Scroll to navigation

OSSL_CRMF_MSG_GET0_TMPL(3SSL) OpenSSL OSSL_CRMF_MSG_GET0_TMPL(3SSL)

NAME

OSSL_CRMF_MSG_get0_tmpl, OSSL_CRMF_CERTTEMPLATE_get0_publicKey, OSSL_CRMF_CERTTEMPLATE_get0_subject, OSSL_CRMF_CERTTEMPLATE_get0_issuer, OSSL_CRMF_CERTTEMPLATE_get0_serialNumber, OSSL_CRMF_CERTTEMPLATE_get0_extensions, OSSL_CRMF_CERTID_get0_serialNumber, OSSL_CRMF_CERTID_get0_issuer, OSSL_CRMF_ENCRYPTEDKEY_get1_encCert, OSSL_CRMF_ENCRYPTEDKEY_get1_pkey, OSSL_CRMF_ENCRYPTEDKEY_init_envdata, OSSL_CRMF_ENCRYPTEDVALUE_decrypt, OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert, OSSL_CRMF_MSG_get_certReqId, OSSL_CRMF_MSG_centralkeygen_requested - functions reading from CRMF CertReqMsg structures

SYNOPSIS

 #include <openssl/crmf.h>
 OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm);
 X509_PUBKEY
 *OSSL_CRMF_CERTTEMPLATE_get0_publicKey(const OSSL_CRMF_CERTTEMPLATE *tmpl);
 const X509_NAME
 *OSSL_CRMF_CERTTEMPLATE_get0_subject(const OSSL_CRMF_CERTTEMPLATE *tmpl);
 const X509_NAME
 *OSSL_CRMF_CERTTEMPLATE_get0_issuer(const OSSL_CRMF_CERTTEMPLATE *tmpl);
 const ASN1_INTEGER
 *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(const OSSL_CRMF_CERTTEMPLATE *tmpl);
 X509_EXTENSIONS
 *OSSL_CRMF_CERTTEMPLATE_get0_extensions(const OSSL_CRMF_CERTTEMPLATE *tmpl);
 const ASN1_INTEGER
 *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
 const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
 X509 *OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(const OSSL_CRMF_ENCRYPTEDKEY *ecert,
                                           OSSL_LIB_CTX *libctx, const char *propq,
                                           EVP_PKEY *pkey, unsigned int flags);
 EVP_PKEY
 *OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(OSSL_CRMF_ENCRYPTEDKEY *encryptedKey,
                                   X509_STORE *ts, STACK_OF(X509) *extra,
                                   EVP_PKEY *pkey, X509 *cert,
                                   ASN1_OCTET_STRING *secret,
                                   OSSL_LIB_CTX *libctx, const char *propq);
 OSSL_CRMF_ENCRYPTEDKEY
 *OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata);
 unsigned char
 *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE *enc,
                                   OSSL_LIB_CTX *libctx, const char *propq,
                                   EVP_PKEY *pkey, int *outlen);
 X509
 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert,
                                        OSSL_LIB_CTX *libctx, const char *propq,
                                        EVP_PKEY *pkey);
 int OSSL_CRMF_MSG_get_certReqId(const OSSL_CRMF_MSG *crm);
 int OSSL_CRMF_MSG_centralkeygen_requested(const OSSL_CRMF_MSG *crm,
                                           const X509_REQ *p10cr);

DESCRIPTION

OSSL_CRMF_MSG_get0_tmpl() retrieves the certificate template of crm.

OSSL_CRMF_CERTTEMPLATE_get0_publicKey() retrieves the public key of the given certificate template tmpl.

OSSL_CRMF_CERTTEMPLATE_get0_subject() retrieves the subject name of the given certificate template tmpl.

OSSL_CRMF_CERTTEMPLATE_get0_issuer() retrieves the issuer name of the given certificate template tmpl.

OSSL_CRMF_CERTTEMPLATE_get0_serialNumber() retrieves the serialNumber of the given certificate template tmpl.

OSSL_CRMF_CERTTEMPLATE_get0_extensions() retrieves the X.509 extensions of the given certificate template tmpl, or NULL if not present.

OSSL_CRMF_CERTID_get0_serialNumber retrieves the serialNumber of the given CertId cid.

OSSL_CRMF_CERTID_get0_issuer retrieves the issuer name of the given CertId cid, which must be of ASN.1 type GEN_DIRNAME.

OSSL_CRMF_ENCRYPTEDKEY_get1_encCert() decrypts the certificate in the given encryptedKey ecert, using the private key pkey, library context libctx and property query string propq (see OSSL_LIB_CTX(3)). This is needed for the indirect POPO method as in RFC 4210 section 5.2.8.2. The function returns the decrypted certificate as a copy, leaving its ownership with the caller, who is responsible for freeing it.

OSSL_CRMF_ENCRYPTEDKEY_get1_pkey() decrypts the private key in encryptedKey. If encryptedKey is not of type OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA, decryption uses the private key pkey. The library context libctx and property query propq are taken into account as usual. The rest of this paragraph is relevant only if CMS support not disabled for the OpenSSL build and encryptedKey is of type case OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA. Decryption uses the secret parameter if not NULL; otherwise uses the private key <pkey> and the certificate cert related to pkey, where cert is recommended to be given if available. On success, the function verifies the decrypted data as signed data, using the trust store ts and any untrusted certificates in extra. Doing so, it checks for the purpose "CMP Key Generation Authority" (cmKGA).

OSSL_CRMF_ENCRYPTEDKEY_init_envdata() returns OSSL_CRMF_ENCRYPTEDKEY, intialized with the enveloped data envdata.

OSSL_CRMF_ENCRYPTEDVALUE_decrypt() decrypts the encrypted value in the given encryptedValue enc, using the private key pkey, library context libctx and property query string propq (see OSSL_LIB_CTX(3)).

OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert() decrypts the certificate in the given encryptedValue ecert, using the private key pkey, library context libctx and property query string propq (see OSSL_LIB_CTX(3)). This is needed for the indirect POPO method as in RFC 4210 section 5.2.8.2. The function returns the decrypted certificate as a copy, leaving its ownership with the caller, who is responsible for freeing it.

OSSL_CRMF_MSG_get_certReqId() retrieves the certReqId of crm.

OSSL_CRMF_MSG_centralkeygen_requested() returns 1 if central key generation is requested i.e., the public key in the certificate request (crm is taken if it is non-NULL, otherwise p10cr) is NULL or has an empty key value (with length zero). In case crm is non-NULL, this is checked for consistency with its popo field (must be NULL if and only if central key generation is requested). Otherwise it returns 0, and on error a negative value.

RETURN VALUES

OSSL_CRMF_MSG_get_certReqId() returns the certificate request ID as a nonnegative integer or -1 on error.

OSSL_CRMF_MSG_centralkeygen_requested() returns 1 if central key generation is requested, 0 if it is not requested, and a negative value on error.

All other functions return a pointer with the intended result or NULL on error.

SEE ALSO

RFC 4211

HISTORY

The OpenSSL CRMF support was added in OpenSSL 3.0.

OSSL_CRMF_CERTTEMPLATE_get0_publicKey() was added in OpenSSL 3.2.

OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(), OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(), OSSL_CRMF_ENCRYPTEDKEY_init_envdata(), OSSL_CRMF_ENCRYPTEDVALUE_decrypt() and OSSL_CRMF_MSG_centralkeygen_requested() were added in OpenSSL 3.5.

COPYRIGHT

Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <https://www.openssl.org/source/license.html>.

2025-03-26 3.5.0-beta1