-</code></pre></div><h2 id=description>DESCRIPTION<a class=headerlink href=#description title="Permanent link">¶</a></h2><p>This is the API for validating the protection of CMP messages, which includes validating CMP message sender certificates and their paths while optionally checking the revocation status of the certificates(s).</p><p>OSSL_CMP_validate_msg() validates the protection of the given <em>msg</em>, which must be signature-based or using password-based MAC (PBM). In the former case a suitable trust anchor must be given in the CMP context <em>ctx</em>, and in the latter case the matching secret must have been set there using <a href=../OSSL_CMP_CTX_new/ >OSSL_CMP_CTX_set1_secretValue(3)</a>.</p><p>In case of signature algorithm, the certificate to use for the signature check is preferably the one provided by a call to <a href=../OSSL_CMP_CTX_new/ >OSSL_CMP_CTX_set1_srvCert(3)</a>. If no such sender cert has been pinned then candidate sender certificates are taken from the list of certificates received in the <em>msg</em> extraCerts, then any certificates provided before via <a href=../OSSL_CMP_CTX_new/ >OSSL_CMP_CTX_set1_untrusted(3)</a>, and then all trusted certificates provided via <a href=../OSSL_CMP_CTX_new/ >OSSL_CMP_CTX_set0_trusted(3)</a>. A candidate certificate is acceptable only if it is currently valid (or the trust store contains a verification callback that overrides the verdict that the certificate is expired or not yet valid), its subject DN matches the <em>msg</em> sender DN (as far as present), and its subject key identifier is present and matches the senderKID (as far as the latter is present). Each acceptable cert is tried in the given order to see if the message signature check succeeds and the cert and its path can be verified using any trust store set via <a href=../OSSL_CMP_CTX_new/ >OSSL_CMP_CTX_set0_trusted(3)</a>.</p><p>If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling <a href=../OSSL_CMP_CTX_new/ >OSSL_CMP_CTX_set_option(3)</a>, for an Initialization Response (IP) message any self-issued certificate from the <em>msg</em> extraCerts field may be used as a trust anchor for the path verification of an 'acceptable' cert if it can be used also to validate the issued certificate returned in the IP message. This is according to TS 33.310 [Network Domain Security (NDS); Authentication Framework (AF)] document specified by the The 3rd Generation Partnership Project (3GPP). Note that using this option is dangerous as the certificate obtained this way has not been authenticated (at least not at CMP level). Taking it over as a trust anchor implements trust-on-first-use (TOFU).</p><p>Any cert that has been found as described above is cached and tried first when validating the signatures of subsequent messages in the same transaction.</p><p>OSSL_CMP_validate_cert_path() attempts to validate the given certificate and its path using the given store of trusted certs (possibly including CRLs and a cert verification callback) and non-trusted intermediate certs from the <em>ctx</em>.</p><h2 id=notes>NOTES<a class=headerlink href=#notes title="Permanent link">¶</a></h2><p>CMP is defined in RFC 4210 (and CRMF in RFC 4211).</p><h2 id=return-values>RETURN VALUES<a class=headerlink href=#return-values title="Permanent link">¶</a></h2><p>OSSL_CMP_validate_msg() and OSSL_CMP_validate_cert_path() return 1 on success, 0 on error or validation failed.</p><h2 id=see-also>SEE ALSO<a class=headerlink href=#see-also title="Permanent link">¶</a></h2><p><a href=../OSSL_CMP_CTX_new/ >OSSL_CMP_CTX_new(3)</a>, <a href=../OSSL_CMP_exec_certreq/ >OSSL_CMP_exec_certreq(3)</a>, <a href=../OSSL_CMP_CTX_new/ >OSSL_CMP_CTX_set1_secretValue(3)</a>, <a href=../OSSL_CMP_CTX_new/ >OSSL_CMP_CTX_set1_srvCert(3)</a>, <a href=../OSSL_CMP_CTX_new/ >OSSL_CMP_CTX_set1_untrusted(3)</a>, <a href=../OSSL_CMP_CTX_new/ >OSSL_CMP_CTX_set0_trusted(3)</a></p><h2 id=history>HISTORY<a class=headerlink href=#history title="Permanent link">¶</a></h2><p>The OpenSSL CMP support was added in OpenSSL 3.0.</p><h2 id=copyright>COPYRIGHT<a class=headerlink href=#copyright title="Permanent link">¶</a></h2><p>Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.</p><p>Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href=https://www.openssl.org/source/license.html>https://www.openssl.org/source/license.html</a>.</p></article></div><script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script></div></main><footer class=md-footer><div class="md-footer-meta md-typeset"><div class="md-footer-meta__inner md-grid"><div class=md-copyright> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a></div></div></div></footer></div><div class=md-dialog data-md-component=dialog><div class="md-dialog__inner md-typeset"></div></div><script id=__config type=application/json>{"base": "../..", "features": ["navigation.indexes", "navigation.instant", "navigation.path", "navigation.prune", "navigation.tabs", "navigation.tabs.sticky", "navigation.tracking", "search.suggest", "toc.follow"], "search": "../../assets/javascripts/workers/search.b8dbb3d2.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"default": "master", "provider": "mike"}}</script><script src=../../assets/javascripts/bundle.ad660dcc.min.js></script></body></html>
0 commit comments