fixup! fixup! CMP: add documentation

apps/cmp.c

@@ -3872,8 +3872,8 @@ int cmp_main(int argc, char **argv)
                 }
 
                 CMP_info1("saving centrally generated key to file '%s'", opt_newkeyout);
-                if (PEM_write_bio_PKCS8PrivateKey(out, new_key, cipher, NULL, 0, NULL,
-                                                  (void *)pass_string) <= 0)
+                if (PEM_write_bio_PrivateKey(out, new_key, cipher, NULL, 0, NULL,
+                                             (void *)pass_string) <= 0)
                     goto err;
                 BIO_free(out);
                 clear_free(pass_string);

crypto/cmp/cmp_msg.c

@@ -19,9 +19,9 @@
 #include <openssl/crmf.h>
 #include <openssl/err.h>
 #include <openssl/x509.h>
-#include <openssl/cms.h>
 #include <openssl/pem.h>
 #include <openssl/bio.h>
+#include <internal/cms.h>
 
 OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq)
 {
@@ -458,30 +458,26 @@ static OSSL_CRMF_ENCRYPTEDKEY *enc_privkey(OSSL_CMP_CTX *ctx, const EVP_PKEY *pk
     OSSL_CRMF_ENCRYPTEDKEY *ek = NULL;
     CMS_EnvelopedData *envData = NULL;
     BIO *privbio = NULL;
-    X509 *recip = X509_dup(ctx->validatedSrvCert);
-    STACK_OF(X509) * encryption_recips = sk_X509_new_null();
+    X509 *recip = ctx->validatedSrvCert; /* this is the client cert */
+    STACK_OF(X509) *encryption_recips = sk_X509_new_reserve(NULL, 1);
 
-    if (encryption_recips == NULL || recip == NULL)
+    if (encryption_recips == NULL
+        || !X509_add_cert(encryption_recips, recip, X509_ADD_FLAG_UP_REF))
         goto err;
 
-    if (!sk_X509_push(encryption_recips, recip))
-        goto err;
-    recip = NULL;
-
     privbio = BIO_new(BIO_s_mem());
     if (privbio == NULL || i2d_PrivateKey_bio(privbio, pkey) <= 0)
         goto err;
     ossl_cmp_set_own_chain(ctx);
-    envData = CMS_sign_encrypt(privbio, ctx->cert, ctx->chain, ctx->pkey, CMS_BINARY,
-                               encryption_recips, EVP_aes_256_cbc(), CMS_BINARY,
-                               ctx->libctx, ctx->propq);
+    envData = ossl_cms_sign_encrypt(privbio, ctx->cert, ctx->chain, ctx->pkey, CMS_BINARY,
+                                    encryption_recips, EVP_aes_256_cbc(), CMS_BINARY,
+                                    ctx->libctx, ctx->propq);
     if (envData == NULL)
         goto err;
     ek = OSSL_CRMF_ENCRYPTEDKEY_init_envdata(envData);
 
  err:
     sk_X509_pop_free(encryption_recips, X509_free);
-    X509_free(recip);
     BIO_free(privbio);
     if (ek == NULL)
         M_ASN1_free_of(envData, CMS_EnvelopedData);

crypto/cmp/cmp_protect.c

@@ -136,8 +136,7 @@ void ossl_cmp_set_own_chain(OSSL_CMP_CTX *ctx)
         return;
     /* if not yet done try to build chain using available untrusted certs */
     if (ctx->chain == NULL) {
-        ossl_cmp_debug(ctx,
-                       "trying to build chain for own CMP signer cert");
+        ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert");
         ctx->chain = X509_build_chain(ctx->cert, ctx->untrusted, NULL, 0,
                                       ctx->libctx, ctx->propq);
         if (ctx->chain != NULL) {

crypto/cmp/cmp_server.c

@@ -245,7 +245,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
     EVP_PKEY *keyOut = NULL;
     STACK_OF(X509) *chainOut = NULL, *caPubs = NULL;
     const OSSL_CRMF_MSG *crm = NULL;
-    X509_REQ *p10cr = NULL;
+    const X509_REQ *p10cr = NULL;
     int bodytype;
     int certReqId;
 

crypto/cms/cms_lib.c

@@ -17,6 +17,7 @@
 #include "internal/sizes.h"
 #include "crypto/x509.h"
 #include "cms_local.h"
+#include "internal/cms.h"
 
 static STACK_OF(CMS_CertificateChoices)
 **cms_get0_certificate_choices(CMS_ContentInfo *cms);
@@ -736,10 +737,11 @@ int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert)
     return 1;
 }
 
-CMS_EnvelopedData *CMS_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs,
-                                    EVP_PKEY *sign_key, unsigned int sign_flags,
-                                    STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher,
-                                    unsigned int enc_flags, OSSL_LIB_CTX *libctx, const char *propq)
+CMS_EnvelopedData *ossl_cms_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs,
+                                         EVP_PKEY *sign_key, unsigned int sign_flags,
+                                         STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher,
+                                         unsigned int enc_flags, OSSL_LIB_CTX *libctx,
+                                         const char *propq)
 {
     CMS_EnvelopedData *evd = NULL;
     BIO *privbio = NULL, *signbio = NULL;

doc/internal/man3/ossl_cms_sign_encrypt.pod

@@ -0,0 +1,56 @@
+=pod
+
+=head1 NAME
+
+ossl_cms_sign_encrypt
+- Create CMS envelope
+
+=head1 SYNOPSIS
+
+ #include <openssl/cms.h>
+
+ CMS_EnvelopedData *ossl_cms_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs,
+                                          EVP_PKEY *sign_key, unsigned int sign_flags,
+                                          STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher,
+                                          unsigned int enc_flags, OSSL_LIB_CTX *libctx,
+                                          const char *propq);
+
+=head1 DESCRIPTION
+
+ossl_cms_sign_encrypt() creates a B<CMS_EnvelopedData> structure for recipients in
+I<enc_recip>.
+
+I<data> is signed using I<signcert> and I<signkey> to create B<CMS_SignedData> 
+and then encrypted using I<enc_recip> to create B<CMS_EnvelopedData>.
+The library context I<libctx> and the property query I<propq> are used
+when retrieving algorithms from providers.
+
+I<certs> is an optional additional set of certificates to include in the
+B<CMS_SignedData> structure (e.g., any intermediate CAs in the chain of the signer certificate).
+
+I<sign_flags> is an optional set of flags for the signing operation.
+See L<CMS_sign_ex(3)> for more information.
+
+I<enc_flags> is an optional set of flags for the encryption operation.
+See L<CMS_encrypt_ex(3)> for more information.
+
+=head1 RETURN VALUES
+
+If the allocation fails, ossl_cms_sign_encrypt() return NULL and
+set an error code that can be obtained by L<ERR_get_error(3)>. 
+Otherwise, they return a pointer to the newly allocated structure.
+
+=head1 HISTORY
+
+ossl_cms_sign_encrypt() was added in OpenSSL 3.5.
+
+=head1 COPYRIGHT
+
+Copyright 2023 - 2024 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut

doc/man1/openssl-cmp.pod.in

@@ -1214,7 +1214,7 @@ Private key to be returned as central key generation result.
 
 =item B<-rsp_keypass> I<arg>
 
-Pass phrase source for B<rsp_cert> and B<rsp_cert_key>.
+Pass phrase source for B<rsp_cert> and B<rsp_key>.
 
 =item B<-rsp_crl> I<filename>|I<uri>
 

doc/man3/CMS_EnvelopedData_create.pod

@@ -3,8 +3,7 @@
 =head1 NAME
 
 CMS_EnvelopedData_create_ex, CMS_EnvelopedData_create,
-CMS_AuthEnvelopedData_create, CMS_AuthEnvelopedData_create_ex,
-CMS_sign_encrypt
+CMS_AuthEnvelopedData_create, CMS_AuthEnvelopedData_create_ex
 - Create CMS envelope
 
 =head1 SYNOPSIS
@@ -21,11 +20,6 @@ CMS_sign_encrypt
                                  const char *propq);
  CMS_ContentInfo *CMS_AuthEnvelopedData_create(const EVP_CIPHER *cipher);
 
- CMS_EnvelopedData *CMS_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs,
-                                     EVP_PKEY *sign_key, unsigned int sign_flags,
-                                     STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher,
-                                     unsigned int enc_flags, OSSL_LIB_CTX *libctx, const char *propq);
-
 =head1 DESCRIPTION
 
 CMS_EnvelopedData_create_ex() creates a B<CMS_ContentInfo> structure
@@ -53,24 +47,6 @@ CMS_EnvelopedData_create_ex() and CMS_AuthEnvelopedData_create_ex()
 but use default values of NULL for
 the library context I<libctx> and the property query I<propq>.
 
-CMS_sign_encrypt() creates a B<CMS_EnvelopedData> structure for recipients in
-I<enc_recip>.
-
-I<data> is signed using I<signcert> and I<signkey> to
-create B<CMS_SignedData> and then encrypted using I<enc_recip> to
-create B<CMS_EnvelopedData>. The library context I<libctx> and the property
-query I<propq> are used when retrieving algorithms from providers.
-
-I<certs> is an optional additional set of certificates to include in the
-B<CMS_SignedData> structure (e.g., any intermediate CAs in the chain of the signer certificate).
-
-I<sign_flags> is an optional set of flags for the signing operation.
-see L<CMS_sign_ex(3)> for more information.
-
-I<enc_flags> is an optional set of flags for the encryption operation.
-see L<CMS_encrypt_ex(3)> for more information.
-
-
 =head1 NOTES
 
 Although CMS_EnvelopedData_create_ex(), and CMS_EnvelopedData_create(),
@@ -82,10 +58,10 @@ The wrappers L<CMS_encrypt(3)> and L<CMS_decrypt(3)> are often used instead.
 
 If the allocation fails, CMS_EnvelopedData_create_ex(),
 CMS_EnvelopedData_create(), CMS_AuthEnvelopedData_create_ex()
-CMS_AuthEnvelopedData_create(), CMS_AuthEnvelopedData_create(),
-CMS_AuthEnvelopedData_create_ex() and CMS_sign_encrypt() return NULL and set an error code
-that can be obtained by L<ERR_get_error(3)>. Otherwise they return a pointer to the newly
-allocated structure.
+CMS_AuthEnvelopedData_create(), CMS_AuthEnvelopedData_create()
+and CMS_AuthEnvelopedData_create_ex() return NULL and set an
+error code that can be obtained by L<ERR_get_error(3)>. 
+Otherwise, they return a pointer to the newly allocated structure.
 
 =head1 SEE ALSO
 
@@ -96,8 +72,8 @@ L<CMS_sign_ex(3)>, L<CMS_encrypt_ex(3)>
 
 The CMS_EnvelopedData_create_ex() method was added in OpenSSL 3.0.
 
-CMS_AuthEnvelopedData_create(), CMS_AuthEnvelopedData_create_ex()
-and CMS_sign_encrypt() were added in OpenSSL 3.5.
+CMS_AuthEnvelopedData_create() and CMS_AuthEnvelopedData_create_ex()
+were added in OpenSSL 3.5.
 
 =head1 COPYRIGHT
 

doc/man3/OSSL_CMP_SRV_CTX_new.pod

@@ -183,6 +183,9 @@ NULL on error.
 OSSL_CMP_SRV_CTX_get0_custom_ctx() returns the custom server context
 that has been set using OSSL_CMP_SRV_CTX_init().
 
+OSSL_CMP_SRV_CTX_centralKeygen_req() returns 0 if central key generation
+is not requested or in case of error, 1 if it is requested.
+
 All other functions return 1 on success, 0 on error.
 
 =head1 HISTORY

doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod

@@ -92,12 +92,18 @@ This is needed for the indirect POPO method as in RFC 4210 section 5.2.8.2.
 The function returns the decrypted certificate as a copy, leaving its ownership
 with the caller, who is responsible for freeing it.
 
-OSSL_CRMF_ENCRYPTEDKEY_get1_pkey() decrypts the private key in the given
-encryptedKey I<encryptedKey>, using the I<secret> or private key I<pkey>
-and certificate I<cert>.
-It verifies the signed data using the trusted certificates in I<ts> and untrusted
-certificates in I<extra>,if envelopedata is present.
-library context I<libctx> and property query string I<propq> (see L<OSSL_LIB_CTX(3)>).
+OSSL_CRMF_ENCRYPTEDKEY_get1_pkey() decrypts the private key in I<encryptedKey>.
+If `encryptedKey` is not of type B<OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA>, 
+decryption uses the private key I<pkey>.
+The library context I<libctx> and property query I<propq> are taken into account as usual.
+The rest of this paragraph is relevant only if CMS support not disabled for the OpenSSL build
+and `encryptedKey` is of  type case B<OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA>.
+Decryption uses the I<secret> parameter if not NULL; 
+otherwise uses the private key <pkey> and the certificate I<cert> 
+related to I<pkey>, where I<cert>  is recommended to be given if available. 
+On success, the function verifies the decrypted data as signed data,
+using the trust store I<ts> and any untrusted certificates in I<extra>.
+Doing so, it checks for the purpose "CMP Key Generation Authority" (cmKGA).
 
 OSSL_CRMF_ENCRYPTEDKEY_init_envdata() returns I<OSSL_CRMF_ENCRYPTEDKEY>, intialized with 
 the enveloped data I<envdata>.

include/internal/cms.h

@@ -0,0 +1,23 @@
+/*
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#ifndef OSSL_INTERNAL_CMS_H
+# define OSSL_INTERNAL_CMS_H
+# pragma once
+
+# include <openssl/cms.h>
+
+# ifndef OPENSSL_NO_CMS
+
+CMS_EnvelopedData *ossl_cms_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs,
+                                         EVP_PKEY *sign_key, unsigned int sign_flags,
+                                         STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher,
+                                         unsigned int enc_flags, OSSL_LIB_CTX *libctx,
+                                         const char *propq);
+# endif /* OPENSSL_NO_CMS */
+#endif /* OSSL_INTERNAL_CMS_H */

include/openssl/cms.h.in

@@ -399,11 +399,6 @@ int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
 
 int CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg,
                           ASN1_OCTET_STRING *ukm, int keylen);
-CMS_EnvelopedData *CMS_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs,
-                                    EVP_PKEY *sign_key, unsigned int sign_flags,
-                                    STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher,
-                                    unsigned int enc_flags, OSSL_LIB_CTX *libctx,
-                                    const char *propq);
 
 /* Backward compatibility for spelling errors. */
 # define CMS_R_UNKNOWN_DIGEST_ALGORITM CMS_R_UNKNOWN_DIGEST_ALGORITHM

test/recipes/80-test_cmp_http_data/test_commands.csv

@@ -132,17 +132,20 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
 1,rspin, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der _RESULT_DIR/pkiConf.der,,BLANK,,BLANK
 0,rspin too few files - server must reject, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der,,BLANK,,BLANK,-secret,_PBM_SECRET
 0,rspin too few files - no server, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der,,BLANK,,BLANK, -server,""""
-1,reqout_only ir - no server, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir2.der,,BLANK,,BLANK, -server,"""",-popo,-1,-newkeyout,_RESULT_DIR/newkeyout.pem
+1,reqout_only ir - no server, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir2.der,,BLANK,,BLANK, -server,""""
 0,reqout_only non-existing directory and file, -section,, -cmd,ir,,-reqout_only,idontexist/idontexist,,BLANK,,BLANK, -server,""""
 0,reqin ir - no newkey, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-newkey,"""",-newkey,"""",-key,"""",-cert,"""",-secret,_PBM_SECRET
-1,reqin ir and rspout - no newkey but -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspout,_RESULT_DIR/ip2.der,-newkey,"""",-popo,-1,-newkeyout,_RESULT_DIR/newkeyout.pem
-1,reqin ip and rspin  - no newkey but -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspin,_RESULT_DIR/ip2.der,,-newkey,"""",-server,"""",-disable_confirm,-popo,-1,-newkeyout,_RESULT_DIR/newkeyout.pem 
+1,reqin ir and rspout - using no newkey and -popo 0 as workaround, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspout,_RESULT_DIR/ip2.der,-newkey,"""", -popo,0
+1,reqin ip and rspin  - using no newkey and -popo 0 as workaround, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspin,_RESULT_DIR/ip2.der,,-newkey,"""",-server,"""",-disable_confirm, -popo,0
+1,reqout_only ir - no server with -popo -1, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir3.der,,BLANK,,BLANK, -server,"""", -popo,-1, -newkeyout,_RESULT_DIR/dummyout.pem
+1,reqin ir and rspout - using no newkey and -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir3.der,,-rspout,_RESULT_DIR/ip3.der,-newkey,"""", -popo,-1, -newkeyout,_RESULT_DIR/newkeyout.pem
+1,reqin ip and rspin  - using no newkey and -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir3.der,,-rspin,_RESULT_DIR/ip3.der,,-newkey,"""",-server,"""",-disable_confirm, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout.pem
 ,,,,,,,,,,,,,,,,,,,
 1,central key generation, -section,, -cmd,cr,, -centralkeygen, -newkeyout,_RESULT_DIR/newkeyout1.pem
 0,central key generation missing newkeyout, -section,, -cmd,cr,, -centralkeygen,,BLANK,,BLANK,,BLANK,,BLANK,
-0,using popo=1 with central key generation, -section,, -cmd,cr,, -centralkeygen, -popo,1, -newkeyout,_RESULT_DIR/newkeyout.pem
-1, using popo=-1 with central key generation, -section,, -cmd,cr,, -centralkeygen, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout2.pem
-1, using popo=-1 instead of central key generation, -section,, -cmd,cr,, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout3.pem, -newkeypass,pass:12345, -certout,_RESULT_DIR/test.cert3.pem
-1, using centrally generated credentials , -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:12345
-0, using centrally generated credentials with wrong password , -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:wrong
-0, using popo=-1 instead of central key generation without newkeyout, -section,, -cmd,cr,, -popo,-1,,BLANK,,BLANK,,BLANK,,BLANK,
+0,using popo 1 with -centralkeygen, -section,, -cmd,cr,, -centralkeygen, -popo,1, -newkeyout,_RESULT_DIR/newkeyout.pem
+1, using popo -1 redundantly with -centralkeygen, -section,, -cmd,cr,, -centralkeygen, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout2.pem
+1, using popo -1 alternatively to -centralkeygen, -section,, -cmd,cr,, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout3.pem, -newkeypass,pass:12345, -certout,_RESULT_DIR/test.cert3.pem
+1, using centrally generated key (and cert) , -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:12345
+0, using centrally generated key with wrong password, -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:wrong
+0, using popo -1 (instead of -centralkeygen) without -newkeyout, -section,, -cmd,cr,, -popo,-1,,BLANK,,BLANK,,BLANK,,BLANK,

util/libcrypto.num

@@ -5734,6 +5734,17 @@ EVP_CIPHER_CTX_get_algor                5861	3_4_0	EXIST::FUNCTION:
 EVP_PKEY_CTX_set_algor_params           5862	3_4_0	EXIST::FUNCTION:
 EVP_PKEY_CTX_get_algor_params           5863	3_4_0	EXIST::FUNCTION:
 EVP_PKEY_CTX_get_algor                  5864	3_4_0	EXIST::FUNCTION:
+OSSL_CMP_SRV_CTX_centralKeygen_req      ?	3_5_0	EXIST::FUNCTION:CMP
+CMS_EnvelopedData_dup                   ?	3_5_0	EXIST::FUNCTION:CMS
+d2i_OSSL_CRMF_ENCRYPTEDKEY              ?	3_5_0	EXIST::FUNCTION:CRMF
+i2d_OSSL_CRMF_ENCRYPTEDKEY              ?	3_5_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_ENCRYPTEDKEY_free             ?	3_5_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_ENCRYPTEDKEY_new              ?	3_5_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_ENCRYPTEDKEY_it               ?	3_5_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_ENCRYPTEDKEY_get1_encCert     ?	3_5_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_ENCRYPTEDVALUE_decrypt        ?	3_5_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_ENCRYPTEDKEY_get1_pkey        ?	3_5_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_ENCRYPTEDKEY_init_envdata     ?	3_5_0	EXIST::FUNCTION:CMS,CRMF
 EVP_get1_default_properties             ?	3_5_0	EXIST::FUNCTION:
 d2i_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX  ?	3_5_0	EXIST::FUNCTION:
 i2d_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX  ?	3_5_0	EXIST::FUNCTION: