CMP: add documentation

doc/man1/openssl-cmp.pod.in

@@ -26,6 +26,8 @@ Certificate enrollment options:
 
 [B<-newkey> I<filename>|I<uri>]
 [B<-newkeypass> I<arg>]
+[B<-centralkeygen>
+[B<-newkeyout> I<filename>]
 [B<-subject> I<name>]
 [B<-days> I<number>]
 [B<-reqexts> I<name>]
@@ -140,6 +142,8 @@ Mock server options:
 [B<-srv_untrusted> I<filenames>|I<uris>]
 [B<-ref_cert> I<filename>|I<uri>]
 [B<-rsp_cert> I<filename>|I<uri>]
+[B<-rsp_cert_key> I<filename>|I<uri>]
+[B<-rsp_keypass> I<filename>|I<uri>]
 [B<-rsp_crl> I<filename>|I<uri>]
 [B<-rsp_extracerts> I<filenames>|I<uris>]
 [B<-rsp_capubs> I<filenames>|I<uris>]
@@ -308,6 +312,15 @@ If not given here, the password will be prompted for if needed.
 For more information about the format of I<arg> see
 L<openssl-passphrase-options(1)>.
 
+=item B<-centralkeygen>
+
+Request central key generation for certificate enrollment.
+This applies to B<-cmd> I<ir|cr|kur|p10cr>.
+
+=item B<-newkeyout> I<filename>
+
+File to save private key generated by central key generation.
+
 =item B<-subject> I<name>
 
 X.509 Distinguished Name (DN) to use as subject field
@@ -920,7 +933,7 @@ See L<openssl(1)/Format Options> for details.
 
 Pass phrase source for certificate given with the B<-trusted>, B<-untrusted>,
 B<-own_trusted>, B<-srvcert>, B<-crlcert>, B<-out_trusted>, B<-extracerts>,
-B<-srv_trusted>, B<-srv_untrusted>, B<-ref_cert>, B<-rsp_cert>,
+B<-srv_trusted>, B<-srv_untrusted>, B<-ref_cert>,
 B<-rsp_extracerts>, B<-rsp_capubs>,
 B<-rsp_newwithnew>, B<-rsp_newwithold>, B<-rsp_oldwithnew>,
 B<-tls_extra>, and B<-tls_trusted> options.
@@ -1194,6 +1207,14 @@ Certificate to be expected for RR messages and any oldCertID in KUR messages.
 
 Certificate to be returned as mock enrollment result.
 
+=item B<-rsp_cert_key> I<filename>|I<uri>
+
+Private key to be returned as central key generation result.
+
+=item B<-rsp_keypass> I<arg>
+
+Pass phrase source for B<rsp_cert> and B<rsp_cert_key>.
+
 =item B<-rsp_crl> I<filename>|I<uri>
 
 CRL to be returned in genp of type C<crls>.

doc/man3/CMS_EnvelopedData_create.pod

@@ -3,7 +3,8 @@
 =head1 NAME
 
 CMS_EnvelopedData_create_ex, CMS_EnvelopedData_create,
-CMS_AuthEnvelopedData_create, CMS_AuthEnvelopedData_create_ex
+CMS_AuthEnvelopedData_create, CMS_AuthEnvelopedData_create_ex,
+CMS_env_sign_data
 - Create CMS envelope
 
 =head1 SYNOPSIS
@@ -19,6 +20,9 @@ CMS_AuthEnvelopedData_create, CMS_AuthEnvelopedData_create_ex
  CMS_AuthEnvelopedData_create_ex(const EVP_CIPHER *cipher, OSSL_LIB_CTX *libctx,
                                  const char *propq);
  CMS_ContentInfo *CMS_AuthEnvelopedData_create(const EVP_CIPHER *cipher);
+ CMS_EnvelopedData *CMS_env_sign_data(BIO *data, X509 *signcert, EVP_PKEY *signkey,
+                                      STACK_OF(X509) *encryption_recip,
+                                      OSSL_LIB_CTX *libctx, const char *propq);
 
 =head1 DESCRIPTION
 
@@ -47,6 +51,12 @@ CMS_EnvelopedData_create_ex() and CMS_AuthEnvelopedData_create_ex()
 but use default values of NULL for
 the library context I<libctx> and the property query I<propq>.
 
+CMS_env_sign_data() creates a B<CMS_EnvelopedData> structure for recipients in
+I<encryption_recip>. I<data> is signed using I<signcert> and I<signkey> to
+create B<CMS_SignedData> and then encrypted using I<encryption_recip> to
+create B<CMS_EnvelopedData>. The library context I<libctx> and the property
+query I<propq> are used when retrieving algorithms from providers.
+
 =head1 NOTES
 
 Although CMS_EnvelopedData_create_ex(), and CMS_EnvelopedData_create(),

doc/man3/OSSL_CMP_SRV_CTX_new.pod

@@ -21,7 +21,8 @@ OSSL_CMP_SRV_CTX_get0_custom_ctx,
 OSSL_CMP_SRV_CTX_set_send_unprotected_errors,
 OSSL_CMP_SRV_CTX_set_accept_unprotected,
 OSSL_CMP_SRV_CTX_set_accept_raverified,
-OSSL_CMP_SRV_CTX_set_grant_implicit_confirm
+OSSL_CMP_SRV_CTX_set_grant_implicit_confirm,
+OSSL_CMP_SRV_CTX_centralKeygen_req
 - generic functions to set up and control a CMP server
 
 =head1 SYNOPSIS
@@ -91,6 +92,8 @@ OSSL_CMP_SRV_CTX_set_grant_implicit_confirm
  int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val);
  int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx,
                                                  int val);
+ int OSSL_CMP_SRV_CTX_centralKeygen_req(const OSSL_CRMF_MSG *crm,
+                                        X509_REQ *p10cr);
 
 =head1 DESCRIPTION
 
@@ -155,6 +158,11 @@ messages with POPO 'RAVerified'.
 OSSL_CMP_SRV_CTX_set_grant_implicit_confirm() enables granting implicit
 confirmation of newly enrolled certificates if requested.
 
+OSSL_CMP_SRV_CTX_centralKeygen_req() returns I<true> if central key generaion
+is requested i.e, public key in certificate request (I<crm> or I<p10cr>) is NULL
+or have zero length.
+
+
 =head1 NOTES
 
 CMP is defined in RFC 4210 (and CRMF in RFC 4211).

doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod

@@ -10,6 +10,10 @@ OSSL_CRMF_CERTTEMPLATE_get0_serialNumber,
 OSSL_CRMF_CERTTEMPLATE_get0_extensions,
 OSSL_CRMF_CERTID_get0_serialNumber,
 OSSL_CRMF_CERTID_get0_issuer,
+OSSL_CRMF_ENCRYPTEDKEY_get1_encCert,
+OSSL_CRMF_ENCRYPTEDKEY_get1_pkey,
+OSSL_CRMF_ENCRYPTEDKEY_init_envdata,
+OSSL_CRMF_ENCRYPTEDVALUE_decrypt,
 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert,
 OSSL_CRMF_MSG_get_certReqId
 - functions reading from CRMF CertReqMsg structures
@@ -34,6 +38,23 @@ OSSL_CRMF_MSG_get_certReqId
  *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
  const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
 
+ X509
+ *OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(const OSSL_CRMF_ENCRYPTEDKEY *ecert,
+                                      OSSL_LIB_CTX *libctx, const char *propq,
+                                      EVP_PKEY *pkey, unsigned int flags);
+ EVP_PKEY
+ *OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(OSSL_CRMF_ENCRYPTEDKEY *encryptedKey,
+                                   X509_STORE *ts, STACK_OF(X509) *extra,
+                                   EVP_PKEY *pkey, X509 *cert,
+                                   ASN1_OCTET_STRING *secret,
+                                   OSSL_LIB_CTX *libctx, const char *propq);
+ OSSL_CRMF_ENCRYPTEDKEY
+ *OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata);
+
+ unsigned char
+ *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE *enc,
+                                   EVP_PKEY *pkey, int *outlen,
+                                   OSSL_LIB_CTX *libctx, const char *propq);
  X509
  *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert,
                                         OSSL_LIB_CTX *libctx, const char *propq,
@@ -66,6 +87,27 @@ of the given CertId I<cid>.
 OSSL_CRMF_CERTID_get0_issuer retrieves the issuer name
 of the given CertId I<cid>, which must be of ASN.1 type GEN_DIRNAME.
 
+OSSL_CRMF_ENCRYPTEDKEY_get1_encCert() decrypts the certificate in the given
+encryptedKey I<ecert>, using the private key I<pkey>, library context
+I<libctx> and property query string I<propq> (see L<OSSL_LIB_CTX(3)>).
+This is needed for the indirect POPO method as in RFC 4210 section 5.2.8.2.
+The function returns the decrypted certificate as a copy, leaving its ownership
+with the caller, who is responsible for freeing it.
+
+OSSL_CRMF_ENCRYPTEDKEY_get1_pkey() decrypts the private key in the given
+encryptedKey I<encryptedKey>, using the I<secret> or private key I<pkey>
+and certificate I<cert>.
+It verifies the signed data using the trusted certificates in I<ts> and untrusted
+certificates in I<extra>,if envelopedata is present.
+library context I<libctx> and property query string I<propq> (see L<OSSL_LIB_CTX(3)>).
+
+OSSL_CRMF_ENCRYPTEDKEY_init_envdata() returns I<OSSL_CRMF_ENCRYPTEDKEY>, intialized with 
+the enveloped data I<envdata>.
+
+OSSL_CRMF_ENCRYPTEDVALUE_decrypt() decrypts the encrypted value in the given
+encryptedValue I<enc>, using the private key I<pkey>, library context
+I<libctx> and property query string I<propq> (see L<OSSL_LIB_CTX(3)>).
+
 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert() decrypts the certificate in the given
 encryptedValue I<ecert>, using the private key I<pkey>, library context
 I<libctx> and property query string I<propq> (see L<OSSL_LIB_CTX(3)>).
@@ -92,6 +134,10 @@ The OpenSSL CRMF support was added in OpenSSL 3.0.
 
 OSSL_CRMF_CERTTEMPLATE_get0_publicKey() was added in OpenSSL 3.2.
 
+OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(), OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(),
+OSSL_CRMF_ENCRYPTEDKEY_init_envdata() and OSSL_CRMF_ENCRYPTEDVALUE_decrypt()
+were added in OpenSSL 3.4.
+
 =head1 COPYRIGHT
 
 Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.

doc/man3/X509_dup.pod

@@ -32,6 +32,7 @@ CMS_ContentInfo_new,
 CMS_ContentInfo_new_ex,
 CMS_ContentInfo_print_ctx,
 CMS_EnvelopedData_it,
+CMS_EnvelopedData_dup,
 CMS_ReceiptRequest_free,
 CMS_ReceiptRequest_new,
 CMS_SignedData_free,
@@ -172,6 +173,9 @@ OSSL_CRMF_CERTTEMPLATE_new,
 OSSL_CRMF_CERTTEMPLATE_dup,
 OSSL_CRMF_ATTRIBUTETYPEANDVALUE_dup,
 OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free,
+OSSL_CRMF_ENCRYPTEDKEY_free,
+OSSL_CRMF_ENCRYPTEDKEY_it,
+OSSL_CRMF_ENCRYPTEDKEY_new,
 OSSL_CRMF_ENCRYPTEDVALUE_free,
 OSSL_CRMF_ENCRYPTEDVALUE_it,
 OSSL_CRMF_ENCRYPTEDVALUE_new,
@@ -457,6 +461,9 @@ CMS_ContentInfo_new_ex() were added in OpenSSL 3.0.
 The functions DSAparams_dup(), RSAPrivateKey_dup() and RSAPublicKey_dup() were
 deprecated in 3.0.
 
+The function CMS_EnvelopedData_dup(), OSSL_CRMF_ENCRYPTEDKEY_free(),
+OSSL_CRMF_ENCRYPTEDKEY_it() and OSSL_CRMF_ENCRYPTEDKEY_new() were added in OpenSSL 3.4.
+
 =head1 COPYRIGHT
 
 Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.

doc/man3/d2i_X509.pod

@@ -98,6 +98,7 @@ d2i_OSSL_CMP_PKIHEADER,
 d2i_OSSL_CMP_PKISI,
 d2i_OSSL_CRMF_CERTID,
 d2i_OSSL_CRMF_CERTTEMPLATE,
+d2i_OSSL_CRMF_ENCRYPTEDKEY,
 d2i_OSSL_CRMF_ENCRYPTEDVALUE,
 d2i_OSSL_CRMF_MSG,
 d2i_OSSL_CRMF_MSGS,
@@ -287,6 +288,7 @@ i2d_OSSL_CMP_PKIHEADER,
 i2d_OSSL_CMP_PKISI,
 i2d_OSSL_CRMF_CERTID,
 i2d_OSSL_CRMF_CERTTEMPLATE,
+i2d_OSSL_CRMF_ENCRYPTEDKEY,
 i2d_OSSL_CRMF_ENCRYPTEDVALUE,
 i2d_OSSL_CRMF_MSG,
 i2d_OSSL_CRMF_MSGS,