OSSL_CMP_validate_msg, OSSL_CMP_validate_cert_path - functions for verifying CMP message protection
#include <openssl/cmp.h>
int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
X509_STORE *trusted_store, X509 *cert);This is the API for validating the protection of CMP messages, which includes validating CMP message sender certificates and their paths while optionally checking the revocation status of the certificates(s).
OSSL_CMP_validate_msg() validates the protection of the given msg using either password-based mac (PBM) or a signature algorithm.
In case of signature algorithm, the certificate to use for the signature check is preferably the one provided by a call to OSSL_CMP_CTX_set1_untrusted_certs(3), and then all trusted certificates provided via OSSL_CMP_CTX_set0_trustedStore(3).
If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling OSSL_CMP_CTX_set0_trustedStore(3), such that they are available for validating subsequent messages in the same context. Those could apply to any Polling Response (pollRep), error, or PKI Confirmation (PKIConf) messages following in the same or future transactions.
OSSL_CMP_validate_cert_path() attempts to validate the given certificate and its path using the given store of trusted certs (possibly including CRLs and a cert verification callback) and non-trusted intermediate certs from the ctx.
CMP is defined in RFC 4210 (and CRMF in RFC 4211).
OSSL_CMP_validate_msg() and OSSL_CMP_validate_cert_path() return 1 on success, 0 on error or validation failed.
The OpenSSL CMP support was added in OpenSSL 3.0.
Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.