xref: /freebsd/crypto/openssl/doc/man3/OSSL_CMP_validate_msg.pod (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1=pod
2
3=head1 NAME
4
5OSSL_CMP_validate_msg,
6OSSL_CMP_validate_cert_path
7- functions for verifying CMP message protection
8
9=head1 SYNOPSIS
10
11 #include <openssl/cmp.h>
12 int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
13 int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
14                                 X509_STORE *trusted_store, X509 *cert);
15
16=head1 DESCRIPTION
17
18This is the API for validating the protection of CMP messages,
19which includes validating CMP message sender certificates and their paths
20while optionally checking the revocation status of the certificates(s).
21
22OSSL_CMP_validate_msg() validates the protection of the given I<msg>,
23which must be signature-based or using password-based MAC (PBM).
24In the former case a suitable trust anchor must be given in the CMP context
25I<ctx>, and in the latter case the matching secret must have been set there
26using L<OSSL_CMP_CTX_set1_secretValue(3)>.
27
28In case of signature algorithm, the certificate to use for the signature check
29is preferably the one provided by a call to L<OSSL_CMP_CTX_set1_srvCert(3)>.
30If no such sender cert has been pinned then candidate sender certificates are
31taken from the list of certificates received in the I<msg> extraCerts, then any
32certificates provided before via L<OSSL_CMP_CTX_set1_untrusted(3)>, and
33then all trusted certificates provided via L<OSSL_CMP_CTX_set0_trustedStore(3)>,
34where a candidate is acceptable only if has not expired, its subject DN matches
35the I<msg> sender DN (as far as present), and its subject key identifier
36is present and matches the senderKID (as far as the latter present).
37Each acceptable cert is tried in the given order to see if the message
38signature check succeeds and the cert and its path can be verified
39using any trust store set via L<OSSL_CMP_CTX_set0_trustedStore(3)>.
40
41If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling
42L<OSSL_CMP_CTX_set_option(3)>, for an Initialization Response (IP) message
43any self-issued certificate from the I<msg> extraCerts field may also be used
44as trust anchor for the path verification of an acceptable cert if it can be
45used also to validate the issued certificate returned in the IP message. This is
46according to TS 33.310 [Network Domain Security (NDS); Authentication Framework
47(AF)] document specified by the The 3rd Generation Partnership Project (3GPP).
48
49Any cert that has been found as described above is cached and tried first when
50validating the signatures of subsequent messages in the same transaction.
51
52OSSL_CMP_validate_cert_path() attempts to validate the given certificate and its
53path using the given store of trusted certs (possibly including CRLs and a cert
54verification callback) and non-trusted intermediate certs from the I<ctx>.
55
56=head1 NOTES
57
58CMP is defined in RFC 4210 (and CRMF in RFC 4211).
59
60=head1 RETURN VALUES
61
62OSSL_CMP_validate_msg() and OSSL_CMP_validate_cert_path()
63return 1 on success, 0 on error or validation failed.
64
65=head1 SEE ALSO
66
67L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_certreq(3)>,
68L<OSSL_CMP_CTX_set1_secretValue(3)>, L<OSSL_CMP_CTX_set1_srvCert(3)>,
69L<OSSL_CMP_CTX_set1_untrusted(3)>, L<OSSL_CMP_CTX_set0_trustedStore(3)>
70
71=head1 HISTORY
72
73The OpenSSL CMP support was added in OpenSSL 3.0.
74
75=head1 COPYRIGHT
76
77Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
78
79Licensed under the Apache License 2.0 (the "License").  You may not use
80this file except in compliance with the License.  You can obtain a copy
81in the file LICENSE in the source distribution or at
82L<https://www.openssl.org/source/license.html>.
83
84=cut
85