From 8fe017ecb01c24f9f5b0f243fac8f39a156712af Mon Sep 17 00:00:00 2001 From: Rajeev Ranjan Date: Fri, 4 Oct 2024 11:36:14 +0200 Subject: [PATCH] fixup! fixup! fixup! CMP: add documentation --- apps/lib/cmp_mock_srv.c | 2 +- crypto/cmp/cmp_server.c | 25 +++++++++++++------ crypto/crmf/crmf_lib.c | 7 ++++++ doc/man1/openssl-cmp.pod.in | 2 +- doc/man3/CMS_EnvelopedData_create.pod | 4 +-- doc/man3/OSSL_CMP_SRV_CTX_new.pod | 16 ++---------- doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod | 23 +++++++++++++---- doc/man3/OSSL_CRMF_MSG_set0_validity.pod | 12 +++++++-- include/internal/cms.h | 1 - include/openssl/cmp.h.in | 2 -- include/openssl/crmf.h.in | 3 +++ .../80-test_cmp_http_data/test_commands.csv | 6 ++--- util/libcrypto.num | 5 ++-- 13 files changed, 67 insertions(+), 41 deletions(-) diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c index fd65d81525a127..904fc30553d5c4 100644 --- a/apps/lib/cmp_mock_srv.c +++ b/apps/lib/cmp_mock_srv.c @@ -375,7 +375,7 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, && (*certOut = X509_dup(ctx->certOut)) == NULL) /* Should return a cert produced from request template, see FR #16054 */ goto err; - if (OSSL_CMP_SRV_CTX_centralKeygen_req(crm, p10cr) + if (OSSL_CRMF_MSG_centralKeygen_requested(crm, p10cr) && (ctx->keyOut == NULL || (keyOut = EVP_PKEY_dup(ctx->keyOut)) == NULL || !OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx), diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c index 116aed606f6b61..dcd26fe0f946f2 100644 --- a/crypto/cmp/cmp_server.c +++ b/crypto/cmp/cmp_server.c @@ -165,8 +165,8 @@ int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx, return 1; } -int OSSL_CMP_SRV_CTX_centralKeygen_req(const OSSL_CRMF_MSG *crm, - const X509_REQ *p10cr) +int OSSL_CRMF_MSG_centralKeygen_requested(const OSSL_CRMF_MSG *crm, + const X509_REQ *p10cr) { X509_PUBKEY *pubkey = NULL; const unsigned char *pk = NULL; @@ -174,7 +174,7 @@ int OSSL_CMP_SRV_CTX_centralKeygen_req(const OSSL_CRMF_MSG *crm, if (crm == NULL && p10cr == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); - return 0; + return -1; } if (crm != NULL) @@ -187,7 +187,13 @@ int OSSL_CMP_SRV_CTX_centralKeygen_req(const OSSL_CRMF_MSG *crm, && pklen == 0)) ret = 1; - pk = NULL; + /* + * In case of CRMF, POPO MUST be absent if central key generation + * is requested, otherwise MUST be present + */ + if (crm != NULL && ret != OSSL_CRMF_MSG_popo_present(crm)) + return -2; + return ret; } @@ -247,7 +253,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CRMF_MSG *crm = NULL; const X509_REQ *p10cr = NULL; int bodytype; - int certReqId; + int certReqId, central_keygen; if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) return NULL; @@ -290,8 +296,11 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, } srv_ctx->certReqId = certReqId; - if (!(OSSL_CMP_SRV_CTX_centralKeygen_req(crm, p10cr) - || ossl_cmp_verify_popo(srv_ctx->ctx, req, srv_ctx->acceptRAVerified))) { + central_keygen = OSSL_CRMF_MSG_centralKeygen_requested(crm, p10cr); + if (central_keygen < 0) + return NULL; + if (central_keygen == 0 + && !ossl_cmp_verify_popo(srv_ctx->ctx, req, srv_ctx->acceptRAVerified)) { /* Proof of possession could not be verified */ si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, 1 << OSSL_CMP_PKIFAILUREINFO_badPOP, @@ -315,7 +324,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, /* do not set if polling starts: */ && certOut != NULL)) goto err; - if (OSSL_CMP_SRV_CTX_centralKeygen_req(crm, p10cr) + if (central_keygen == 1 && srv_ctx->ctx->newPkey_priv && srv_ctx->ctx->newPkey != NULL) keyOut = srv_ctx->ctx->newPkey; } diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c index 3a8deb3b6e5f17..4dabc413aef54d 100644 --- a/crypto/crmf/crmf_lib.c +++ b/crypto/crmf/crmf_lib.c @@ -544,6 +544,13 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs, return 1; } +int OSSL_CRMF_MSG_popo_present(const OSSL_CRMF_MSG *crm) +{ + if (crm != NULL) + return -1; + return crm->popo != NULL; +} + X509_PUBKEY *OSSL_CRMF_CERTTEMPLATE_get0_publicKey(const OSSL_CRMF_CERTTEMPLATE *tmpl) { diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index fd07f8e7364cc2..5fd0cb6915f788 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -1522,7 +1522,7 @@ The B<-profile> option was added in OpenSSL 3.3. B<-crlcert>, B<-oldcrl>, B<-crlout>, B<-crlform> and B<-rsp_crl> options were added in OpenSSL 3.4. -B<-centralkeygen>, b<-newkeyout>. B<-rsp_key> and +B<-centralkeygen>, b<-newkeyout>, B<-rsp_key> and B<-rsp_keypass> were added in OpenSSL 3.5. =head1 COPYRIGHT diff --git a/doc/man3/CMS_EnvelopedData_create.pod b/doc/man3/CMS_EnvelopedData_create.pod index f7ed9dde8cc4e8..f4101d4eccef82 100644 --- a/doc/man3/CMS_EnvelopedData_create.pod +++ b/doc/man3/CMS_EnvelopedData_create.pod @@ -57,8 +57,8 @@ The wrappers L and L are often used instead. =head1 RETURN VALUES If the allocation fails, CMS_EnvelopedData_create_ex(), -CMS_EnvelopedData_create(), CMS_AuthEnvelopedData_create_ex() -CMS_AuthEnvelopedData_create(), CMS_AuthEnvelopedData_create() +CMS_EnvelopedData_create(), CMS_AuthEnvelopedData_create_ex(), +CMS_AuthEnvelopedData_create(), CMS_AuthEnvelopedData_create(), and CMS_AuthEnvelopedData_create_ex() return NULL and set an error code that can be obtained by L. Otherwise, they return a pointer to the newly allocated structure. diff --git a/doc/man3/OSSL_CMP_SRV_CTX_new.pod b/doc/man3/OSSL_CMP_SRV_CTX_new.pod index 4ec198f2f9fdf1..75d37f84307dab 100644 --- a/doc/man3/OSSL_CMP_SRV_CTX_new.pod +++ b/doc/man3/OSSL_CMP_SRV_CTX_new.pod @@ -21,8 +21,7 @@ OSSL_CMP_SRV_CTX_get0_custom_ctx, OSSL_CMP_SRV_CTX_set_send_unprotected_errors, OSSL_CMP_SRV_CTX_set_accept_unprotected, OSSL_CMP_SRV_CTX_set_accept_raverified, -OSSL_CMP_SRV_CTX_set_grant_implicit_confirm, -OSSL_CMP_SRV_CTX_centralKeygen_req +OSSL_CMP_SRV_CTX_set_grant_implicit_confirm - generic functions to set up and control a CMP server =head1 SYNOPSIS @@ -92,8 +91,6 @@ OSSL_CMP_SRV_CTX_centralKeygen_req int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val); int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx, int val); - int OSSL_CMP_SRV_CTX_centralKeygen_req(const OSSL_CRMF_MSG *crm, - const X509_REQ *p10cr); =head1 DESCRIPTION @@ -158,11 +155,6 @@ messages with POPO 'RAVerified'. OSSL_CMP_SRV_CTX_set_grant_implicit_confirm() enables granting implicit confirmation of newly enrolled certificates if requested. -OSSL_CMP_SRV_CTX_centralKeygen_req() returns 1 if central key generation -is requested i.e., the public key in the certificate request (I if non-NULL, -otherwise I) is NULL or has an empty key value (with length zero). -Otherwise or on error it returns 0. - =head1 NOTES CMP is defined in RFC 4210 (and CRMF in RFC 4211). @@ -183,9 +175,6 @@ NULL on error. OSSL_CMP_SRV_CTX_get0_custom_ctx() returns the custom server context that has been set using OSSL_CMP_SRV_CTX_init(). -OSSL_CMP_SRV_CTX_centralKeygen_req() returns 0 if central key generation -is not requested or in case of error, 1 if it is requested. - All other functions return 1 on success, 0 on error. =head1 HISTORY @@ -196,8 +185,7 @@ OSSL_CMP_SRV_CTX_init_trans() supporting delayed delivery of all types of response messages was added in OpenSSL 3.3. -OSSL_CMP_SRV_CTX_set_grant_implicit_confirm() and OSSL_CMP_SRV_CTX_centralKeygen_req() -were added in OpenSSL 3.5. +OSSL_CMP_SRV_CTX_set_grant_implicit_confirm() was added in OpenSSL 3.5. =head1 COPYRIGHT diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod index aa3839d09dd9f8..0f6837fa48fc71 100644 --- a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod +++ b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod @@ -15,7 +15,8 @@ OSSL_CRMF_ENCRYPTEDKEY_get1_pkey, OSSL_CRMF_ENCRYPTEDKEY_init_envdata, OSSL_CRMF_ENCRYPTEDVALUE_decrypt, OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert, -OSSL_CRMF_MSG_get_certReqId +OSSL_CRMF_MSG_get_certReqId, +OSSL_CRMF_MSG_centralKeygen_requested - functions reading from CRMF CertReqMsg structures =head1 SYNOPSIS @@ -59,6 +60,8 @@ OSSL_CRMF_MSG_get_certReqId OSSL_LIB_CTX *libctx, const char *propq); int OSSL_CRMF_MSG_get_certReqId(const OSSL_CRMF_MSG *crm); + int OSSL_CRMF_MSG_centralKeygen_requested(const OSSL_CRMF_MSG *crm, + const X509_REQ *p10cr); =head1 DESCRIPTION @@ -97,10 +100,10 @@ If `encryptedKey` is not of type B, decryption uses the private key I. The library context I and property query I are taken into account as usual. The rest of this paragraph is relevant only if CMS support not disabled for the OpenSSL build -and `encryptedKey` is of type case B. +and `encryptedKey` is of type case B. Decryption uses the I parameter if not NULL; otherwise uses the private key and the certificate I -related to I, where I is recommended to be given if available. +related to I, where I is recommended to be given if available. On success, the function verifies the decrypted data as signed data, using the trust store I and any untrusted certificates in I. Doing so, it checks for the purpose "CMP Key Generation Authority" (cmKGA). @@ -121,11 +124,21 @@ with the caller, who is responsible for freeing it. OSSL_CRMF_MSG_get_certReqId() retrieves the certReqId of I. +OSSL_CRMF_MSG_centralKeygen_requested() returns 1 if central key generation +is requested i.e., the public key in the certificate request (I is taken if it is non-NULL, +otherwise I) is NULL or has an empty key value (with length zero). +In case I is non-NULL, this is checked for consistency with its B field (must be +NULL if central key generation is requested else must be present). +Otherwise it returns 0, and on error a negative value. + =head1 RETURN VALUES OSSL_CRMF_MSG_get_certReqId() returns the certificate request ID as a nonnegative integer or -1 on error. +OSSL_CRMF_MSG_centralKeygen_requested() returns 1 if central key generation +is requested, 0 if it is not requested, and a negative value on error. + All other functions return a pointer with the intended result or NULL on error. =head1 SEE ALSO @@ -139,8 +152,8 @@ The OpenSSL CRMF support was added in OpenSSL 3.0. OSSL_CRMF_CERTTEMPLATE_get0_publicKey() was added in OpenSSL 3.2. OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(), OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(), -OSSL_CRMF_ENCRYPTEDKEY_init_envdata() and OSSL_CRMF_ENCRYPTEDVALUE_decrypt() -were added in OpenSSL 3.5. +OSSL_CRMF_ENCRYPTEDKEY_init_envdata(), OSSL_CRMF_ENCRYPTEDVALUE_decrypt() +and OSSL_CRMF_MSG_centralKeygen_requested() were added in OpenSSL 3.5. =head1 COPYRIGHT diff --git a/doc/man3/OSSL_CRMF_MSG_set0_validity.pod b/doc/man3/OSSL_CRMF_MSG_set0_validity.pod