aboutsummaryrefslogtreecommitdiff
path: root/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3
diff options
context:
space:
mode:
Diffstat (limited to 'secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3')
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3145
1 files changed, 37 insertions, 108 deletions
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3
index 8baced1731e6..d05fb26e6aff 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CMP_VALIDATE_MSG 3ossl"
-.TH OSSL_CMP_VALIDATE_MSG 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CMP_VALIDATE_MSG 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CMP_validate_msg,
OSSL_CMP_validate_cert_path
\&\- functions for verifying CMP message protection
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 4
\& #include <openssl/cmp.h>
@@ -148,15 +72,15 @@ OSSL_CMP_validate_cert_path
\& int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
\& X509_STORE *trusted_store, X509 *cert);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-This is the \s-1API\s0 for validating the protection of \s-1CMP\s0 messages,
-which includes validating \s-1CMP\s0 message sender certificates and their paths
+This is the API for validating the protection of CMP messages,
+which includes validating CMP message sender certificates and their paths
while optionally checking the revocation status of the certificates(s).
.PP
\&\fBOSSL_CMP_validate_msg()\fR validates the protection of the given \fImsg\fR,
-which must be signature-based or using password-based \s-1MAC\s0 (\s-1PBM\s0).
-In the former case a suitable trust anchor must be given in the \s-1CMP\s0 context
+which must be signature-based or using password-based MAC (PBM).
+In the former case a suitable trust anchor must be given in the CMP context
\&\fIctx\fR, and in the latter case the matching secret must have been set there
using \fBOSSL_CMP_CTX_set1_secretValue\fR\|(3).
.PP
@@ -165,21 +89,26 @@ is preferably the one provided by a call to \fBOSSL_CMP_CTX_set1_srvCert\fR\|(3)
If no such sender cert has been pinned then candidate sender certificates are
taken from the list of certificates received in the \fImsg\fR extraCerts, then any
certificates provided before via \fBOSSL_CMP_CTX_set1_untrusted\fR\|(3), and
-then all trusted certificates provided via \fBOSSL_CMP_CTX_set0_trustedStore\fR\|(3),
-where a candidate is acceptable only if has not expired, its subject \s-1DN\s0 matches
-the \fImsg\fR sender \s-1DN\s0 (as far as present), and its subject key identifier
-is present and matches the senderKID (as far as the latter present).
+then all trusted certificates provided via \fBOSSL_CMP_CTX_set0_trusted\fR\|(3).
+A candidate certificate is acceptable only if it is currently valid
+(or the trust store contains a verification callback that overrides the verdict
+that the certificate is expired or not yet valid), its subject DN matches
+the \fImsg\fR sender DN (as far as present), and its subject key identifier
+is present and matches the senderKID (as far as the latter is present).
Each acceptable cert is tried in the given order to see if the message
signature check succeeds and the cert and its path can be verified
-using any trust store set via \fBOSSL_CMP_CTX_set0_trustedStore\fR\|(3).
+using any trust store set via \fBOSSL_CMP_CTX_set0_trusted\fR\|(3).
.PP
-If the option \s-1OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR\s0 was set by calling
-\&\fBOSSL_CMP_CTX_set_option\fR\|(3), for an Initialization Response (\s-1IP\s0) message
-any self-issued certificate from the \fImsg\fR extraCerts field may also be used
-as trust anchor for the path verification of an acceptable cert if it can be
-used also to validate the issued certificate returned in the \s-1IP\s0 message. This is
-according to \s-1TS 33.310\s0 [Network Domain Security (\s-1NDS\s0); Authentication Framework
-(\s-1AF\s0)] document specified by the The 3rd Generation Partnership Project (3GPP).
+If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling
+\&\fBOSSL_CMP_CTX_set_option\fR\|(3), for an Initialization Response (IP) message
+any self-issued certificate from the \fImsg\fR extraCerts field may be used
+as a trust anchor for the path verification of an 'acceptable' cert if it can be
+used also to validate the issued certificate returned in the IP message. This is
+according to TS 33.310 [Network Domain Security (NDS); Authentication Framework
+(AF)] document specified by The 3rd Generation Partnership Project (3GPP).
+Note that using this option is dangerous as the certificate obtained this way
+has not been authenticated (at least not at CMP level).
+Taking it over as a trust anchor implements trust-on-first-use (TOFU).
.PP
Any cert that has been found as described above is cached and tried first when
validating the signatures of subsequent messages in the same transaction.
@@ -187,9 +116,9 @@ validating the signatures of subsequent messages in the same transaction.
\&\fBOSSL_CMP_validate_cert_path()\fR attempts to validate the given certificate and its
path using the given store of trusted certs (possibly including CRLs and a cert
verification callback) and non-trusted intermediate certs from the \fIctx\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-\&\s-1CMP\s0 is defined in \s-1RFC 4210\s0 (and \s-1CRMF\s0 in \s-1RFC 4211\s0).
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_CMP_validate_msg()\fR and \fBOSSL_CMP_validate_cert_path()\fR
@@ -198,15 +127,15 @@ return 1 on success, 0 on error or validation failed.
.IX Header "SEE ALSO"
\&\fBOSSL_CMP_CTX_new\fR\|(3), \fBOSSL_CMP_exec_certreq\fR\|(3),
\&\fBOSSL_CMP_CTX_set1_secretValue\fR\|(3), \fBOSSL_CMP_CTX_set1_srvCert\fR\|(3),
-\&\fBOSSL_CMP_CTX_set1_untrusted\fR\|(3), \fBOSSL_CMP_CTX_set0_trustedStore\fR\|(3)
-.SH "HISTORY"
+\&\fBOSSL_CMP_CTX_set1_untrusted\fR\|(3), \fBOSSL_CMP_CTX_set0_trusted\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CMP\s0 support was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL CMP support was added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2007\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-12 18:56:04 +0000