Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL

Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712)

CMP and CRMF API is added to libcrypto, and the "cmp" app to the openssl CLI.
    Adds extensive man pages and tests.  Integration into build scripts.

Incremental pull request based on OpenSSL commit 1362190b of 2018-09-26

3rd chunk: CMP ASN.1 structures (in crypto/cmp/cmp_asn.c) and related files
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8669)

INSTALL

@@ -314,6 +314,9 @@
                    Don't build the CAPI engine. This option will be forced if
                    on a platform that does not support CAPI.
 
+  no-cmp
+                   Don't build support for CMP features
+
   no-cms
                    Don't build support for CMS features
 

crypto/build.info

@@ -5,7 +5,7 @@ SUBDIRS=objects buffer bio stack lhash rand evp asn1 pem x509 conf \
         md2 md4 md5 sha mdc2 gmac hmac ripemd whrlpool poly1305 blake2 \
         siphash sm3 des aes rc2 rc4 rc5 idea aria bf cast camellia \
         seed sm4 chacha modes bn ec rsa dsa dh sm2 dso engine \
-        err comp ocsp cms ts srp cmac ct async kmac ess crmf
+        err comp ocsp cms ts srp cmac ct async kmac ess crmf cmp
 
 LIBS=../libcrypto
 # The Core

crypto/cmp/build.info

+LIBS=../../libcrypto
+SOURCE[../../libcrypto]= cmp_asn.c cmp_err.c

crypto/cmp/cmp_asn.c

+/*
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ *
+ * CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
+ */
+
+#include <openssl/asn1t.h>
+
+#include "cmp_int.h"
+
+/* explicit #includes not strictly needed since implied by the above: */
+#include <openssl/cmp.h>
+#include <openssl/crmf.h>
+
+/* ASN.1 declarations from RFC4210 */
+ASN1_SEQUENCE(OSSL_CMP_REVANNCONTENT) = {
+    /* OSSL_CMP_PKISTATUS is effectively ASN1_INTEGER so it is used directly */
+    ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, status, ASN1_INTEGER),
+    ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, certId, OSSL_CRMF_CERTID),
+    ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, willBeRevokedAt, ASN1_GENERALIZEDTIME),
+    ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, badSinceDate, ASN1_GENERALIZEDTIME),
+    ASN1_OPT(OSSL_CMP_REVANNCONTENT, crlDetails, X509_EXTENSIONS)
+} ASN1_SEQUENCE_END(OSSL_CMP_REVANNCONTENT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_CHALLENGE) = {
+    ASN1_OPT(OSSL_CMP_CHALLENGE, owf, X509_ALGOR),
+    ASN1_SIMPLE(OSSL_CMP_CHALLENGE, witness, ASN1_OCTET_STRING),
+    ASN1_SIMPLE(OSSL_CMP_CHALLENGE, challenge, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(OSSL_CMP_CHALLENGE)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
+
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYCHALLCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
+                          OSSL_CMP_POPODECKEYCHALLCONTENT, OSSL_CMP_CHALLENGE)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYCHALLCONTENT)
+
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYRESPCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
+                          OSSL_CMP_POPODECKEYRESPCONTENT, ASN1_INTEGER)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYRESPCONTENT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_CAKEYUPDANNCONTENT) = {
+    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+    ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, oldWithNew, X509),
+    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+    ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithOld, X509),
+    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+    ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithNew, X509)
+} ASN1_SEQUENCE_END(OSSL_CMP_CAKEYUPDANNCONTENT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_ERRORMSGCONTENT) = {
+    ASN1_SIMPLE(OSSL_CMP_ERRORMSGCONTENT, pKIStatusInfo, OSSL_CMP_PKISI),
+    ASN1_OPT(OSSL_CMP_ERRORMSGCONTENT, errorCode, ASN1_INTEGER),
+    /*
+     * OSSL_CMP_PKIFREETEXT is effectively a sequence of ASN1_UTF8STRING
+     * so it is used directly
+     *
+     */
+    ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ERRORMSGCONTENT, errorDetails, ASN1_UTF8STRING)
+} ASN1_SEQUENCE_END(OSSL_CMP_ERRORMSGCONTENT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
+
+ASN1_ADB_TEMPLATE(infotypeandvalue_default) = ASN1_OPT(OSSL_CMP_ITAV,
+        infoValue.other, ASN1_ANY);
+/* ITAV means InfoTypeAndValue */
+ASN1_ADB(OSSL_CMP_ITAV) = {
+    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+    ADB_ENTRY(NID_id_it_caProtEncCert, ASN1_OPT(OSSL_CMP_ITAV,
+                                                infoValue.caProtEncCert, X509)),
+    ADB_ENTRY(NID_id_it_signKeyPairTypes,
+              ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
+                                   infoValue.signKeyPairTypes, X509_ALGOR)),
+    ADB_ENTRY(NID_id_it_encKeyPairTypes,
+              ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
+                                   infoValue.encKeyPairTypes, X509_ALGOR)),
+    ADB_ENTRY(NID_id_it_preferredSymmAlg,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.preferredSymmAlg,
+                       X509_ALGOR)),
+    ADB_ENTRY(NID_id_it_caKeyUpdateInfo,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.caKeyUpdateInfo,
+                       OSSL_CMP_CAKEYUPDANNCONTENT)),
+    ADB_ENTRY(NID_id_it_currentCRL,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.currentCRL, X509_CRL)),
+    ADB_ENTRY(NID_id_it_unsupportedOIDs,
+              ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
+                                   infoValue.unsupportedOIDs, ASN1_OBJECT)),
+    ADB_ENTRY(NID_id_it_keyPairParamReq,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamReq,
+                       ASN1_OBJECT)),
+    ADB_ENTRY(NID_id_it_keyPairParamRep,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamRep,
+                       X509_ALGOR)),
+    ADB_ENTRY(NID_id_it_revPassphrase,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.revPassphrase,
+                       OSSL_CRMF_ENCRYPTEDVALUE)),
+    ADB_ENTRY(NID_id_it_implicitConfirm,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.implicitConfirm,
+                       ASN1_NULL)),
+    ADB_ENTRY(NID_id_it_confirmWaitTime,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.confirmWaitTime,
+                       ASN1_GENERALIZEDTIME)),
+    ADB_ENTRY(NID_id_it_origPKIMessage,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.origPKIMessage,
+                       OSSL_CMP_MSGS)),
+    ADB_ENTRY(NID_id_it_suppLangTags,
+              ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.suppLangTagsValue,
+                                   ASN1_UTF8STRING)),
+} ASN1_ADB_END(OSSL_CMP_ITAV, 0, infoType, 0,
+               &infotypeandvalue_default_tt, NULL);
+
+
+ASN1_SEQUENCE(OSSL_CMP_ITAV) = {
+    ASN1_SIMPLE(OSSL_CMP_ITAV, infoType, ASN1_OBJECT),
+    ASN1_ADB_OBJECT(OSSL_CMP_ITAV)
+} ASN1_SEQUENCE_END(OSSL_CMP_ITAV)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
+IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
+
+OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value)
+{
+    OSSL_CMP_ITAV *itav;
+
+    if (type == NULL || (itav = OSSL_CMP_ITAV_new()) == NULL)
+        return NULL;
+    OSSL_CMP_ITAV_set0(itav, type, value);
+    return itav;
+}
+
+void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
+                        ASN1_TYPE *value)
+{
+    itav->infoType = type;
+    itav->infoValue.other = value;
+}
+
+ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav)
+{
+    if (itav == NULL)
+        return NULL;
+    return itav->infoType;
+}
+
+ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav)
+{
+    if (itav == NULL)
+        return NULL;
+    return itav->infoValue.other;
+}
+
+int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
+                                   OSSL_CMP_ITAV *itav)
+{
+    int created = 0;
+
+    if (itav_sk_p == NULL)
+        goto err;
+
+    if (*itav_sk_p == NULL) {
+        if ((*itav_sk_p = sk_OSSL_CMP_ITAV_new_null()) == NULL)
+            goto err;
+        created = 1;
+    }
+    if (itav != NULL) {
+        if (!sk_OSSL_CMP_ITAV_push(*itav_sk_p, itav))
+            goto err;
+    }
+    return 1;
+ err:
+    if (created != 0) {
+        sk_OSSL_CMP_ITAV_free(*itav_sk_p);
+        *itav_sk_p = NULL;
+    }
+    return 0;
+}
+
+ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = {
+    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+    ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0),
+    ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.encryptedCert,
+             OSSL_CRMF_ENCRYPTEDVALUE, 1),
+} ASN1_CHOICE_END(OSSL_CMP_CERTORENCCERT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_CERTIFIEDKEYPAIR) = {
+    ASN1_SIMPLE(OSSL_CMP_CERTIFIEDKEYPAIR, certOrEncCert,
+                OSSL_CMP_CERTORENCCERT),
+    ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, privateKey,
+                 OSSL_CRMF_ENCRYPTEDVALUE, 0),
+    ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, publicationInfo,
+                 OSSL_CRMF_PKIPUBLICATIONINFO, 1)
+} ASN1_SEQUENCE_END(OSSL_CMP_CERTIFIEDKEYPAIR)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
+
+
+ASN1_SEQUENCE(OSSL_CMP_REVDETAILS) = {
+    ASN1_SIMPLE(OSSL_CMP_REVDETAILS, certDetails, OSSL_CRMF_CERTTEMPLATE),
+    ASN1_OPT(OSSL_CMP_REVDETAILS, crlEntryDetails, X509_EXTENSIONS)
+} ASN1_SEQUENCE_END(OSSL_CMP_REVDETAILS)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS)
+
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_REVREQCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_REVREQCONTENT,
+                          OSSL_CMP_REVDETAILS)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_REVREQCONTENT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_REVREPCONTENT) = {
+    ASN1_SEQUENCE_OF(OSSL_CMP_REVREPCONTENT, status, OSSL_CMP_PKISI),
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, revCerts, OSSL_CRMF_CERTID,
+                             0),
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, crls, X509_CRL, 1)
+} ASN1_SEQUENCE_END(OSSL_CMP_REVREPCONTENT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_KEYRECREPCONTENT) = {
+    ASN1_SIMPLE(OSSL_CMP_KEYRECREPCONTENT, status, OSSL_CMP_PKISI),
+    ASN1_EXP_OPT(OSSL_CMP_KEYRECREPCONTENT, newSigCert, X509, 0),
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, caCerts, X509, 1),
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, keyPairHist,
+                             OSSL_CMP_CERTIFIEDKEYPAIR, 2)
+} ASN1_SEQUENCE_END(OSSL_CMP_KEYRECREPCONTENT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
+
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_PKISTATUS) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_UNIVERSAL, 0, status, ASN1_INTEGER)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_PKISTATUS)
+
+ASN1_SEQUENCE(OSSL_CMP_PKISI) = {
+    ASN1_SIMPLE(OSSL_CMP_PKISI, status, OSSL_CMP_PKISTATUS),
+    /*
+     * CMP_PKIFREETEXT is effectively a sequence of ASN1_UTF8STRING
+     * so it is used directly
+     */
+    ASN1_SEQUENCE_OF_OPT(OSSL_CMP_PKISI, statusString, ASN1_UTF8STRING),
+    /*
+     * OSSL_CMP_PKIFAILUREINFO is effectively ASN1_BIT_STRING so used directly
+     */
+    ASN1_OPT(OSSL_CMP_PKISI, failInfo, ASN1_BIT_STRING)
+} ASN1_SEQUENCE_END(OSSL_CMP_PKISI)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKISI)
+IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
+
+ASN1_SEQUENCE(OSSL_CMP_CERTSTATUS) = {
+    ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certHash, ASN1_OCTET_STRING),
+    ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certReqId, ASN1_INTEGER),
+    ASN1_OPT(OSSL_CMP_CERTSTATUS, statusInfo, OSSL_CMP_PKISI)
+} ASN1_SEQUENCE_END(OSSL_CMP_CERTSTATUS)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_CERTCONFIRMCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_CERTCONFIRMCONTENT,
+                          OSSL_CMP_CERTSTATUS)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CERTCONFIRMCONTENT)
+
+ASN1_SEQUENCE(OSSL_CMP_CERTRESPONSE) = {
+    ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, certReqId, ASN1_INTEGER),
+    ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, status, OSSL_CMP_PKISI),
+    ASN1_OPT(OSSL_CMP_CERTRESPONSE, certifiedKeyPair,
+             OSSL_CMP_CERTIFIEDKEYPAIR),
+    ASN1_OPT(OSSL_CMP_CERTRESPONSE, rspInfo, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(OSSL_CMP_CERTRESPONSE)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
+
+ASN1_SEQUENCE(OSSL_CMP_POLLREQ) = {
+    ASN1_SIMPLE(OSSL_CMP_POLLREQ, certReqId, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(OSSL_CMP_POLLREQ)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREQCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_POLLREQCONTENT,
+                          OSSL_CMP_POLLREQ)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREQCONTENT)
+
+ASN1_SEQUENCE(OSSL_CMP_POLLREP) = {
+    ASN1_SIMPLE(OSSL_CMP_POLLREP, certReqId, ASN1_INTEGER),
+    ASN1_SIMPLE(OSSL_CMP_POLLREP, checkAfter, ASN1_INTEGER),
+    ASN1_SEQUENCE_OF_OPT(OSSL_CMP_POLLREP, reason, ASN1_UTF8STRING),
+} ASN1_SEQUENCE_END(OSSL_CMP_POLLREP)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREP)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREPCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
+                          OSSL_CMP_POLLREPCONTENT,
+                          OSSL_CMP_POLLREP)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREPCONTENT)
+
+ASN1_SEQUENCE(OSSL_CMP_CERTREPMESSAGE) = {
+    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_CERTREPMESSAGE, caPubs, X509, 1),
+    ASN1_SEQUENCE_OF(OSSL_CMP_CERTREPMESSAGE, response, OSSL_CMP_CERTRESPONSE)
+} ASN1_SEQUENCE_END(OSSL_CMP_CERTREPMESSAGE)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_GENMSGCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENMSGCONTENT,
+                          OSSL_CMP_ITAV)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENMSGCONTENT)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_GENREPCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENREPCONTENT,
+                          OSSL_CMP_ITAV)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENREPCONTENT)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_CRLANNCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
+                          OSSL_CMP_CRLANNCONTENT, X509_CRL)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CRLANNCONTENT)
+
+ASN1_CHOICE(OSSL_CMP_PKIBODY) = {
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.ir, OSSL_CRMF_MSGS, 0),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.ip, OSSL_CMP_CERTREPMESSAGE, 1),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.cr, OSSL_CRMF_MSGS, 2),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.cp, OSSL_CMP_CERTREPMESSAGE, 3),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.p10cr, X509_REQ, 4),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecc, OSSL_CMP_POPODECKEYCHALLCONTENT, 5),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecr, OSSL_CMP_POPODECKEYRESPCONTENT, 6),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.kur, OSSL_CRMF_MSGS, 7),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.kup, OSSL_CMP_CERTREPMESSAGE, 8),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.krr, OSSL_CRMF_MSGS, 9),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.krp, OSSL_CMP_KEYRECREPCONTENT, 10),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.rr, OSSL_CMP_REVREQCONTENT, 11),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.rp, OSSL_CMP_REVREPCONTENT, 12),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.ccr, OSSL_CRMF_MSGS, 13),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.ccp, OSSL_CMP_CERTREPMESSAGE, 14),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.ckuann, OSSL_CMP_CAKEYUPDANNCONTENT, 15),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.cann, X509, 16),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.rann, OSSL_CMP_REVANNCONTENT, 17),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.crlann, OSSL_CMP_CRLANNCONTENT, 18),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.pkiconf, ASN1_ANY, 19),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.nested, OSSL_CMP_MSGS, 20),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.genm, OSSL_CMP_GENMSGCONTENT, 21),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.genp, OSSL_CMP_GENREPCONTENT, 22),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.error, OSSL_CMP_ERRORMSGCONTENT, 23),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.certConf, OSSL_CMP_CERTCONFIRMCONTENT, 24),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.pollReq, OSSL_CMP_POLLREQCONTENT, 25),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.pollRep, OSSL_CMP_POLLREPCONTENT, 26),
+} ASN1_CHOICE_END(OSSL_CMP_PKIBODY)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
+
+ASN1_SEQUENCE(OSSL_CMP_PKIHEADER) = {
+    ASN1_SIMPLE(OSSL_CMP_PKIHEADER, pvno, ASN1_INTEGER),
+    ASN1_SIMPLE(OSSL_CMP_PKIHEADER, sender, GENERAL_NAME),
+    ASN1_SIMPLE(OSSL_CMP_PKIHEADER, recipient, GENERAL_NAME),
+    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, messageTime, ASN1_GENERALIZEDTIME, 0),
+    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, protectionAlg, X509_ALGOR, 1),
+    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderKID, ASN1_OCTET_STRING, 2),
+    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipKID, ASN1_OCTET_STRING, 3),
+    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, transactionID, ASN1_OCTET_STRING, 4),
+    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderNonce, ASN1_OCTET_STRING, 5),
+    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipNonce, ASN1_OCTET_STRING, 6),
+    /*
+     * OSSL_CMP_PKIFREETEXT is effectively a sequence of ASN1_UTF8STRING
+     * so it is used directly
+     */
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, freeText, ASN1_UTF8STRING, 7),
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, generalInfo,
+                             OSSL_CMP_ITAV, 8)
+} ASN1_SEQUENCE_END(OSSL_CMP_PKIHEADER)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
+
+ASN1_SEQUENCE(CMP_PROTECTEDPART) = {
+    ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
+    ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY)
+} ASN1_SEQUENCE_END(CMP_PROTECTEDPART)
+IMPLEMENT_ASN1_FUNCTIONS(CMP_PROTECTEDPART)
+
+ASN1_SEQUENCE(OSSL_CMP_MSG) = {
+    ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
+    ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY),
+    ASN1_EXP_OPT(OSSL_CMP_MSG, protection, ASN1_BIT_STRING, 0),
+    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_MSG, extraCerts, X509, 1)
+} ASN1_SEQUENCE_END(OSSL_CMP_MSG)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_MSG)
+IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_MSGS) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_MSGS,
+                          OSSL_CMP_MSG)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_MSGS)

crypto/cmp/cmp_err.c

+/*
+ * Generated by util/mkerr.pl DO NOT EDIT
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/err.h>
+#include <openssl/cmperr.h>
+
+#ifndef OPENSSL_NO_ERR
+
+static const ERR_STRING_DATA CMP_str_functs[] = {
+    {0, NULL}
+};
+
+static const ERR_STRING_DATA CMP_str_reasons[] = {
+    {0, NULL}
+};
+
+#endif
+
+int ERR_load_CMP_strings(void)
+{
+#ifndef OPENSSL_NO_ERR
+    if (ERR_func_error_string(CMP_str_functs[0].error) == NULL) {
+        ERR_load_strings_const(CMP_str_functs);
+        ERR_load_strings_const(CMP_str_reasons);
+    }
+#endif
+    return 1;
+}

crypto/crmf/crmf_asn.c

 /*-
- * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2018
- * Copyright Siemens AG 2015-2018
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

crypto/crmf/crmf_int.h

 /*-
- * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2018
- * Copyright Siemens AG 2015-2018
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

crypto/crmf/crmf_lib.c

 /*-
- * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Nokia 2007-2018
- * Copyright Siemens AG 2015-2018
+ * Copyright Siemens AG 2015-2019
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

crypto/crmf/crmf_pbm.c

 /*-
- * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2018
- * Copyright Siemens AG 2015-2018
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

crypto/err/err.c

@@ -59,6 +59,7 @@ static ERR_STRING_DATA ERR_str_libraries[] = {
     {ERR_PACK(ERR_LIB_FIPS, 0, 0), "FIPS routines"},
     {ERR_PACK(ERR_LIB_CMS, 0, 0), "CMS routines"},
     {ERR_PACK(ERR_LIB_CRMF, 0, 0), "CRMF routines"},
+    {ERR_PACK(ERR_LIB_CMP, 0, 0), "CMP routines"},
     {ERR_PACK(ERR_LIB_HMAC, 0, 0), "HMAC routines"},
     {ERR_PACK(ERR_LIB_CT, 0, 0), "CT routines"},
     {ERR_PACK(ERR_LIB_ASYNC, 0, 0), "ASYNC routines"},

crypto/err/err_all.c

@@ -35,6 +35,7 @@
 #include <openssl/tserr.h>
 #include <openssl/cmserr.h>
 #include <openssl/crmferr.h>
+#include <openssl/cmperr.h>
 #include <openssl/cterr.h>
 #include <openssl/asyncerr.h>
 #include <openssl/kdferr.h>
@@ -94,6 +95,7 @@ int err_load_crypto_strings_int(void)
 # endif
 # ifndef OPENSSL_NO_CRMF
         ERR_load_CRMF_strings() == 0 ||
+        ERR_load_CMP_strings() == 0 ||
 # endif
 # ifndef OPENSSL_NO_CT
         ERR_load_CT_strings() == 0 ||

crypto/err/openssl.ec

@@ -30,6 +30,7 @@ L COMP          include/openssl/comp.h          crypto/comp/comp_err.c
 L TS            include/openssl/ts.h            crypto/ts/ts_err.c
 L CMS           include/openssl/cms.h           crypto/cms/cms_err.c
 L CRMF          include/openssl/crmf.h          crypto/crmf/crmf_err.c
+L CMP           include/openssl/cmp.h           crypto/cmp/cmp_err.c
 L CT            include/openssl/ct.h            crypto/ct/ct_err.c
 L ASYNC         include/openssl/async.h         crypto/async/async_err.c
 L KDF           include/openssl/kdf.h           crypto/kdf/kdf_err.c

doc/man3/OSSL_CMP_ITAV_set0.pod

+=pod
+
+=head1 NAME
+
+OSSL_CMP_ITAV_create,
+OSSL_CMP_ITAV_set0,
+OSSL_CMP_ITAV_get0_type,
+OSSL_CMP_ITAV_get0_value,
+OSSL_CMP_ITAV_push0_stack_item
+- OSSL_CMP_ITAV utility functions
+
+=head1 SYNOPSIS
+
+  #include <openssl/cmp.h>
+  OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value);
+  void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
+                          ASN1_TYPE *value);
+  ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav);
+  ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav);
+
+  int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
+                                     OSSL_CMP_ITAV *itav);
+
+=head1 DESCRIPTION
+
+ITAV is short for InfoTypeAndValue. This type is defined in RFC 4210
+section 5.3.19 and Appendix F. It is used at various places in CMP messages,
+e.g., in the generalInfo PKIHeader field, to hold a key-value pair.
+
+OSSL_CMP_ITAV_create() creates a new OSSL_CMP_ITAV structure and fills it in.
+It combines B<OSSL_CMP_ITAV_new()> and B<OSSL_CMP_ITAV_set0>.
+
+OSSL_CMP_ITAV_set0() sets the B<itav> with an infoType of B<type> and an
+infoValue of B<value>. This function uses the pointers B<type> and B<value>
+internally, so they must B<not> be freed up after the call.
+
+OSSL_CMP_ITAV_get0_type() returns a direct pointer to the infoType in the
+B<itav>.
+
+OSSL_CMP_ITAV_get0_value() returns a direct pointer to the infoValue in
+the B<itav> as generic ASN1_TYPE*.
+
+OSSL_CMP_ITAV_push0_stack_item() pushes B<itav> to the stack pointed to
+by B<*itav_sk_p>. It creates a new stack if B<*itav_sk_p> points to NULL.
+
+=head1 NOTES
+
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+
+=head1 RETURN VALUES
+
+OSSL_CMP_ITAV_create() returns a pointer to the ITAV structure on success,
+or NULL on error.
+
+OSSL_CMP_ITAV_set0() does not return a value.
+
+OSSL_CMP_ITAV_get0_type() and OSSL_CMP_ITAV_get0_value()
+return the respective pointer or NULL if their input is NULL.
+
+OSSL_CMP_ITAV_push0_stack_item() returns 1 on success, 0 on error.
+
+=head1 EXAMPLE
+
+The following code creates and sets a structure representing a generic
+InfoTypeAndValue sequence, using an OID created from text as type, and an
+integer as value. Afterwards, it is pushed to the OSSL_CMP_CTX to be later
+included in the requests' PKIHeader's genInfo field.
+
+    ASN1_OBJECT *type = OBJ_txt2obj("1.2.3.4.5", 1);
+    if (type == NULL) ...
+
+    ASN1_INTEGER *asn1int = ASN1_INTEGER_new();
+    if (asn1int == NULL || !ASN1_INTEGER_set(asn1int, 12345)) ...
+
+    ASN1_TYPE *val = ASN1_TYPE_new();
+    if (val == NULL) ...
+    ASN1_TYPE_set(val, V_ASN1_INTEGER, asn1int);
+
+    OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_create(type, val);
+    if (itav == NULL) ...
+
+    OSSL_CMP_CTX *ctx = OSSL_CMP_CTX_new();
+    if (ctx == NULL || !OSSL_CMP_CTX_geninfo_push0_ITAV(ctx, itav)) {
+        OSSL_CMP_ITAV_free(itav); /* also frees type and val */
+        goto err;
+    }
+
+    ...
+
+    OSSL_CMP_CTX_free(ctx); /* also frees itav */
+
+=head1 SEE ALSO
+
+L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_CTX_free(3)>, L<ASN1_TYPE_set(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut

doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod

@@ -56,7 +56,7 @@ B<RFC 4211>
 
 =head1 COPYRIGHT
 
-Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod

@@ -96,7 +96,7 @@ RFC 4211
 
 =head1 COPYRIGHT
 
-Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod

@@ -39,7 +39,7 @@ RFC 4211
 
 =head1 COPYRIGHT
 
-Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man3/OSSL_CRMF_MSG_set_validity.pod

@@ -95,7 +95,7 @@ RFC 4211
 
 =head1 COPYRIGHT
 
-Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man3/OSSL_CRMF_pbmp_new.pod

@@ -68,7 +68,7 @@ RFC 4211 section 4.4
 
 =head1 COPYRIGHT
 
-Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man3/X509_dup.pod

@@ -116,20 +116,39 @@ OCSP_SIGNATURE_free,
 OCSP_SIGNATURE_new,
 OCSP_SINGLERESP_free,
 OCSP_SINGLERESP_new,
+OSSL_CMP_ITAV_free,
+OSSL_CMP_MSG_dup,
+OSSL_CMP_MSG_it,
+OSSL_CMP_MSG_free,
+OSSL_CMP_PKIHEADER_free,
+OSSL_CMP_PKIHEADER_it,
+OSSL_CMP_PKIHEADER_new,
+OSSL_CMP_PKISI_free,
+OSSL_CMP_PKISTATUS_it,
 OSSL_CRMF_CERTID_free,
+OSSL_CRMF_CERTID_it,
 OSSL_CRMF_CERTID_new,
 OSSL_CRMF_CERTTEMPLATE_free,
+OSSL_CRMF_CERTTEMPLATE_it,
 OSSL_CRMF_CERTTEMPLATE_new,
 OSSL_CRMF_ENCRYPTEDVALUE_free,
+OSSL_CRMF_ENCRYPTEDVALUE_it,
 OSSL_CRMF_ENCRYPTEDVALUE_new,
+OSSL_CRMF_MSGS_free,
+OSSL_CRMF_MSGS_it,
+OSSL_CRMF_MSGS_new,
 OSSL_CRMF_MSG_free,
+OSSL_CRMF_MSG_it,
 OSSL_CRMF_MSG_new,
 OSSL_CRMF_PBMPARAMETER_free,
+OSSL_CRMF_PBMPARAMETER_it,
 OSSL_CRMF_PBMPARAMETER_new,
 OSSL_CRMF_PKIPUBLICATIONINFO_free,
+OSSL_CRMF_PKIPUBLICATIONINFO_it,
 OSSL_CRMF_PKIPUBLICATIONINFO_new,
-OSSL_CRMF_MSGS_free,
-OSSL_CRMF_MSGS_new,
+OSSL_CRMF_SINGLEPUBINFO_free,
+OSSL_CRMF_SINGLEPUBINFO_it,
+OSSL_CRMF_SINGLEPUBINFO_new,
 OTHERNAME_free,
 OTHERNAME_new,
 PBE2PARAM_free,

doc/man3/d2i_X509.pod

@@ -93,6 +93,16 @@ d2i_OCSP_REVOKEDINFO,
 d2i_OCSP_SERVICELOC,
 d2i_OCSP_SIGNATURE,
 d2i_OCSP_SINGLERESP,
+d2i_OSSL_CMP_MSG,
+d2i_OSSL_CMP_PKIHEADER,
+d2i_OSSL_CRMF_CERTID,
+d2i_OSSL_CRMF_CERTTEMPLATE,
+d2i_OSSL_CRMF_ENCRYPTEDVALUE,
+d2i_OSSL_CRMF_MSG,
+d2i_OSSL_CRMF_MSGS,
+d2i_OSSL_CRMF_PBMPARAMETER,
+d2i_OSSL_CRMF_PKIPUBLICATIONINFO,
+d2i_OSSL_CRMF_SINGLEPUBINFO,
 d2i_OTHERNAME,
 d2i_PBE2PARAM,
 d2i_PBEPARAM,
@@ -269,6 +279,16 @@ i2d_OCSP_REVOKEDINFO,
 i2d_OCSP_SERVICELOC,
 i2d_OCSP_SIGNATURE,
 i2d_OCSP_SINGLERESP,
+i2d_OSSL_CMP_MSG,
+i2d_OSSL_CMP_PKIHEADER,
+i2d_OSSL_CRMF_CERTID,
+i2d_OSSL_CRMF_CERTTEMPLATE,
+i2d_OSSL_CRMF_ENCRYPTEDVALUE,
+i2d_OSSL_CRMF_MSG,
+i2d_OSSL_CRMF_MSGS,
+i2d_OSSL_CRMF_PBMPARAMETER,
+i2d_OSSL_CRMF_PKIPUBLICATIONINFO,
+i2d_OSSL_CRMF_SINGLEPUBINFO,
 i2d_OTHERNAME,
 i2d_PBE2PARAM,
 i2d_PBEPARAM,

include/openssl/cmp.h

+/*-
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ *
+ * CMP (RFC 4210) implementation by M. Peylo, M. Viljanen, and D. von Oheimb.
+ */
+
+#ifndef OSSL_HEADER_CMP_H
+# define OSSL_HEADER_CMP_H
+
+# include <openssl/opensslconf.h>
+# ifndef OPENSSL_NO_CMP
+
+#  include <openssl/crmf.h>
+#  include <openssl/cmperr.h>
+
+/* explicit #includes not strictly needed since implied by the above: */
+#  include <openssl/ossl_typ.h>
+#  include <openssl/safestack.h>
+#  include <openssl/x509.h>
+#  include <openssl/x509v3.h>
+
+#  ifdef  __cplusplus
+extern "C" {
+#  endif
+
+#  define OSSL_CMP_PVNO 2
+
+/*-
+ *   PKIFailureInfo ::= BIT STRING {
+ *   -- since we can fail in more than one way!
+ *   -- More codes may be added in the future if/when required.
+ *       badAlg              (0),
+ *       -- unrecognized or unsupported Algorithm Identifier
+ *       badMessageCheck     (1),
+ *       -- integrity check failed (e.g., signature did not verify)
+ *       badRequest          (2),
+ *       -- transaction not permitted or supported
+ *       badTime             (3),
+ *       -- messageTime was not sufficiently close to the system time,
+ *       -- as defined by local policy
+ *       badCertId           (4),
+ *       -- no certificate could be found matching the provided criteria
+ *       badDataFormat       (5),
+ *       -- the data submitted has the wrong format
+ *       wrongAuthority      (6),
+ *       -- the authority indicated in the request is different from the
+ *       -- one creating the response token
+ *       incorrectData       (7),
+ *       -- the requester's data is incorrect (for notary services)
+ *       missingTimeStamp    (8),
+ *       -- when the timestamp is missing but should be there
+ *       -- (by policy)
+ *       badPOP              (9),
+ *       -- the proof-of-possession failed
+ *       certRevoked         (10),
+ *          -- the certificate has already been revoked
+ *       certConfirmed       (11),
+ *          -- the certificate has already been confirmed
+ *       wrongIntegrity      (12),
+ *          -- invalid integrity, password based instead of signature or
+ *          -- vice versa
+ *       badRecipientNonce   (13),
+ *          -- invalid recipient nonce, either missing or wrong value
+ *       timeNotAvailable    (14),
+ *          -- the TSA's time source is not available
+ *       unacceptedPolicy    (15),
+ *          -- the requested TSA policy is not supported by the TSA.
+ *       unacceptedExtension (16),
+ *          -- the requested extension is not supported by the TSA.
+ *       addInfoNotAvailable (17),
+ *          -- the additional information requested could not be
+ *          -- understood or is not available
+ *       badSenderNonce      (18),
+ *          -- invalid sender nonce, either missing or wrong size
+ *       badCertTemplate     (19),
+ *          -- invalid cert. template or missing mandatory information
+ *       signerNotTrusted    (20),
+ *          -- signer of the message unknown or not trusted
+ *       transactionIdInUse  (21),
+ *          -- the transaction identifier is already in use
+ *       unsupportedVersion  (22),
+ *          -- the version of the message is not supported
+ *       notAuthorized       (23),
+ *          -- the sender was not authorized to make the preceding
+ *          -- request or perform the preceding action
+ *       systemUnavail       (24),
+ *       -- the request cannot be handled due to system unavailability
+ *       systemFailure       (25),
+ *       -- the request cannot be handled due to system failure
+ *       duplicateCertReq    (26)
+ *       -- certificate cannot be issued because a duplicate
+ *       -- certificate already exists
+ *   }
+ */
+#  define OSSL_CMP_PKIFAILUREINFO_badAlg 0
+#  define OSSL_CMP_PKIFAILUREINFO_badMessageCheck 1
+#  define OSSL_CMP_PKIFAILUREINFO_badRequest 2
+#  define OSSL_CMP_PKIFAILUREINFO_badTime 3
+#  define OSSL_CMP_PKIFAILUREINFO_badCertId 4
+#  define OSSL_CMP_PKIFAILUREINFO_badDataFormat 5
+#  define OSSL_CMP_PKIFAILUREINFO_wrongAuthority 6
+#  define OSSL_CMP_PKIFAILUREINFO_incorrectData 7
+#  define OSSL_CMP_PKIFAILUREINFO_missingTimeStamp 8
+#  define OSSL_CMP_PKIFAILUREINFO_badPOP 9
+#  define OSSL_CMP_PKIFAILUREINFO_certRevoked 10
+#  define OSSL_CMP_PKIFAILUREINFO_certConfirmed 11
+#  define OSSL_CMP_PKIFAILUREINFO_wrongIntegrity 12
+#  define OSSL_CMP_PKIFAILUREINFO_badRecipientNonce 13
+#  define OSSL_CMP_PKIFAILUREINFO_timeNotAvailable 14
+#  define OSSL_CMP_PKIFAILUREINFO_unacceptedPolicy 15
+#  define OSSL_CMP_PKIFAILUREINFO_unacceptedExtension 16
+#  define OSSL_CMP_PKIFAILUREINFO_addInfoNotAvailable 17
+#  define OSSL_CMP_PKIFAILUREINFO_badSenderNonce 18
+#  define OSSL_CMP_PKIFAILUREINFO_badCertTemplate 19
+#  define OSSL_CMP_PKIFAILUREINFO_signerNotTrusted 20
+#  define OSSL_CMP_PKIFAILUREINFO_transactionIdInUse 21
+#  define OSSL_CMP_PKIFAILUREINFO_unsupportedVersion 22
+#  define OSSL_CMP_PKIFAILUREINFO_notAuthorized 23
+#  define OSSL_CMP_PKIFAILUREINFO_systemUnavail 24
+#  define OSSL_CMP_PKIFAILUREINFO_systemFailure 25
+#  define OSSL_CMP_PKIFAILUREINFO_duplicateCertReq 26
+#  define OSSL_CMP_PKIFAILUREINFO_MAX 26
+#  define OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN \
+    ( (1<<(OSSL_CMP_PKIFAILUREINFO_MAX+1)) - 1)
+#  if OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN > INT_MAX
+#   error  CMP_PKIFAILUREINFO_MAX bit pattern does not fit in type int
+#  endif
+
+typedef ASN1_BIT_STRING OSSL_CMP_PKIFAILUREINFO;
+
+#  define OSSL_CMP_CTX_FAILINFO_badAlg (1 << 0)
+#  define OSSL_CMP_CTX_FAILINFO_badMessageCheck (1 << 1)
+#  define OSSL_CMP_CTX_FAILINFO_badRequest (1 << 2)
+#  define OSSL_CMP_CTX_FAILINFO_badTime (1 << 3)
+#  define OSSL_CMP_CTX_FAILINFO_badCertId (1 << 4)
+#  define OSSL_CMP_CTX_FAILINFO_badDataFormat (1 << 5)
+#  define OSSL_CMP_CTX_FAILINFO_wrongAuthority (1 << 6)
+#  define OSSL_CMP_CTX_FAILINFO_incorrectData (1 << 7)
+#  define OSSL_CMP_CTX_FAILINFO_missingTimeStamp (1 << 8)
+#  define OSSL_CMP_CTX_FAILINFO_badPOP (1 << 9)
+#  define OSSL_CMP_CTX_FAILINFO_certRevoked (1 << 10)
+#  define OSSL_CMP_CTX_FAILINFO_certConfirmed (1 << 11)
+#  define OSSL_CMP_CTX_FAILINFO_wrongIntegrity (1 << 12)
+#  define OSSL_CMP_CTX_FAILINFO_badRecipientNonce (1 << 13)
+#  define OSSL_CMP_CTX_FAILINFO_timeNotAvailable (1 << 14)
+#  define OSSL_CMP_CTX_FAILINFO_unacceptedPolicy (1 << 15)
+#  define OSSL_CMP_CTX_FAILINFO_unacceptedExtension (1 << 16)
+#  define OSSL_CMP_CTX_FAILINFO_addInfoNotAvailable (1 << 17)
+#  define OSSL_CMP_CTX_FAILINFO_badSenderNonce (1 << 18)
+#  define OSSL_CMP_CTX_FAILINFO_badCertTemplate (1 << 19)
+#  define OSSL_CMP_CTX_FAILINFO_signerNotTrusted (1 << 20)
+#  define OSSL_CMP_CTX_FAILINFO_transactionIdInUse (1 << 21)
+#  define OSSL_CMP_CTX_FAILINFO_unsupportedVersion (1 << 22)
+#  define OSSL_CMP_CTX_FAILINFO_notAuthorized (1 << 23)
+#  define OSSL_CMP_CTX_FAILINFO_systemUnavail (1 << 24)
+#  define OSSL_CMP_CTX_FAILINFO_systemFailure (1 << 25)
+#  define OSSL_CMP_CTX_FAILINFO_duplicateCertReq (1 << 26)
+
+/*-
+ *   PKIStatus ::= INTEGER {
+ *       accepted                (0),
+ *       -- you got exactly what you asked for
+ *       grantedWithMods        (1),
+ *       -- you got something like what you asked for; the
+ *       -- requester is responsible for ascertaining the differences
+ *       rejection              (2),
+ *       -- you don't get it, more information elsewhere in the message
+ *       waiting                (3),
+ *       -- the request body part has not yet been processed; expect to
+ *       -- hear more later (note: proper handling of this status
+ *       -- response MAY use the polling req/rep PKIMessages specified
+ *       -- in Section 5.3.22; alternatively, polling in the underlying
+ *       -- transport layer MAY have some utility in this regard)
+ *       revocationWarning      (4),
+ *       -- this message contains a warning that a revocation is
+ *       -- imminent
+ *       revocationNotification (5),
+ *       -- notification that a revocation has occurred
+ *       keyUpdateWarning       (6)
+ *       -- update already done for the oldCertId specified in
+ *       -- CertReqMsg
+ *   }
+ */
+#  define OSSL_CMP_PKISTATUS_accepted 0
+#  define OSSL_CMP_PKISTATUS_grantedWithMods 1
+#  define OSSL_CMP_PKISTATUS_rejection 2
+#  define OSSL_CMP_PKISTATUS_waiting 3
+#  define OSSL_CMP_PKISTATUS_revocationWarning 4
+#  define OSSL_CMP_PKISTATUS_revocationNotification 5
+#  define OSSL_CMP_PKISTATUS_keyUpdateWarning 6
+
+typedef ASN1_INTEGER OSSL_CMP_PKISTATUS;
+DECLARE_ASN1_ITEM(OSSL_CMP_PKISTATUS)
+
+#  define OSSL_CMP_CERTORENCCERT_CERTIFICATE 0
+#  define OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT 1
+
+/* data type declarations */
+typedef struct OSSL_cmp_ctx_st OSSL_CMP_CTX;
+typedef struct OSSL_cmp_pkiheader_st OSSL_CMP_PKIHEADER;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
+typedef struct OSSL_cmp_msg_st OSSL_CMP_MSG;
+DECLARE_ASN1_ENCODE_FUNCTIONS(OSSL_CMP_MSG, OSSL_CMP_MSG, OSSL_CMP_MSG)
+typedef struct OSSL_cmp_certstatus_st OSSL_CMP_CERTSTATUS;
+DEFINE_STACK_OF(OSSL_CMP_CERTSTATUS)
+typedef struct OSSL_cmp_itav_st OSSL_CMP_ITAV;
+DEFINE_STACK_OF(OSSL_CMP_ITAV)
+typedef struct OSSL_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT;
+typedef struct OSSL_cmp_pkisi_st OSSL_CMP_PKISI;
+DEFINE_STACK_OF(OSSL_CMP_PKISI)
+typedef struct OSSL_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE;
+DEFINE_STACK_OF(OSSL_CMP_CERTREPMESSAGE)
+typedef struct OSSL_cmp_pollrep_st OSSL_CMP_POLLREP;
+typedef STACK_OF(OSSL_CMP_POLLREP) OSSL_CMP_POLLREPCONTENT;
+typedef struct OSSL_cmp_certresponse_st OSSL_CMP_CERTRESPONSE;
+DEFINE_STACK_OF(OSSL_CMP_CERTRESPONSE)
+typedef STACK_OF(ASN1_UTF8STRING) OSSL_CMP_PKIFREETEXT;
+
+/* from cmp_asn.c */
+OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value);
+void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
+                        ASN1_TYPE *value);
+ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav);
+ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav);
+int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
+                                   OSSL_CMP_ITAV *itav);
+void OSSL_CMP_ITAV_free(OSSL_CMP_ITAV *itav);
+void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg);
+void OSSL_CMP_PKISI_free(OSSL_CMP_PKISI *si);
+DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
+
+#   ifdef  __cplusplus
+}
+#   endif
+# endif /* !defined OPENSSL_NO_CMP */
+#endif /* !defined OSSL_HEADER_CMP_H */

include/openssl/cmperr.h

+/*
+ * Generated by util/mkerr.pl DO NOT EDIT
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_CMPERR_H
+# define HEADER_CMPERR_H
+
+# include <openssl/opensslconf.h>
+
+# ifndef OPENSSL_NO_CMP
+
+#  ifdef  __cplusplus
+extern "C"
+#  endif
+int ERR_load_CMP_strings(void);
+
+/*
+ * CMP function codes.
+ */
+
+/*
+ * CMP reason codes.
+ */
+
+# endif
+#endif

include/openssl/crmf.h

 /*-
- * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2018
- * Copyright Siemens AG 2015-2018
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

include/openssl/err.h

@@ -99,6 +99,7 @@ typedef struct err_state_st {
 # define ERR_LIB_PROP            55
 # define ERR_LIB_CRMF            56
 # define ERR_LIB_PROV            57
+# define ERR_LIB_CMP             58
 
 # define ERR_LIB_USER            128
 
@@ -133,6 +134,7 @@ typedef struct err_state_st {
 # define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
 # define CMSerr(f,r) ERR_PUT_error(ERR_LIB_CMS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
 # define CRMFerr(f,r) ERR_PUT_error(ERR_LIB_CRMF,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
+# define CMPerr(f,r) ERR_PUT_error(ERR_LIB_CMP,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
 # define TSerr(f,r) ERR_PUT_error(ERR_LIB_TS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
 # define HMACerr(f,r) ERR_PUT_error(ERR_LIB_HMAC,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
 # define CTerr(f,r) ERR_PUT_error(ERR_LIB_CT,(f),(r),OPENSSL_FILE,OPENSSL_LINE)