diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index bf153e579eec60..b9da5dfd2a1f58 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -26,6 +26,8 @@ Certificate enrollment options: [B<-newkey> I|I] [B<-newkeypass> I] +[B<-centralkeygen> +[B<-newkeyout> I] [B<-subject> I] [B<-days> I] [B<-reqexts> I] @@ -140,6 +142,8 @@ Mock server options: [B<-srv_untrusted> I|I] [B<-ref_cert> I|I] [B<-rsp_cert> I|I] +[B<-rsp_cert_key> I|I] +[B<-rsp_keypass> I|I] [B<-rsp_crl> I|I] [B<-rsp_extracerts> I|I] [B<-rsp_capubs> I|I] @@ -308,6 +312,15 @@ If not given here, the password will be prompted for if needed. For more information about the format of I see L. +=item B<-centralkeygen> + +Request central key generation for certificate enrollment. +This applies to B<-cmd> I. + +=item B<-newkeyout> I + +File to save private key generated by central key generation. + =item B<-subject> I X.509 Distinguished Name (DN) to use as subject field @@ -918,7 +931,7 @@ See L for details. Pass phrase source for certificate given with the B<-trusted>, B<-untrusted>, B<-own_trusted>, B<-srvcert>, B<-crlcert>, B<-out_trusted>, B<-extracerts>, -B<-srv_trusted>, B<-srv_untrusted>, B<-ref_cert>, B<-rsp_cert>, +B<-srv_trusted>, B<-srv_untrusted>, B<-ref_cert>, B<-rsp_extracerts>, B<-rsp_capubs>, B<-rsp_newwithnew>, B<-rsp_newwithold>, B<-rsp_oldwithnew>, B<-tls_extra>, and B<-tls_trusted> options. @@ -1192,6 +1205,14 @@ Certificate to be expected for RR messages and any oldCertID in KUR messages. Certificate to be returned as mock enrollment result. +=item B<-rsp_cert_key> I|I + +Private key to be returned as central key generation result. + +=item B<-rsp_keypass> I + +Pass phrase source for B and B. + =item B<-rsp_crl> I|I CRL to be returned in genp of type C. diff --git a/doc/man3/CMS_EnvelopedData_create.pod b/doc/man3/CMS_EnvelopedData_create.pod index 9dfd0ad77d8c07..a5a24ff1fd186d 100644 --- a/doc/man3/CMS_EnvelopedData_create.pod +++ b/doc/man3/CMS_EnvelopedData_create.pod @@ -3,7 +3,8 @@ =head1 NAME CMS_EnvelopedData_create_ex, CMS_EnvelopedData_create, -CMS_AuthEnvelopedData_create, CMS_AuthEnvelopedData_create_ex +CMS_AuthEnvelopedData_create, CMS_AuthEnvelopedData_create_ex, +CMS_env_sign_data - Create CMS envelope =head1 SYNOPSIS @@ -19,6 +20,9 @@ CMS_AuthEnvelopedData_create, CMS_AuthEnvelopedData_create_ex CMS_AuthEnvelopedData_create_ex(const EVP_CIPHER *cipher, OSSL_LIB_CTX *libctx, const char *propq); CMS_ContentInfo *CMS_AuthEnvelopedData_create(const EVP_CIPHER *cipher); + CMS_EnvelopedData *CMS_env_sign_data(BIO *data, X509 *signcert, EVP_PKEY *signkey, + STACK_OF(X509) *encryption_recip, + OSSL_LIB_CTX *libctx, const char *propq); =head1 DESCRIPTION @@ -47,6 +51,12 @@ CMS_EnvelopedData_create_ex() and CMS_AuthEnvelopedData_create_ex() but use default values of NULL for the library context I and the property query I. +CMS_env_sign_data() creates a B structure for recipients in +I. I is signed using I and I to +create B and then encrypted using I to +create B. The library context I and the property +query I are used when retrieving algorithms from providers. + =head1 NOTES Although CMS_EnvelopedData_create_ex(), and CMS_EnvelopedData_create(), diff --git a/doc/man3/OSSL_CMP_SRV_CTX_new.pod b/doc/man3/OSSL_CMP_SRV_CTX_new.pod index 7222a898e8e7b6..b0a7bd0a570b75 100644 --- a/doc/man3/OSSL_CMP_SRV_CTX_new.pod +++ b/doc/man3/OSSL_CMP_SRV_CTX_new.pod @@ -21,7 +21,8 @@ OSSL_CMP_SRV_CTX_get0_custom_ctx, OSSL_CMP_SRV_CTX_set_send_unprotected_errors, OSSL_CMP_SRV_CTX_set_accept_unprotected, OSSL_CMP_SRV_CTX_set_accept_raverified, -OSSL_CMP_SRV_CTX_set_grant_implicit_confirm +OSSL_CMP_SRV_CTX_set_grant_implicit_confirm, +OSSL_CMP_SRV_CTX_centralKeygen_req - generic functions to set up and control a CMP server =head1 SYNOPSIS @@ -91,6 +92,8 @@ OSSL_CMP_SRV_CTX_set_grant_implicit_confirm int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val); int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx, int val); + int OSSL_CMP_SRV_CTX_centralKeygen_req(const OSSL_CRMF_MSG *crm, + X509_REQ *p10cr); =head1 DESCRIPTION @@ -155,6 +158,11 @@ messages with POPO 'RAVerified'. OSSL_CMP_SRV_CTX_set_grant_implicit_confirm() enables granting implicit confirmation of newly enrolled certificates if requested. +OSSL_CMP_SRV_CTX_centralKeygen_req() returns I if central key generaion +is requested i.e, public key in certificate request (I or I) is NULL +or have zero length. + + =head1 NOTES CMP is defined in RFC 4210 (and CRMF in RFC 4211). diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod index 9d57719a485ab1..db2bd0ec47a6cb 100644 --- a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod +++ b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod @@ -10,6 +10,10 @@ OSSL_CRMF_CERTTEMPLATE_get0_serialNumber, OSSL_CRMF_CERTTEMPLATE_get0_extensions, OSSL_CRMF_CERTID_get0_serialNumber, OSSL_CRMF_CERTID_get0_issuer, +OSSL_CRMF_ENCRYPTEDKEY_get1_encCert, +OSSL_CRMF_ENCRYPTEDKEY_get1_pkey, +OSSL_CRMF_ENCRYPTEDKEY_init_envdata, +OSSL_CRMF_ENCRYPTEDVALUE_decrypt, OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert, OSSL_CRMF_MSG_get_certReqId - functions reading from CRMF CertReqMsg structures @@ -34,6 +38,23 @@ OSSL_CRMF_MSG_get_certReqId *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid); const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid); + X509 + *OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(const OSSL_CRMF_ENCRYPTEDKEY *ecert, + OSSL_LIB_CTX *libctx, const char *propq, + EVP_PKEY *pkey, unsigned int flags); + EVP_PKEY + *OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(OSSL_CRMF_ENCRYPTEDKEY *encryptedKey, + X509_STORE *ts, STACK_OF(X509) *extra, + EVP_PKEY *pkey, X509 *cert, + ASN1_OCTET_STRING *secret, + OSSL_LIB_CTX *libctx, const char *propq); + OSSL_CRMF_ENCRYPTEDKEY + *OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata); + + unsigned char + *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE *enc, + EVP_PKEY *pkey, int *outlen, + OSSL_LIB_CTX *libctx, const char *propq); X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert, OSSL_LIB_CTX *libctx, const char *propq, @@ -66,6 +87,27 @@ of the given CertId I. OSSL_CRMF_CERTID_get0_issuer retrieves the issuer name of the given CertId I, which must be of ASN.1 type GEN_DIRNAME. +OSSL_CRMF_ENCRYPTEDKEY_get1_encCert() decrypts