index 93185a5528d849..8a6422b2256925 100644 --- a/doc/man3/OSSL_CRMF_MSG_set0_validity.pod +++ b/doc/man3/OSSL_CRMF_MSG_set0_validity.pod @@ -8,7 +8,8 @@ OSSL_CRMF_CERTTEMPLATE_fill, OSSL_CRMF_MSG_set0_extensions, OSSL_CRMF_MSG_push0_extension, OSSL_CRMF_MSG_create_popo, -OSSL_CRMF_MSGS_verify_popo +OSSL_CRMF_MSGS_verify_popo, +OSSL_CRMF_MSG_popo_present - functions populating and verifying CRMF CertReqMsg structures =head1 SYNOPSIS @@ -37,6 +38,7 @@ OSSL_CRMF_MSGS_verify_popo int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs, int rid, int acceptRAVerified, OSSL_LIB_CTX *libctx, const char *propq); + int OSSL_CRMF_MSG_popo_present(const OSSL_CRMF_MSG *crm); =head1 DESCRIPTION @@ -96,9 +98,15 @@ OSSL_CRMF_MSGS_verify_popo verifies the Proof-of-Possession of the request with the given I in the list of I. Optionally accepts RAVerified. It can make use of the library context I and property query string I. +OSSL_CRMF_MSG_popo_present returns 1 if the Proof-of-Possession is present in I. +Otherwise it returns 0 and negative value on error. + =head1 RETURN VALUES -All functions return 1 on success, 0 on error. +OSSL_CRMF_MSG_popo_present returns 1 if popo is present, otherwise 0 +and negative value on error. + +All other functions return 1 on success, 0 on error. =head1 SEE ALSO diff --git a/include/internal/cms.h b/include/internal/cms.h index 192abaaa4e945d..59cdae77798bf1 100644 --- a/include/internal/cms.h +++ b/include/internal/cms.h @@ -13,7 +13,6 @@ # include # ifndef OPENSSL_NO_CMS - CMS_EnvelopedData *ossl_cms_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs, EVP_PKEY *sign_key, unsigned int sign_flags, STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher, diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in index 5866dcec6952e5..d659331fa38fa7 100644 --- a/include/openssl/cmp.h.in +++ b/include/openssl/cmp.h.in @@ -542,8 +542,6 @@ int OSSL_CMP_SRV_CTX_set_accept_unprotected(OSSL_CMP_SRV_CTX *srv_ctx, int val); int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val); int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx, int val); -int OSSL_CMP_SRV_CTX_centralKeygen_req(const OSSL_CRMF_MSG *crm, - const X509_REQ *p10cr); /* from cmp_client.c */ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type, diff --git a/include/openssl/crmf.h.in b/include/openssl/crmf.h.in index f47445791b4ba9..e88b422733f854 100644 --- a/include/openssl/crmf.h.in +++ b/include/openssl/crmf.h.in @@ -161,6 +161,7 @@ int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm, int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs, int rid, int acceptRAVerified, OSSL_LIB_CTX *libctx, const char *propq); +int OSSL_CRMF_MSG_popo_present(const OSSL_CRMF_MSG *crm); OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm); X509_PUBKEY *OSSL_CRMF_CERTTEMPLATE_get0_publicKey(const OSSL_CRMF_CERTTEMPLATE *tmpl); @@ -194,6 +195,8 @@ EVP_PKEY *OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(const OSSL_CRMF_ENCRYPTEDKEY *encrypt X509_STORE *ts, STACK_OF(X509) *extra, EVP_PKEY *pkey, X509 *cert, ASN1_OCTET_STRING *secret, OSSL_LIB_CTX *libctx, const char *propq); +int OSSL_CRMF_MSG_centralKeygen_requested(const OSSL_CRMF_MSG *crm, + const X509_REQ *p10cr); # ifndef OPENSSL_NO_CMS OSSL_CRMF_ENCRYPTEDKEY *OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata); # endif diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv index aacb624937edf9..658ee1a485d3c3 100644 --- a/test/recipes/80-test_cmp_http_data/test_commands.csv +++ b/test/recipes/80-test_cmp_http_data/test_commands.csv @@ -137,9 +137,9 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty 0,reqin ir - no newkey, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-newkey,"""",-newkey,"""",-key,"""",-cert,"""",-secret,_PBM_SECRET 1,reqin ir and rspout - using no newkey and -popo 0 as workaround, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspout,_RESULT_DIR/ip2.der,-newkey,"""", -popo,0 1,reqin ip and rspin - using no newkey and -popo 0 as workaround, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspin,_RESULT_DIR/ip2.der,,-newkey,"""",-server,"""",-disable_confirm, -popo,0 -1,reqout_only ir - no server with -popo -1, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir3.der,,BLANK,,BLANK, -server,"""", -popo,-1, -newkeyout,_RESULT_DIR/dummyout.pem -1,reqin ir and rspout - using no newkey and -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir3.der,,-rspout,_RESULT_DIR/ip3.der,-newkey,"""", -popo,-1, -newkeyout,_RESULT_DIR/newkeyout.pem -1,reqin ip and rspin - using no newkey and -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir3.der,,-rspin,_RESULT_DIR/ip3.der,,-newkey,"""",-server,"""",-disable_confirm, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout.pem +1,reqout_only ir - no server with -popo -1 (same as -centralkeygen), -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir3.der,,BLANK,,BLANK, -server,"""", -popo,-1, -newkeyout,_RESULT_DIR/dummyout.pem +1,reqin ir and rspout - using no newkey and -popo -1 (same as -centralkeygen), -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir3.der,,-rspout,_RESULT_DIR/ip3.der,-newkey,"""", -popo,-1, -newkeyout,_RESULT_DIR/newkeyout.pem +1,reqin ip and rspin - using no newkey and -popo -1 (same as -centralkeygen), -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir3.der,,-rspin,_RESULT_DIR/ip3.der,,-newkey,"""",-server,"""",-disable_confirm, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout.pem ,,,,,,,,,,,,,,,,,,, 1,central key generation, -section,, -cmd,cr,, -centralkeygen, -newkeyout,_RESULT_DIR/newkeyout1.pem 0,central key generation missing newkeyout, -section,, -cmd,cr,, -centralkeygen,,BLANK,,BLANK,,BLANK,,BLANK, diff --git a/util/libcrypto.num b/util/libcrypto.num index 4bf1867cd9886b..a777288a84665c 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5734,8 +5734,6 @@ EVP_CIPHER_CTX_get_algor 5861 3_4_0 EXIST::FUNCTION: EVP_PKEY_CTX_set_algor_params 5862 3_4_0 EXIST::FUNCTION: EVP_PKEY_CTX_get_algor_params 5863 3_4_0 EXIST::FUNCTION: EVP_PKEY_CTX_get_algor 5864 3_4_0 EXIST::FUNCTION: -OSSL_CMP_SRV_CTX_centralKeygen_req ? 3_5_0 EXIST::FUNCTION:CMP -CMS_EnvelopedData_dup ? 3_5_0 EXIST::FUNCTION:CMS d2i_OSSL_CRMF_ENCRYPTEDKEY ? 3_5_0 EXIST::FUNCTION:CRMF i2d_OSSL_CRMF_ENCRYPTEDKEY ? 3_5_0 EXIST::FUNCTION:CRMF OSSL_CRMF_ENCRYPTEDKEY_free ? 3_5_0 EXIST::FUNCTION:CRMF @@ -5744,6 +5742,9 @@ OSSL_CRMF_ENCRYPTEDKEY_it ? 3_5_0 EXIST::FUNCTION:CRMF OSSL_CRMF_ENCRYPTEDKEY_get1_encCert ? 3_5_0 EXIST::FUNCTION:CRMF OSSL_CRMF_ENCRYPTEDVALUE_decrypt ? 3_5_0 EXIST::FUNCTION:CRMF OSSL_CRMF_ENCRYPTEDKEY_get1_pkey ? 3_5_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_popo_present ? 3_5_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_centralKeygen_requested ? 3_5_0 EXIST::FUNCTION:CRMF +CMS_EnvelopedData_dup ? 3_5_0 EXIST::FUNCTION:CMS OSSL_CRMF_ENCRYPTEDKEY_init_envdata ? 3_5_0 EXIST::FUNCTION:CMS,CRMF EVP_get1_default_properties ? 3_5_0 EXIST::FUNCTION: d2i_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX ? 3_5_0 EXIST::FUNCTION: