Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
OSSL_CMP_VALIDATE_MSG(3ossl)	    OpenSSL	  OSSL_CMP_VALIDATE_MSG(3ossl)

NAME
       OSSL_CMP_validate_msg, OSSL_CMP_validate_cert_path - functions for
       verifying CMP message protection

SYNOPSIS
	#include <openssl/cmp.h>
	int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
	int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
					X509_STORE *trusted_store, X509	*cert);

DESCRIPTION
       This is the API for validating the protection of	CMP messages, which
       includes	validating CMP message sender certificates and their paths
       while optionally	checking the revocation	status of the certificates(s).

       OSSL_CMP_validate_msg() validates the protection	of the given msg using
       either password-based mac (PBM) or a signature algorithm.

       In case of signature algorithm, the certificate to use for the
       signature check is preferably the one provided by a call	to
       OSSL_CMP_CTX_set1_srvCert(3).  If no such sender	cert has been pinned
       then candidate sender certificates are taken from the list of
       certificates received in	the msg	extraCerts, then any certificates
       provided	before via OSSL_CMP_CTX_set1_untrusted(3), and then all
       trusted certificates provided via OSSL_CMP_CTX_set0_trustedStore(3),
       where a candidate is acceptable only if has not expired,	its subject DN
       matches the msg sender DN (as far as present), and its subject key
       identifier is present and matches the senderKID (as far as the latter
       present).  Each acceptable cert is tried	in the given order to see if
       the message signature check succeeds and	the cert and its path can be
       verified	using any trust	store set via
       OSSL_CMP_CTX_set0_trustedStore(3).

       If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by
       calling OSSL_CMP_CTX_set_option(3), for an Initialization Response (IP)
       message any self-issued certificate from	the msg	extraCerts field may
       also be used as trust anchor for	the path verification of an acceptable
       cert if it can be used also to validate the issued certificate returned
       in the IP message. This is according to TS 33.310 [Network Domain
       Security	(NDS); Authentication Framework	(AF)] document specified by
       the The 3rd Generation Partnership Project (3GPP).

       Any cert	that has been found as described above is cached and tried
       first when validating the signatures of subsequent messages in the same
       transaction.

       OSSL_CMP_validate_cert_path() attempts to validate the given
       certificate and its path	using the given	store of trusted certs
       (possibly including CRLs	and a cert verification	callback) and non-
       trusted intermediate certs from the ctx.

NOTES
       CMP is defined in RFC 4210 (and CRMF in RFC 4211).

RETURN VALUES
       OSSL_CMP_validate_msg() and OSSL_CMP_validate_cert_path() return	1 on
       success,	0 on error or validation failed.

SEE ALSO
       OSSL_CMP_CTX_new(3), OSSL_CMP_exec_certreq(3)

HISTORY
       The OpenSSL CMP support was added in OpenSSL 3.0.

COPYRIGHT
       Copyright 2007-2021 The OpenSSL Project Authors.	All Rights Reserved.

       Licensed	under the Apache License 2.0 (the "License").  You may not use
       this file except	in compliance with the License.	 You can obtain	a copy
       in the file LICENSE in the source distribution or at
       <https://www.openssl.org/source/license.html>.

3.0.0-beta1+quic		  2021-06-19	  OSSL_CMP_VALIDATE_MSG(3ossl)

NAME | SYNOPSIS | DESCRIPTION | NOTES | RETURN VALUES | SEE ALSO | HISTORY | COPYRIGHT

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=OSSL_CMP_validate_msg&sektion=3ossl&manpath=FreeBSD+13.0-RELEASE+and+Ports>

home | help