_X509_num(certs); ++i) {
        cert = sk_X509_value(certs, i);
@ -369,34 +370,33 @@ end:
    return ret;
 }
-/*
+int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
 * If ESSCertID and/or ESSCertIDv2 exist, which must be non-empty if given,
 * check if their first ID entry matches the signer cert first in chain
 * and each further ID entry matches any further cert in the chain.
 */
 int ossl_ess_check_signing_certs(const ESS_SIGNING_CERT *ss,
                                 const ESS_SIGNING_CERT_V2 *ssv2,
                                 const STACK_OF(X509) *chain,
                                 int require_signing_cert)
 {
    int n_v1 = ss == NULL ? -1 : sk_ESS_CERT_ID_num(ss->cert_ids);
    int n_v2 = ssv2 == NULL ? -1 : sk_ESS_CERT_ID_V2_num(ssv2->cert_ids);
-    int i;
+    int i, ret;
    if (require_signing_cert && ss == NULL && ssv2 == NULL) {
        ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE);
-        return 0;
+        return -1;
    }
    if (n_v1 == 0 || n_v2 == 0) {
        ERR_raise(ERR_LIB_ESS, ESS_R_EMPTY_ESS_CERT_ID_LIST);
-        return 0;
+        return -1;
    }
    /* If both ss and ssv2 exist, as required evaluate them independently. */
-    for (i = 0; i < n_v1; i++)
+    for (i = 0; i < n_v1; i++) {
-        if (find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain) <= 0)
+        ret = find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain);
-            return 0;
+        if (ret <= 0)
-    for (i = 0; i < n_v2; i++)
+            return ret;
-        if (find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain) <= 0)
+    }
-            return 0;
+    for (i = 0; i < n_v2; i++) {
        ret = find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain);
        if (ret <= 0)
            return ret;
    }
    return 1;
 }
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@ -687,7 +687,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
    certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL;
    if (ctx->ess_cert_id_digest == NULL
        || EVP_MD_is_a(ctx->ess_cert_id_digest, SN_sha1)) {
-        if ((sc = ossl_ess_signing_cert_new_init(ctx->signer_cert,
+        if ((sc = OSSL_ESS_signing_cert_new_init(ctx->signer_cert,
                                                 certs, 0)) == NULL)
            goto err;
@ -696,7 +696,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
            goto err;
        }
    } else {
-        sc2 = ossl_ess_signing_cert_v2_new_init(ctx->ess_cert_id_digest,
+        sc2 = OSSL_ESS_signing_cert_v2_new_init(ctx->ess_cert_id_digest,
                                                ctx->signer_cert, certs, 0);
        if (sc2 == NULL)
            goto err;
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@ -208,7 +208,7 @@ static int ts_check_signing_certs(const PKCS7_SIGNER_INFO *si,
 {
    ESS_SIGNING_CERT *ss = ossl_ess_get_signing_cert(si);
    ESS_SIGNING_CERT_V2 *ssv2 = ossl_ess_get_signing_cert_v2(si);
-    int ret = ossl_ess_check_signing_certs(ss, ssv2, chain, 1);
+    int ret = OSSL_ESS_check_signing_certs(ss, ssv2, chain, 1) > 0;
    ESS_SIGNING_CERT_free(ss);
    ESS_SIGNING_CERT_V2_free(ssv2);
--- a/doc/build.info
+++ b/doc/build.info
@ -1602,6 +1602,10 @@ DEPEND[html/man3/OSSL_ENCODER_to_bio.html]=man3/OSSL_ENCODER_to_bio.pod
 GENERATE[html/man3/OSSL_ENCODER_to_bio.html]=man3/OSSL_ENCODER_to_bio.pod
 DEPEND[man/man3/OSSL_ENCODER_to_bio.3]=man3/OSSL_ENCODER_to_bio.pod
 GENERATE[man/man3/OSSL_ENCODER_to_bio.3]=man3/OSSL_ENCODER_to_bio.pod
 DEPEND[html/man3/OSSL_ESS_check_signing_certs.html]=man3/OSSL_ESS_check_signing_certs.pod
 GENERATE[html/man3/OSSL_ESS_check_signing_certs.html]=man3/OSSL_ESS_check_signing_certs.pod
 DEPEND[man/man3/OSSL_ESS_check_signing_certs.3]=man3/OSSL_ESS_check_signing_certs.pod
 GENERATE[man/man3/OSSL_ESS_check_signing_certs.3]=man3/OSSL_ESS_check_signing_certs.pod
 DEPEND[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod
 GENERATE[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod
 DEPEND[man/man3/OSSL_HTTP_REQ_CTX.3]=man3/OSSL_HTTP_REQ_CTX.pod
@ -3050,6 +3054,7 @@ html/man3/OSSL_ENCODER.html \
 html/man3/OSSL_ENCODER_CTX.html \
 html/man3/OSSL_ENCODER_CTX_new_for_pkey.html \
 html/man3/OSSL_ENCODER_to_bio.html \
 html/man3/OSSL_ESS_check_signing_certs.html \
 html/man3/OSSL_HTTP_REQ_CTX.html \
 html/man3/OSSL_HTTP_parse_url.html \
 html/man3/OSSL_HTTP_transfer.html \
@ -3625,6 +3630,7 @@ man/man3/OSSL_ENCODER.3 \
 man/man3/OSSL_ENCODER_CTX.3 \
 man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 \
 man/man3/OSSL_ENCODER_to_bio.3 \
 man/man3/OSSL_ESS_check_signing_certs.3 \
 man/man3/OSSL_HTTP_REQ_CTX.3 \
 man/man3/OSSL_HTTP_parse_url.3 \
 man/man3/OSSL_HTTP_transfer.3 \
--- a/doc/man3/CMS_verify.pod
+++ b/doc/man3/CMS_verify.pod
@ -122,6 +122,7 @@ be held in memory if it is not detached.