the certificate in the given +encryptedKey I, using the private key I, library context +I and property query string I (see L). +This is needed for the indirect POPO method as in RFC 4210 section 5.2.8.2. +The function returns the decrypted certificate as a copy, leaving its ownership +with the caller, who is responsible for freeing it. + +OSSL_CRMF_ENCRYPTEDKEY_get1_pkey() decrypts the private key in the given +encryptedKey I, using the I or private key I +and certificate I. +It verifies the signed data using the trusted certificates in I and untrusted +certificates in I,if envelopedata is present. +library context I and property query string I (see L). + +OSSL_CRMF_ENCRYPTEDKEY_init_envdata() returns I, intialized with +the enveloped data I. + +OSSL_CRMF_ENCRYPTEDVALUE_decrypt() decrypts the encrypted value in the given +encryptedValue I, using the private key I, library context +I and property query string I (see L). + OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert() decrypts the certificate in the given encryptedValue I, using the private key I, library context I and property query string I (see L). @@ -92,6 +134,10 @@ The OpenSSL CRMF support was added in OpenSSL 3.0. OSSL_CRMF_CERTTEMPLATE_get0_publicKey() was added in OpenSSL 3.2. +OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(), OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(), +OSSL_CRMF_ENCRYPTEDKEY_init_envdata() and OSSL_CRMF_ENCRYPTEDVALUE_decrypt() +were added in OpenSSL 3.4. + =head1 COPYRIGHT Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod index 81ea2275d74142..16481e0323d165 100644 --- a/doc/man3/X509_dup.pod +++ b/doc/man3/X509_dup.pod @@ -32,6 +32,7 @@ CMS_ContentInfo_new, CMS_ContentInfo_new_ex, CMS_ContentInfo_print_ctx, CMS_EnvelopedData_it, +CMS_EnvelopedData_dup, CMS_ReceiptRequest_free, CMS_ReceiptRequest_new, CMS_SignedData_free, @@ -169,6 +170,9 @@ OSSL_CRMF_CERTTEMPLATE_new, OSSL_CRMF_CERTTEMPLATE_dup, OSSL_CRMF_ATTRIBUTETYPEANDVALUE_dup, OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free, +OSSL_CRMF_ENCRYPTEDKEY_free, +OSSL_CRMF_ENCRYPTEDKEY_it, +OSSL_CRMF_ENCRYPTEDKEY_new, OSSL_CRMF_ENCRYPTEDVALUE_free, OSSL_CRMF_ENCRYPTEDVALUE_it, OSSL_CRMF_ENCRYPTEDVALUE_new, @@ -448,6 +452,9 @@ CMS_ContentInfo_new_ex() were added in OpenSSL 3.0. The functions DSAparams_dup(), RSAPrivateKey_dup() and RSAPublicKey_dup() were deprecated in 3.0. +The function CMS_EnvelopedData_dup(), OSSL_CRMF_ENCRYPTEDKEY_free(), +OSSL_CRMF_ENCRYPTEDKEY_it() and OSSL_CRMF_ENCRYPTEDKEY_new() were added in OpenSSL 3.4. + =head1 COPYRIGHT Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod index 3615bcaafe7c03..6955bfe210aeaf 100644 --- a/doc/man3/d2i_X509.pod +++ b/doc/man3/d2i_X509.pod @@ -97,6 +97,7 @@ d2i_OSSL_CMP_PKIHEADER, d2i_OSSL_CMP_PKISI, d2i_OSSL_CRMF_CERTID, d2i_OSSL_CRMF_CERTTEMPLATE, +d2i_OSSL_CRMF_ENCRYPTEDKEY, d2i_OSSL_CRMF_ENCRYPTEDVALUE, d2i_OSSL_CRMF_MSG, d2i_OSSL_CRMF_MSGS, @@ -283,6 +284,7 @@ i2d_OSSL_CMP_PKIHEADER, i2d_OSSL_CMP_PKISI, i2d_OSSL_CRMF_CERTID, i2d_OSSL_CRMF_CERTTEMPLATE, +i2d_OSSL_CRMF_ENCRYPTEDKEY, i2d_OSSL_CRMF_ENCRYPTEDVALUE, i2d_OSSL_CRMF_MSG, i2d_OSSL_CRMF_MSGS,