1e1051a39Sopenharmony_ci=pod
2e1051a39Sopenharmony_ci
3e1051a39Sopenharmony_ci=head1 NAME
4e1051a39Sopenharmony_ci
5e1051a39Sopenharmony_ciOSSL_ESS_signing_cert_new_init,
6e1051a39Sopenharmony_ciOSSL_ESS_signing_cert_v2_new_init,
7e1051a39Sopenharmony_ciOSSL_ESS_check_signing_certs
8e1051a39Sopenharmony_ci- Enhanced Security Services (ESS) functions
9e1051a39Sopenharmony_ci
10e1051a39Sopenharmony_ci=head1 SYNOPSIS
11e1051a39Sopenharmony_ci
12e1051a39Sopenharmony_ci #include <openssl/ess.h>
13e1051a39Sopenharmony_ci
14e1051a39Sopenharmony_ci ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
15e1051a39Sopenharmony_ci                                                  const STACK_OF(X509) *certs,
16e1051a39Sopenharmony_ci                                                  int set_issuer_serial);
17e1051a39Sopenharmony_ci ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
18e1051a39Sopenharmony_ci                                                        const X509 *signcert,
19e1051a39Sopenharmony_ci                                                        const
20e1051a39Sopenharmony_ci                                                        STACK_OF(X509) *certs,
21e1051a39Sopenharmony_ci                                                        int set_issuer_serial);
22e1051a39Sopenharmony_ci int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
23e1051a39Sopenharmony_ci                                  const ESS_SIGNING_CERT_V2 *ssv2,
24e1051a39Sopenharmony_ci                                  const STACK_OF(X509) *chain,
25e1051a39Sopenharmony_ci                                  int require_signing_cert);
26e1051a39Sopenharmony_ci
27e1051a39Sopenharmony_ci=head1 DESCRIPTION
28e1051a39Sopenharmony_ci
29e1051a39Sopenharmony_ciOSSL_ESS_signing_cert_new_init() generates a new B<ESS_SIGNING_CERT> structure
30e1051a39Sopenharmony_cireferencing the given I<signcert> and any given further I<certs>
31e1051a39Sopenharmony_ciusing their SHA-1 fingerprints.
32e1051a39Sopenharmony_ciIf I<set_issuer_serial> is nonzero then the issuer and serial number
33e1051a39Sopenharmony_ciof I<signcert> are also included in its B<ESS_CERT_ID> as the B<issuerSerial> field.
34e1051a39Sopenharmony_ciFor all members of I<certs> the B<issuerSerial> field is always included.
35e1051a39Sopenharmony_ci
36e1051a39Sopenharmony_ciOSSL_ESS_signing_cert_v2_new_init() is the same as
37e1051a39Sopenharmony_ciOSSL_ESS_signing_cert_new_init() except that it uses the given I<hash_alg> and
38e1051a39Sopenharmony_cigenerates a B<ESS_SIGNING_CERT_V2> structure with B<ESS_CERT_ID_V2> elements.
39e1051a39Sopenharmony_ci
40e1051a39Sopenharmony_ciOSSL_ESS_check_signing_certs() checks if the validation chain I<chain> contains
41e1051a39Sopenharmony_cithe certificates required by the identifiers given in I<ss> and/or I<ssv2>.
42e1051a39Sopenharmony_ciIf I<require_signing_cert> is nonzero, at least one of I<ss> and I<ssv2> must not be NULL.
43e1051a39Sopenharmony_ciIf both I<ss> and I<ssv2> are not NULL, they are evaluated independently of each other.
44e1051a39Sopenharmony_ciThe list of certificate identifiers in I<ss> is of type B<ESS_CERT_ID>,
45e1051a39Sopenharmony_ciwhile the list contained in I<ssv2> is of type B<ESS_CERT_ID_V2>.
46e1051a39Sopenharmony_ciWhichever of these lists is present must be nonempty.
47e1051a39Sopenharmony_ciThe certificate identified by the first entry of such a list must be the first element of
48e1051a39Sopenharmony_ciI<chain>, i.e., the signer certificate.
49e1051a39Sopenharmony_ciAny further certificates referenced in the list must also be found in I<chain>.
50e1051a39Sopenharmony_ciThe matching is done using the given certificate hash algorithm and value.
51e1051a39Sopenharmony_ciIn addition to the checks required by RFCs 2634 and 5035,
52e1051a39Sopenharmony_ciif the B<issuerSerial> field is included in an B<ESSCertID> or B<ESSCertIDv2>
53e1051a39Sopenharmony_cithen it must match the issuer and serial number of the corresponding certificate.
54e1051a39Sopenharmony_ci
55e1051a39Sopenharmony_ci=head1 NOTES
56e1051a39Sopenharmony_ci
57e1051a39Sopenharmony_ciESS has been defined in RFC 2634, which has been updated in RFC 5035
58e1051a39Sopenharmony_ci(ESS version 2) to support hash algorithms other than SHA-1.
59e1051a39Sopenharmony_ciThis is used for TSP (RFC 3161) and CAdES-BES (informational RFC 5126).
60e1051a39Sopenharmony_ci
61e1051a39Sopenharmony_ci=head1 RETURN VALUES
62e1051a39Sopenharmony_ci
63e1051a39Sopenharmony_ciOSSL_ESS_signing_cert_new_init() and OSSL_ESS_signing_cert_v2_new_init()
64e1051a39Sopenharmony_cireturn a pointer to the new structure or NULL on malloc failure.
65e1051a39Sopenharmony_ci
66e1051a39Sopenharmony_ciOSSL_ESS_check_signing_certs() returns 1 on success,
67e1051a39Sopenharmony_ci0 if a required certificate cannot be found, -1 on other error.
68e1051a39Sopenharmony_ci
69e1051a39Sopenharmony_ci=head1 SEE ALSO
70e1051a39Sopenharmony_ci
71e1051a39Sopenharmony_ciL<TS_VERIFY_CTX_set_certs(3)>,
72e1051a39Sopenharmony_ciL<CMS_verify(3)>
73e1051a39Sopenharmony_ci
74e1051a39Sopenharmony_ci=head1 HISTORY
75e1051a39Sopenharmony_ci
76e1051a39Sopenharmony_ciOSSL_ESS_signing_cert_new_init(), OSSL_ESS_signing_cert_v2_new_init(), and
77e1051a39Sopenharmony_ciOSSL_ESS_check_signing_certs() were added in OpenSSL 3.0.
78e1051a39Sopenharmony_ci
79e1051a39Sopenharmony_ci=head1 COPYRIGHT
80e1051a39Sopenharmony_ci
81e1051a39Sopenharmony_ciCopyright 2021 The OpenSSL Project Authors. All Rights Reserved.
82e1051a39Sopenharmony_ci
83e1051a39Sopenharmony_ciLicensed under the Apache License 2.0 (the "License").  You may not use
84e1051a39Sopenharmony_cithis file except in compliance with the License.  You can obtain a copy
85e1051a39Sopenharmony_ciin the file LICENSE in the source distribution or at
86e1051a39Sopenharmony_ciL<https://www.openssl.org/source/license.html>.
87e1051a39Sopenharmony_ci
88e1051a39Sopenharmony_ci=cut