TeaSpeak/openssl-prebuild
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
openssl-prebuild/linux_amd64/share/man/man3/OSSL_CMP_validate_msg.3

208 lines
7.7 KiB
Groff
Raw Normal View History

Initial upload
2020-03-02 16:50:34 +00:00
.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CMP_VALIDATE_MSG 3"
.TH OSSL_CMP_VALIDATE_MSG 3 "2020-03-02" "3.0.0-dev" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OSSL_CMP_validate_msg,
OSSL_CMP_validate_cert_path
\&\- functions for verifying CMP message protection
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 4
\& #include <openssl/cmp.h>
\& int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
\& int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
\& X509_STORE *trusted_store, X509 *cert);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This is the \s-1API\s0 for validating the protection of \s-1CMP\s0 messages,
which includes validating \s-1CMP\s0 message sender certificates and their paths
while optionally checking the revocation status of the certificates(s).
.PP
\&\fIOSSL_CMP_validate_msg()\fR validates the protection of the given \f(CW\*(C`msg\*(C'\fR
using either password-based mac (\s-1PBM\s0) or a signature algorithm.
.PP
In case of signature algorithm, the certificate to use for the signature check
is preferably the one provided by a call to \fIOSSL_CMP_CTX_set1_srvCert\fR\|(3).
If no such sender cert has been pinned then candidate sender certificates are
taken from the list of certificates received in the \f(CW\*(C`msg\*(C'\fR extraCerts, then any
certificates provided before via \fIOSSL_CMP_CTX_set1_untrusted_certs\fR\|(3), and
then all trusted certificates provided via \fIOSSL_CMP_CTX_set0_trustedStore\fR\|(3),
where a candidate is acceptable only if has not expired, its subject \s-1DN\s0 matches
the \f(CW\*(C`msg\*(C'\fR sender \s-1DN\s0 (as far as present), and its subject key identifier
is present and matches the senderKID (as far as the latter present).
Each acceptable cert is tried in the given order to see if the message
signature check succeeds and the cert and its path can be verified
using any trust store set via \fIOSSL_CMP_CTX_set0_trustedStore\fR\|(3).
.PP
If the option \s-1OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR\s0 was set by calling
\&\fIOSSL_CMP_CTX_set_option\fR\|(3), for an Initialization Response (\s-1IP\s0) message
any self-issued certificate from the \f(CW\*(C`msg\*(C'\fR extraCerts field may also be used
as trust anchor for the path verification of an acceptable cert if it can be
used also to validate the issued certificate returned in the \s-1IP\s0 message. This is
according to \s-1TS\s0 33.310 [Network Domain Security (\s-1NDS\s0); Authentication Framework
(\s-1AF\s0)] document specified by the The 3rd Generation Partnership Project (3GPP).
.PP
Any cert that has been found as described above is cached and tried first when
validating the signatures of subsequent messages in the same transaction.
.PP
After successful validation of PBM-based protection of a certificate response
the certificates in the caPubs field (if any) are added to the trusted
certificates provided via \fIOSSL_CMP_CTX_set0_trustedStore\fR\|(3), such that
they are available for validating subsequent messages in the same context.
Those could apply to any Polling Response (pollRep), error, or \s-1PKI\s0 Confirmation
(PKIConf) messages following in the same or future transactions.
.PP
\&\fIOSSL_CMP_validate_cert_path()\fR attempts to validate the given certificate and its
path using the given store of trusted certs (possibly including CRLs and a cert
verification callback) and non-trusted intermediate certs from the \fBctx\fR.
.SH "NOTES"
.IX Header "NOTES"
\&\s-1CMP\s0 is defined in \s-1RFC\s0 4210 (and \s-1CRMF\s0 in \s-1RFC\s0 4211).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fIOSSL_CMP_validate_msg()\fR and \fIOSSL_CMP_validate_cert_path()\fR
return 1 on success, 0 on error or validation failed.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIOSSL_CMP_CTX_new\fR\|(3), \fIOSSL_CMP_exec_IR_ses\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The OpenSSL \s-1CMP\s0 support was added in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2007\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
Reference in New Issue Copy Permalink