 =head1 SEE ALSO
 L<OSSL_ESS_check_signing_certs(3)>,
 L<ERR_get_error(3)>, L<CMS_sign(3)>
 =head1 COPYRIGHT
--- a/doc/man3/OSSL_ESS_check_signing_certs.pod
+++ b/doc/man3/OSSL_ESS_check_signing_certs.pod
@ -0,0 +1,88 @@
 =pod
 =head1 NAME
 OSSL_ESS_signing_cert_new_init,
 OSSL_ESS_signing_cert_v2_new_init,
 OSSL_ESS_check_signing_certs
 - Enhanced Security Services (ESS) functions
 =head1 SYNOPSIS
 #include <openssl/ess.h>
 ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
                                                  const STACK_OF(X509) *certs,
                                                  int set_issuer_serial);
 ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
                                                        const X509 *signcert,
                                                        const
                                                        STACK_OF(X509) *certs,
                                                        int set_issuer_serial);
 int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
                                  const ESS_SIGNING_CERT_V2 *ssv2,
                                  const STACK_OF(X509) *chain,
                                  int require_signing_cert);
 =head1 DESCRIPTION
 OSSL_ESS_signing_cert_new_init() generates a new B<ESS_SIGNING_CERT> structure
 referencing the given I<signcert> and any given further I<certs>
 using their SHA-1 fingerprints.
 If I<set_issuer_serial> is nonzero then also the issuer and serial number
 of I<signcert> are included in the B<ESS_CERT_ID> as the B<issuerSerial> field.
 For all members of I<certs> the  B<issuerSerial> field is always included.
 OSSL_ESS_signing_cert_v2_new_init() is the same as
 OSSL_ESS_signing_cert_new_init() except that it uses the given I<hash_alg> and
 generates a B<ESS_SIGNING_CERT_V2> structure with B<ESS_CERT_ID_V2> elements.
 OSSL_ESS_check_signing_certs() checks if the validation chain I<chain> contains
 the certificates required by the identifiers given in I<ss> and/or I<ssv2>.
 If I<require_signing_cert> is nonzero, I<ss> or I<ssv2> must not be NULL.
 If both I<ss> and I<ssv2> are not NULL, they are evaluated independently.
 The list of certificate identifiers in I<ss> is of type B<ESS_CERT_ID>,
 while the list contained in I<ssv2> is of type B<ESS_CERT_ID_V2>.
 As far as these lists are present, they must be nonempty.
 The certificate identified by their first entry must be the first element of
 I<chain>, i.e. the signer certificate.
 Any further certficates referenced in the list must also be found in I<chain>.
 The matching is done using the given certificate hash algorithm and value.
 In addition to the checks required by RFCs 2624 and 5035,
 if the B<issuerSerial> field is included in an B<ESSCertID> or B<ESSCertIDv2>
 it must match the certificate issuer and serial number attributes.
 =head1 NOTES
 ESS has been defined in RFC 2634, which has been updated in RFC 5035
 (ESS version 2) to support hash algorithms other than SHA-1.
 This is used for TSP (RFC 3161) and CAdES-BES (informational RFC 5126).
 =head1 RETURN VALUES
 OSSL_ESS_signing_cert_new_init() and OSSL_ESS_signing_cert_v2_new_init()
 return a pointer to the new structure or NULL on malloc failure.
 OSSL_ESS_check_signing_certs() returns 1 on success,
 0 if a required certificate cannot be found, -1 on other error.
 =head1 SEE ALSO
 L<TS_VERIFY_CTX_set_certs(3)>,
 L<CMS_verify(3)>
 =head1 HISTORY
 OSSL_ESS_signing_cert_new_init(), OSSL_ESS_signing_cert_v2_new_init(), and
 OSSL_ESS_check_signing_certs() were added in OpenSSL 3.0.
 =head1 COPYRIGHT
 Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
 in the file LICENSE in the source distribution or at
 L<https://www.openssl.org/source/license.html>.
 =cut
--- a/doc/man3/TS_VERIFY_CTX_set_certs.pod
+++ b/doc/man3/TS_VERIFY_CTX_set_certs.pod
@ -39,6 +39,10 @@ which takes the same parameters and returns the same result.
 TS_VERIFY_CTX_set_certs() returns the stack of B<X509> certificates the user
 passes in via parameter B<certs>.
 =head1 SEE ALSO
 L<OSSL_ESS_check_signing_certs(3)>
 =head1 HISTORY
 The spelling of TS_VERIFY_CTX_set_certs() was corrected in OpenSSL 3.0.0.
--- a/include/crypto/ess.h
+++ b/include/crypto/ess.h
@ -11,27 +11,16 @@
 # define OSSL_CRYPTO_ESS_H
 # pragma once
-/* internal ESS related stuff */
+/* internal ESS related functions used for TS */
 /* TODO move these four decls to a new include/crypto/ts.h */
 ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si);
 int ossl_ess_signing_cert_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc);
 ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
                                                 STACK_OF(X509) *certs,
                                                 int issuer_needed);
 ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO *si);
 int ossl_ess_signing_cert_v2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc);
-ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
+/* internal ESS stuff */
                                                       X509 *signcert,
                                                       STACK_OF(X509) *certs,
                                                       int issuer_needed);
 int ossl_ess_check_signing_certs(const ESS_SIGNING_CERT *ss,
                                 const ESS_SIGNING_CERT_V2 *ssv2,
                                 const STACK_OF(X509) *chain,
                                 int require_signing_cert);
 /*-
 * IssuerSerial ::= SEQUENCE {
--- a/include/openssl/ess.h.in
+++ b/include/openssl/ess.h.in
@ -44,7 +44,6 @@ typedef struct ESS_cert_id_v2_st ESS_CERT_ID_V2;
    generate_stack_macros("ESS_CERT_ID_V2");
 -}
 DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_ISSUER_SERIAL)
 DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_ISSUER_SERIAL, ESS_ISSUER_SERIAL)
 DECLARE_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL)
@ -65,6 +64,19 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_SIGNING_CERT_V2)
 DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_SIGNING_CERT_V2, ESS_SIGNING_CERT_V2)
 DECLARE_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
 ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
                                                 const STACK_OF(X509) *certs,
                                                 int set_issuer_serial);
 ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
                                                       const X509 *signcert,
                                                       const
                                                       STACK_OF(X509) *certs,
                                                       int set_issuer_serial);
 int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
                                 const ESS_SIGNING_CERT_V2 *ssv2,
                                 const STACK_OF(X509) *chain,
                                 int require_signing_cert);
 # ifdef  __cplusplus
 }
 # endif
--- a/include/openssl/esserr.h
+++ b/include/openssl/esserr.h
@ -16,8 +16,6 @@
 # include <openssl/symhacks.h>
 # include <openssl/cryptoerr_legacy.h>
 /*
 * ESS reason codes.
 */
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@ -455,7 +455,7 @@ my @smime_cms_cades_ko_tests = (
      [ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
        "-certfile", catfile($smdir, "smroot.pem"),
        "-signer", catfile($smdir, "smrsa1.pem"), "-out", "{output}.cms" ],
-      "fail to verify token because requiring CAdES-BES compatibility",
+      "fail to verify token since requiring CAdES-BES compatibility",
      [ @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
        "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
      \&final_compare
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@ -5315,6 +5315,9 @@ RAND_set_DRBG_type                      ?	3_0_0	EXIST::FUNCTION:
 RAND_set_seed_source_type               ?	3_0_0	EXIST::FUNCTION:
 BN_mod_exp_mont_consttime_x2            ?	3_0_0	EXIST::FUNCTION:
 BIO_f_readbuffer                        ?	3_0_0	EXIST::FUNCTION:
 OSSL_ESS_check_signing_certs            ?	3_0_0	EXIST::FUNCTION:
 OSSL_ESS_signing_cert_new_init          ?	3_0_0	EXIST::FUNCTION:
 OSSL_ESS_signing_cert_v2_new_init       ?	3_0_0	EXIST::FUNCTION:
 EVP_DigestInit_ex2                      ?	3_0_0	EXIST::FUNCTION:
 EVP_EncryptInit_ex2                     ?	3_0_0	EXIST::FUNCTION:
 EVP_DecryptInit_ex2                     ?	3_0_0	EXIST::FUNCTION: