Move part of OSSL_CMP_validate_msg() to ossl_cmp_msg_check_update()

[oweals/openssl.git] / doc / internal / man3 / ossl_cmp_msg_check_update.pod

=pod

=head1 NAME

ossl_cmp_allow_unprotected_cb_t,
ossl_cmp_msg_check_update
- generic checks on a received CMP message, updating the context

=head1 SYNOPSIS

 #include "cmp_local.h"

 typedef int (*ossl_cmp_allow_unprotected_cb_t)(const OSSL_CMP_CTX *ctx,
                                                const OSSL_CMP_MSG *msg,
                                                int invalid_protection, int arg);

 int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
                               ossl_cmp_allow_unprotected_cb_t cb, int cb_arg);

=head1 DESCRIPTION

ossl_cmp_msg_check_update() does all generic checks on the given message B<msg>,
which may be a server response or a request by some client,
and updates the B<ctx> accordingly.

The B<msg> is checked for the following:

=over 4

=item its sender is of appropriate type (currently only B<X509_NAME>)
      and matches any expected sender or srvCert subject given in B<ctx>,

=item its protection is present and valid (or a callback function B<cb>
is present and indicates that a missing or invalid protection is acceptable),

=item its CMP protocol version is acceptable, namely B<OSSL_CMP_PVNO>,

=item its body type is valid,

=item its transaction ID matches any transaction ID given in B<ctx>, and

=item its recipNonce matches any senderNonce given in B<ctx>.

=back

In case no protection is present and B<cb> is not NULL then this callback
function is called with its B<invalid_protection> parameter being 0, while in
case an invalid protection is present the B<invalid_protection> parameter is 1.
The callback is passed also the arguments B<ctx>, B<msg>, and <cb_arg>
(which typically contains the expected message type).
The callback should return 1 on acceptance, 0 on rejection, or -1 on error.
It should not put an error on the error stack since this could be misleading.

ossl_cmp_msg_check_update() adds all extraCerts contained in the <msg> to
the list of untrusted certificates in B<ctx> such that they are already usable
for OSSL_CMP_validate_msg(), which is called internally, and for future use.
Thus they are available also to the certificate confirmation callback, and the
peer does not need to send them again (at least not in the same transaction).
Note that it does not help validating the message before storing the extraCerts
because they are not part of the protected portion of the message anyway.
For efficiency, the extraCerts are prepended to the list so they get used first.

If all checks pass then ossl_cmp_msg_check_update()
records in B<ctx> the senderNonce of the received message as the new recipNonce
and learns the transaction ID if none is currently present in B<ctx>.

Moreover, according to RFC 4210 section 5.3.2, if the message protection is
PBM-based then any certificates in the caPubs field are added to the list of
trusted certificates (if set via L<OSSL_CMP_CTX_set0_trustedStore(3)>).
This way these certs are available for validating subsequent messages in the
same context and could apply to any Polling Response (pollRep), error, or PKI
Confirmation (PKIConf) messages following in the same or future transactions.

=head1 RETURN VALUES

ossl_cmp_msg_check_update() returns 1 on success, -1 on error.

=head1 SEE ALSO

L<OSSL_CMP_validate_msg(3)>

=head1 HISTORY

The OpenSSL CMP support was added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut