[openssl] master update

tomas at openssl.org tomas at openssl.org
Wed Jun 30 08:39:06 UTC 2021


The branch master has been updated
       via  1986f6152fe3766c99f1f18d90028ba940d6923b (commit)
       via  66be663b64e05fb5524edd051b85fb919f59e054 (commit)
       via  7df56adac7cf58b4ad3e8e34077ccd988263f408 (commit)
      from  b9bc8eb0546b22d7b23b25dc62eb5a459f745b98 (commit)


- Log -----------------------------------------------------------------
commit 1986f6152fe3766c99f1f18d90028ba940d6923b
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Tue Jun 29 11:11:05 2021 +0200

    OSSL_CRMF_{CERTTEMPLATE,CERTID}_get0_serialNumber(): Make result const for consistency
    
    Also make doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod consistent with crmf.h.in regarding const results
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15790)

commit 66be663b64e05fb5524edd051b85fb919f59e054
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Tue Jun 22 15:40:49 2021 +0200

    cmp_mock_srv.c: Add missing OldCertID check for 'kur' cert update requests
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15790)

commit 7df56adac7cf58b4ad3e8e34077ccd988263f408
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed Jun 16 10:26:26 2021 +0200

    CMP: Add missing getter functions to CRMF API and CMP API
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15790)

-----------------------------------------------------------------------

Summary of changes:
 apps/lib/cmp_mock_srv.c                            | 23 +++++++++++++
 crypto/cmp/cmp_client.c                            | 11 +++---
 crypto/cmp/cmp_err.c                               |  2 ++
 crypto/cmp/cmp_local.h                             |  1 -
 crypto/cmp/cmp_msg.c                               |  4 +--
 crypto/cmp/cmp_server.c                            | 12 +++----
 crypto/cmp/cmp_vfy.c                               |  8 ++---
 crypto/crmf/crmf_lib.c                             | 40 ++++++++++++++++++----
 crypto/err/openssl.txt                             |  2 ++
 doc/man3/OSSL_CMP_MSG_get0_header.pod              |  6 ++++
 doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod               | 19 ++++++++--
 doc/man3/OSSL_CRMF_MSG_set0_validity.pod           |  1 +
 doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod   | 29 +++++++++++++---
 doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod    | 21 ++++++++++--
 include/openssl/cmp.h.in                           |  1 +
 include/openssl/cmperr.h                           |  2 ++
 include/openssl/crmf.h.in                          | 23 +++++++++++--
 test/cmp_server_test.c                             |  2 +-
 .../80-test_cmp_http_data/test_enrollment.csv      |  3 +-
 util/libcrypto.num                                 | 10 ++++++
 20 files changed, 182 insertions(+), 38 deletions(-)

diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c
index cf82000c7f..1fb5adca1a 100644
--- a/apps/lib/cmp_mock_srv.c
+++ b/apps/lib/cmp_mock_srv.c
@@ -212,6 +212,29 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
         /* give final response after polling */
         ctx->curr_pollCount = 0;
 
+    if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_KUR
+            && crm != NULL && ctx->certOut != NULL) {
+        const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm);
+        const X509_NAME *issuer = X509_get_issuer_name(ctx->certOut);
+        const ASN1_INTEGER *serial = X509_get0_serialNumber(ctx->certOut);
+
+        if (cid == NULL) {
+            ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
+            return NULL;
+        }
+        if (issuer != NULL
+            && X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) {
+            ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
+            return NULL;
+        }
+        if (serial != NULL
+            && ASN1_INTEGER_cmp(serial,
+                                OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) {
+            ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
+            return NULL;
+        }
+    }
+
     if (ctx->certOut != NULL
             && (*certOut = X509_dup(ctx->certOut)) == NULL)
         goto err;
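Review bot: The new OldCertID check fails open: it is skipped entirely when `crm` or `ctx->certOut` is NULL, and the issuer and serial comparisons are each skipped when the reference value is NULL, so a KUR can be accepted without any CertID having been matched. For a mock server that compares against its preconfigured `certOut` this may be intended, but it should be stated, e.g. `/* mock only: oldCertID is compared with the configured certOut; no check if certOut is unset */`, so the pattern is not copied into a real CA, where a missing reference must reject the request. The block also tests against `OSSL_CMP_KUR` while the library call sites in this series use the `OSSL_CMP_PKIBODY_*` constants; `OSSL_CMP_PKIBODY_KUR` would read more consistently. process_cert_request() starts and ends outside the hunk, so whether the early `return NULL` skips cleanup that the later `goto err` performs cannot be confirmed from here.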
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index c7a846f03e..c7674ce088 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -34,7 +34,7 @@ static int unprotected_exception(const OSSL_CMP_CTX *ctx,
                                  int invalid_protection,
                                  int expected_type /* ignored here */)
 {
-    int rcvd_type = ossl_cmp_msg_get_bodytype(rep /* may be NULL */);
+    int rcvd_type = OSSL_CMP_MSG_get_bodytype(rep /* may be NULL */);
     const char *msg_type = NULL;
 
     if (!ossl_assert(ctx != NULL && rep != NULL))
@@ -132,7 +132,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
         || expected_type == OSSL_CMP_PKIBODY_POLLREP
         || expected_type == OSSL_CMP_PKIBODY_PKICONF;
     const char *req_type_str =
-        ossl_cmp_bodytype_to_string(ossl_cmp_msg_get_bodytype(req));
+        ossl_cmp_bodytype_to_string(OSSL_CMP_MSG_get_bodytype(req));
     const char *expected_type_str = ossl_cmp_bodytype_to_string(expected_type);
     int msg_timeout;
     int bt;
@@ -177,7 +177,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
         return 0;
     }
 
-    bt = ossl_cmp_msg_get_bodytype(*rep);
+    bt = OSSL_CMP_MSG_get_bodytype(*rep);
     /*
      * The body type in the 'bt' variable is not yet verified.
      * Still we use this preliminary value already for a progress report because
@@ -268,7 +268,7 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
             goto err;
 
         /* handle potential pollRep */
-        if (ossl_cmp_msg_get_bodytype(prep) == OSSL_CMP_PKIBODY_POLLREP) {
+        if (OSSL_CMP_MSG_get_bodytype(prep) == OSSL_CMP_PKIBODY_POLLREP) {
             OSSL_CMP_POLLREPCONTENT *prc = prep->body->value.pollRep;
             OSSL_CMP_POLLREP *pollRep = NULL;
             int64_t check_after;
@@ -810,7 +810,7 @@ int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
         OSSL_CRMF_CERTTEMPLATE *tmpl =
             sk_OSSL_CMP_REVDETAILS_value(rr->body->value.rr, rsid)->certDetails;
         const X509_NAME *issuer = OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl);
-        ASN1_INTEGER *serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl);
+        const ASN1_INTEGER *serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl);
 
         if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) != num_RevDetails) {
             ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT);
@@ -818,6 +818,7 @@ int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
             goto err;
         }
         if ((cid = ossl_cmp_revrepcontent_get_CertId(rrep, rsid)) == NULL) {
+            ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
             ret = 0;
             goto err;
         }
diff --git a/crypto/cmp/cmp_err.c b/crypto/cmp/cmp_err.c
index e36696bef8..67d9964dbe 100644
--- a/crypto/cmp/cmp_err.c
+++ b/crypto/cmp/cmp_err.c
@@ -86,6 +86,7 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
     "fail info out of range"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_INVALID_ARGS), "invalid args"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_INVALID_OPTION), "invalid option"},
+    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_CERTID), "missing certid"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION),
     "missing key input for creating protection"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE),
@@ -150,6 +151,7 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_VALUE_TOO_SMALL), "value too small"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_WRONG_ALGORITHM_OID),
     "wrong algorithm oid"},
+    {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_WRONG_CERTID), "wrong certid"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_WRONG_CERTID_IN_RP), "wrong certid in rp"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_WRONG_PBM_VALUE), "wrong pbm value"},
     {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_WRONG_RP_COMPONENT_COUNT),
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index 1cca238916..f2a0587ca4 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -859,7 +859,6 @@ int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx,
                              const char *propq);
 const char *ossl_cmp_bodytype_to_string(int type);
 int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type);
-int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg);
 OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype);
 OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype,
                                    const OSSL_CRMF_MSG *crm);
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 4fef006933..5fb67ae2cb 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -93,7 +93,7 @@ int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type)
     return 1;
 }
 
-int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg)
+int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg)
 {
     if (!ossl_assert(msg != NULL && msg->body != NULL))
         return -1;
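Review bot: `OSSL_CMP_MSG_get_bodytype()` is now a public function but still validates its argument with `ossl_assert()`, which is an internal-invariant check and, as far as I know, terminates the process in debug builds instead of returning. The man page added in this series promises -1 on error, so a plain `if (msg == NULL || msg->body == NULL) return -1;` would match the documented contract for application callers. The call in unprotected_exception() in cmp_client.c passes `rep /* may be NULL */` before its own assertion and so relies on the same behaviour. The function body continues outside the hunk.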
@@ -651,7 +651,7 @@ int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav)
     if (!ossl_assert(msg != NULL && itav != NULL))
         return 0;
 
-    bodytype = ossl_cmp_msg_get_bodytype(msg);
+    bodytype = OSSL_CMP_MSG_get_bodytype(msg);
     if (bodytype != OSSL_CMP_PKIBODY_GENM
             && bodytype != OSSL_CMP_PKIBODY_GENP) {
         ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
index 593c074f8d..6f3409468d 100644
--- a/crypto/cmp/cmp_server.c
+++ b/crypto/cmp/cmp_server.c
@@ -167,7 +167,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
     if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL))
         return NULL;
 
-    switch (ossl_cmp_msg_get_bodytype(req)) {
+    switch (OSSL_CMP_MSG_get_bodytype(req)) {
     case OSSL_CMP_PKIBODY_P10CR:
     case OSSL_CMP_PKIBODY_CR:
         bodytype = OSSL_CMP_PKIBODY_CP;
@@ -183,7 +183,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
         return NULL;
     }
 
-    if (ossl_cmp_msg_get_bodytype(req) == OSSL_CMP_PKIBODY_P10CR) {
+    if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_P10CR) {
         certReqId = OSSL_CMP_CERTREQID;
         p10cr = req->body->value.p10cr;
     } else {
@@ -247,7 +247,7 @@ static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
     OSSL_CRMF_CERTID *certId = NULL;
     OSSL_CRMF_CERTTEMPLATE *tmpl;
     const X509_NAME *issuer;
-    ASN1_INTEGER *serial;
+    const ASN1_INTEGER *serial;
     OSSL_CMP_PKISI *si;
 
     if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL))
@@ -428,7 +428,7 @@ static int unprotected_exception(const OSSL_CMP_CTX *ctx,
                       invalid_protection ? "invalid" : "missing");
         return 1;
     }
-    if (ossl_cmp_msg_get_bodytype(req) == OSSL_CMP_PKIBODY_ERROR
+    if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_ERROR
         && OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS) == 1) {
         ossl_cmp_warn(ctx, "ignoring missing protection of error message");
         return 1;
@@ -469,7 +469,7 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
     if (!OSSL_CMP_CTX_set1_recipient(ctx, hdr->sender->d.directoryName))
         goto err;
 
-    req_type = ossl_cmp_msg_get_bodytype(req);
+    req_type = OSSL_CMP_MSG_get_bodytype(req);
     switch (req_type) {
     case OSSL_CMP_PKIBODY_IR:
     case OSSL_CMP_PKIBODY_CR:
@@ -588,7 +588,7 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
     ctx->secretValue = backup_secret;
 
     rsp_type =
-        rsp != NULL ? ossl_cmp_msg_get_bodytype(rsp) : OSSL_CMP_PKIBODY_ERROR;
+        rsp != NULL ? OSSL_CMP_MSG_get_bodytype(rsp) : OSSL_CMP_PKIBODY_ERROR;
     if (rsp != NULL)
         ossl_cmp_log1(DEBUG, ctx,
                       "sending %s", ossl_cmp_bodytype_to_string(rsp_type));
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 28c9a984d2..aa4665a562 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -406,7 +406,7 @@ static int check_msg_all_certs(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
 
     if (mode_3gpp
             && ((!ctx->permitTAInExtraCertsForIR
-                     || ossl_cmp_msg_get_bodytype(msg) != OSSL_CMP_PKIBODY_IP)))
+                     || OSSL_CMP_MSG_get_bodytype(msg) != OSSL_CMP_PKIBODY_IP)))
         return 0;
 
     ossl_cmp_info(ctx,
@@ -576,7 +576,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
              * the caPubs field may be directly trusted as a root CA
              * certificate by the initiator.'
              */
-            switch (ossl_cmp_msg_get_bodytype(msg)) {
+            switch (OSSL_CMP_MSG_get_bodytype(msg)) {
             case -1:
                 return 0;
             case OSSL_CMP_PKIBODY_IP:
@@ -732,7 +732,7 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
 #endif
     }
 
-    if (ossl_cmp_msg_get_bodytype(msg) < 0) {
+    if (OSSL_CMP_MSG_get_bodytype(msg) < 0) {
 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
         ERR_raise(ERR_LIB_CMP, CMP_R_PKIBODY_ERROR);
         return 0;
@@ -793,7 +793,7 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
          * the caPubs field may be directly trusted as a root CA
          * certificate by the initiator.'
          */
-        switch (ossl_cmp_msg_get_bodytype(msg)) {
+        switch (OSSL_CMP_MSG_get_bodytype(msg)) {
         case OSSL_CMP_PKIBODY_IP:
         case OSSL_CMP_PKIBODY_CP:
         case OSSL_CMP_PKIBODY_KUP:
diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
index d03904a7bc..ea1e2dda09 100644
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@@ -42,13 +42,29 @@
  * valt = Value Type
  * ctrlinf = "regCtrl" or "regInfo"
  */
-#define IMPLEMENT_CRMF_CTRL_FUNC(atyp, valt, ctrlinf)                     \
-int OSSL_CRMF_MSG_set1_##ctrlinf##_##atyp(OSSL_CRMF_MSG *msg,             \
-                                          const valt *in)                 \
+#define IMPLEMENT_CRMF_CTRL_FUNC(atyp, valt, ctrlinf)                        \
+valt *OSSL_CRMF_MSG_get0_##ctrlinf##_##atyp(const OSSL_CRMF_MSG *msg)        \
+{                                                                            \
+    int i;                                                                   \
+    STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *controls;                     \
+    OSSL_CRMF_ATTRIBUTETYPEANDVALUE *atav = NULL;                            \
+                                                                             \
+    if (msg == NULL || msg->certReq == NULL)                                 \
+        return NULL;                                                         \
+    controls = msg->certReq->controls;                                       \
+    for (i = 0; i < sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_num(controls); i++) { \
+        atav = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_value(controls, i);        \
+        if (OBJ_obj2nid(atav->type) == NID_id_##ctrlinf##_##atyp)            \
+            return atav->value.atyp;                                         \
+    }                                                                        \
+    return NULL;                                                             \
+}                                                                            \
+ \
+int OSSL_CRMF_MSG_set1_##ctrlinf##_##atyp(OSSL_CRMF_MSG *msg, const valt *in) \
 {                                                                         \
     OSSL_CRMF_ATTRIBUTETYPEANDVALUE *atav = NULL;                         \
                                                                           \
-    if (msg == NULL || in == NULL)                                       \
+    if (msg == NULL || in == NULL)                                        \
         goto err;                                                         \
     if ((atav = OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new()) == NULL)           \
         goto err;                                                         \
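Review bot: The generated getter always searches `msg->certReq->controls`, yet the comment just above the macro says `ctrlinf` is "regCtrl" or "regInfo", and the new man page states that `OSSL_CRMF_MSG_get0_regInfo_utf8Pairs()` returns the first utf8Pairs regInfo. If regInfo attributes are kept in a separate list of the message (the set1 body lies outside the hunk, so this is inferred), the regInfo getters look in the wrong list and return NULL for data the request actually carries. A server that treats NULL as "not present" would then silently ignore that registration info. The getter should select the list according to `ctrlinf`, for example by passing the stack expression as a further macro argument.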
@@ -509,12 +525,18 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
 }
 
 /* retrieves the serialNumber of the given cert template or NULL on error */
-ASN1_INTEGER
+const ASN1_INTEGER
 *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(const OSSL_CRMF_CERTTEMPLATE *tmpl)
 {
     return tmpl != NULL ? tmpl->serialNumber : NULL;
 }
 
+const X509_NAME
+    *OSSL_CRMF_CERTTEMPLATE_get0_subject(const OSSL_CRMF_CERTTEMPLATE *tmpl)
+{
+    return tmpl != NULL ? tmpl->subject : NULL;
+}
+
 /* retrieves the issuer name of the given cert template or NULL on error */
 const X509_NAME
     *OSSL_CRMF_CERTTEMPLATE_get0_issuer(const OSSL_CRMF_CERTTEMPLATE *tmpl)
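Review bot: The new `OSSL_CRMF_CERTTEMPLATE_get0_subject()` has no header comment although the neighbouring getters each carry one; add `/* retrieves the subject name of the given cert template or NULL on error */`. The same applies to `OSSL_CRMF_CERTTEMPLATE_get0_extensions()` in the next hunk, e.g. `/* retrieves the extensions of the given cert template or NULL if absent or on error */`.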
@@ -522,6 +544,12 @@ const X509_NAME
     return tmpl != NULL ? tmpl->issuer : NULL;
 }
 
+X509_EXTENSIONS
+    *OSSL_CRMF_CERTTEMPLATE_get0_extensions(const OSSL_CRMF_CERTTEMPLATE *tmpl)
+{
+    return tmpl != NULL ? tmpl->extensions : NULL;
+}
+
 /* retrieves the issuer name of the given CertId or NULL on error */
 const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid)
 {
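Review bot: `OSSL_CRMF_CERTTEMPLATE_get0_extensions()` returns a mutable `X509_EXTENSIONS *` out of a `const OSSL_CRMF_CERTTEMPLATE *`, whereas this series makes the serialNumber getters const and the subject and issuer getters return const pointers. A caller can therefore modify the extensions of a template it only holds as const, including one parsed from a received request. Unless existing consumers need a writable stack, `const X509_EXTENSIONS` would be consistent; otherwise a header comment should say the result is an internal pointer that must not be modified or freed.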
@@ -530,7 +558,7 @@ const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid)
 }
 
 /* retrieves the serialNumber of the given CertId or NULL on error */
-ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid)
+const ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid)
 {
     return cid != NULL ? cid->serialNumber : NULL;
 }
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index eb0ace5474..05005a8eaf 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -225,6 +225,7 @@ CMP_R_FAILURE_OBTAINING_RANDOM:110:failure obtaining random
 CMP_R_FAIL_INFO_OUT_OF_RANGE:129:fail info out of range
 CMP_R_INVALID_ARGS:100:invalid args
 CMP_R_INVALID_OPTION:174:invalid option
+CMP_R_MISSING_CERTID:165:missing certid
 CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION:130:\
 	missing key input for creating protection
 CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE:142:missing key usage digitalsignature
@@ -268,6 +269,7 @@ CMP_R_UNSUPPORTED_PROTECTION_ALG_DHBASEDMAC:154:\
 CMP_R_VALUE_TOO_LARGE:175:value too large
 CMP_R_VALUE_TOO_SMALL:177:value too small
 CMP_R_WRONG_ALGORITHM_OID:138:wrong algorithm oid
+CMP_R_WRONG_CERTID:189:wrong certid
 CMP_R_WRONG_CERTID_IN_RP:187:wrong certid in rp
 CMP_R_WRONG_PBM_VALUE:155:wrong pbm value
 CMP_R_WRONG_RP_COMPONENT_COUNT:188:wrong rp component count
diff --git a/doc/man3/OSSL_CMP_MSG_get0_header.pod b/doc/man3/OSSL_CMP_MSG_get0_header.pod
index 2ecb48d7a1..32cdf81187 100644
--- a/doc/man3/OSSL_CMP_MSG_get0_header.pod
+++ b/doc/man3/OSSL_CMP_MSG_get0_header.pod
@@ -3,6 +3,7 @@
 =head1 NAME
 
 OSSL_CMP_MSG_get0_header,
+OSSL_CMP_MSG_get_bodytype,
 OSSL_CMP_MSG_update_transactionID,
 OSSL_CMP_CTX_setup_CRM,
 OSSL_CMP_MSG_read,
@@ -16,6 +17,7 @@ i2d_OSSL_CMP_MSG_bio
   #include <openssl/cmp.h>
 
   OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg);
+  int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg);
   int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
   OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid);
   OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file);
@@ -27,6 +29,8 @@ i2d_OSSL_CMP_MSG_bio
 
 OSSL_CMP_MSG_get0_header() returns the header of the given CMP message.
 
+OSSL_CMP_MSG_get_bodytype() returns the body type of the given CMP message.
+
 OSSL_CMP_MSG_update_transactionID() updates the transactionID field
 in the header of the given message according to the CMP_CTX.
 This requires re-protecting the message (if it was protected).
@@ -58,6 +62,8 @@ CMP is defined in RFC 4210.
 OSSL_CMP_MSG_get0_header() returns the intended pointer value as described above
 or NULL if the respective entry does not exist and on error.
 
+OSSL_CMP_MSG_get_bodytype() returns the body type or -1 on error.
+
 OSSL_CMP_CTX_setup_CRM() returns a pointer to a OSSL_CRMF_MSG on success,
 NULL on error.
 
diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
index f59abb4f11..bc268d64ca 100644
--- a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
+++ b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
@@ -4,7 +4,9 @@
 
 OSSL_CRMF_MSG_get0_tmpl,
 OSSL_CRMF_CERTTEMPLATE_get0_serialNumber,
+OSSL_CRMF_CERTTEMPLATE_get0_subject,
 OSSL_CRMF_CERTTEMPLATE_get0_issuer,
+OSSL_CRMF_CERTTEMPLATE_get0_extensions,
 OSSL_CRMF_CERTID_get0_serialNumber,
 OSSL_CRMF_CERTID_get0_issuer,
 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert,
@@ -16,12 +18,17 @@ OSSL_CRMF_MSG_get_certReqId
  #include <openssl/crmf.h>
 
  OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm);
- ASN1_INTEGER
+ const ASN1_INTEGER
  *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(const OSSL_CRMF_CERTTEMPLATE *tmpl);
- X509_NAME
+ const X509_NAME
+ *OSSL_CRMF_CERTTEMPLATE_get0_subject(const OSSL_CRMF_CERTTEMPLATE *tmpl);
+ const X509_NAME
  *OSSL_CRMF_CERTTEMPLATE_get0_issuer(const OSSL_CRMF_CERTTEMPLATE *tmpl);
+ X509_EXTENSIONS
+ *OSSL_CRMF_CERTTEMPLATE_get0_extensions(const OSSL_CRMF_CERTTEMPLATE *tmpl);
 
- ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
+ const ASN1_INTEGER
+ *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
  const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
 
  X509
@@ -39,9 +46,15 @@ OSSL_CRMF_MSG_get0_tmpl() retrieves the certificate template of I<crm>.
 OSSL_CRMF_CERTTEMPLATE_get0_serialNumber() retrieves the serialNumber of the
 given certificate template I<tmpl>.
 
+OSSL_CRMF_CERTTEMPLATE_get0_subject() retrieves the subject name of the
+given certificate template I<tmpl>.
+
 OSSL_CRMF_CERTTEMPLATE_get0_issuer() retrieves the issuer name of the
 given certificate template I<tmpl>.
 
+OSSL_CRMF_CERTTEMPLATE_get0_extensions() retrieves the X.509 extensions
+of the given certificate template I<tmpl>, or NULL if not present.
+
 OSSL_CRMF_CERTID_get0_serialNumber retrieves the serialNumber
 of the given CertId I<cid>.
 
diff --git a/doc/man3/OSSL_CRMF_MSG_set0_validity.pod b/doc/man3/OSSL_CRMF_MSG_set0_validity.pod
index 70a4120e86..fd42159d67 100644
--- a/doc/man3/OSSL_CRMF_MSG_set0_validity.pod
+++ b/doc/man3/OSSL_CRMF_MSG_set0_validity.pod
@@ -51,6 +51,7 @@ OSSL_CRMF_MSG_set_certReqId() sets I<rid> as the certReqId of I<crm>.
 OSSL_CRMF_CERTTEMPLATE_fill() sets those fields of the certTemplate I<tmpl>
 for which non-NULL values are provided: I<pubkey>, I<subject>, I<issuer>,
 and/or I<serial>.
+X.509 extensions may be set using OSSL_CRMF_MSG_set0_extensions().
 On success the reference counter of the I<pubkey> (if given) is incremented,
 while the I<subject>, I<issuer>, and I<serial> structures (if given) are copied.
 
diff --git a/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod b/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod
index b1f732257e..77377ef7eb 100644
--- a/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod
+++ b/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod
@@ -2,23 +2,32 @@
 
 =head1 NAME
 
+OSSL_CRMF_MSG_get0_regCtrl_regToken,
 OSSL_CRMF_MSG_set1_regCtrl_regToken,
+OSSL_CRMF_MSG_get0_regCtrl_authenticator,
 OSSL_CRMF_MSG_set1_regCtrl_authenticator,
 OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo,
 OSSL_CRMF_MSG_set0_SinglePubInfo,
 OSSL_CRMF_MSG_set_PKIPublicationInfo_action,
+OSSL_CRMF_MSG_get0_regCtrl_pkiPublicationInfo,
 OSSL_CRMF_MSG_set1_regCtrl_pkiPublicationInfo,
+OSSL_CRMF_MSG_get0_regCtrl_protocolEncrKey,
 OSSL_CRMF_MSG_set1_regCtrl_protocolEncrKey,
+OSSL_CRMF_MSG_get0_regCtrl_oldCertID,
 OSSL_CRMF_MSG_set1_regCtrl_oldCertID,
 OSSL_CRMF_CERTID_gen
-- functions setting CRMF Registration Controls
+- functions getting or setting CRMF Registration Controls
 
 =head1 SYNOPSIS
 
  #include <openssl/crmf.h>
 
+ ASN1_UTF8STRING
+    *OSSL_CRMF_MSG_get0_regCtrl_regToken(const OSSL_CRMF_MSG *msg);
  int OSSL_CRMF_MSG_set1_regCtrl_regToken(OSSL_CRMF_MSG *msg,
                                          const ASN1_UTF8STRING *tok);
+ ASN1_UTF8STRING
+    *OSSL_CRMF_MSG_get0_regCtrl_authenticator(const OSSL_CRMF_MSG *msg);
  int OSSL_CRMF_MSG_set1_regCtrl_authenticator(OSSL_CRMF_MSG *msg,
                                               const ASN1_UTF8STRING *auth);
  int OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo(
@@ -28,10 +37,16 @@ OSSL_CRMF_CERTID_gen
                                       int method, GENERAL_NAME *nm);
  int OSSL_CRMF_MSG_set_PKIPublicationInfo_action(
                                   OSSL_CRMF_PKIPUBLICATIONINFO *pi, int action);
+ OSSL_CRMF_PKIPUBLICATIONINFO
+    *OSSL_CRMF_MSG_get0_regCtrl_pkiPublicationInfo(const OSSL_CRMF_MSG *msg);
  int OSSL_CRMF_MSG_set1_regCtrl_pkiPublicationInfo(OSSL_CRMF_MSG *msg,
                                         const OSSL_CRMF_PKIPUBLICATIONINFO *pi);
+ X509_PUBKEY
+    *OSSL_CRMF_MSG_get0_regCtrl_protocolEncrKey(const OSSL_CRMF_MSG *msg);
  int OSSL_CRMF_MSG_set1_regCtrl_protocolEncrKey(OSSL_CRMF_MSG *msg,
                                                 const X509_PUBKEY *pubkey);
+ OSSL_CRMF_CERTID
+    *OSSL_CRMF_MSG_get0_regCtrl_oldCertID(const OSSL_CRMF_MSG *msg);
  int OSSL_CRMF_MSG_set1_regCtrl_oldCertID(OSSL_CRMF_MSG *msg,
                                           const OSSL_CRMF_CERTID *cid);
  OSSL_CRMF_CERTID *OSSL_CRMF_CERTID_gen(const X509_NAME *issuer,
@@ -39,6 +54,9 @@ OSSL_CRMF_CERTID_gen
 
 =head1 DESCRIPTION
 
+Each of the OSSL_CRMF_MSG_get0_regCtrl_X() functions
+returns the respective control X in the given I<msg>, if present.
+
 OSSL_CRMF_MSG_set1_regCtrl_regToken() sets the regToken control in the given
 I<msg> copying the given I<tok> as value. See RFC 4211, section 6.1.
 
@@ -79,10 +97,13 @@ given I<issuer> name and I<serial> number.
 
 =head1 RETURN VALUES
 
-OSSL_CRMF_CERTID_gen returns a pointer to the resulting structure
-or NULL on error.
+All OSSL_CRMF_MSG_get0_*() functions
+return the respective pointer value or NULL if not present and on error.
 
-All other functions return 1 on success, 0 on error.
+All OSSL_CRMF_MSG_set1_*() functions return 1 on success, 0 on error.
+
+OSSL_CRMF_CERTID_gen() returns a pointer to the resulting structure
+or NULL on error.
 
 =head1 NOTES
 
diff --git a/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod b/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod
index 56a6814ea0..f3d8fb1217 100644
--- a/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod
+++ b/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod
@@ -2,34 +2,49 @@
 
 =head1 NAME
 
+OSSL_CRMF_MSG_get0_regInfo_utf8Pairs,
 OSSL_CRMF_MSG_set1_regInfo_utf8Pairs,
+OSSL_CRMF_MSG_get0_regInfo_certReq,
 OSSL_CRMF_MSG_set1_regInfo_certReq
-- functions setting CRMF Registration Info
+- functions getting or setting CRMF Registration Info
 
 =head1 SYNOPSIS
 
  #include <openssl/crmf.h>
 
+ ASN1_UTF8STRING
+     *OSSL_CRMF_MSG_get0_regInfo_utf8Pairs(const OSSL_CRMF_MSG *msg);
  int OSSL_CRMF_MSG_set1_regInfo_utf8Pairs(OSSL_CRMF_MSG *msg,
                                           const ASN1_UTF8STRING *utf8pairs);
+ OSSL_CRMF_CERTREQUEST
+     *OSSL_CRMF_MSG_get0_regInfo_certReq(const OSSL_CRMF_MSG *msg);
  int OSSL_CRMF_MSG_set1_regInfo_certReq(OSSL_CRMF_MSG *msg,
                                         const OSSL_CRMF_CERTREQUEST *cr);
 
 =head1 DESCRIPTION
 
+OSSL_CRMF_MSG_get0_regInfo_utf8Pairs() returns the first utf8Pairs regInfo
+in the given I<msg>, if present.
+
 OSSL_CRMF_MSG_set1_regInfo_utf8Pairs() adds a copy of the given I<utf8pairs>
 value as utf8Pairs regInfo to the given I<msg>. See RFC 4211 section 7.1.
 
+OSSL_CRMF_MSG_get0_regInfo_certReq() returns the first certReq regInfo
+in the given I<msg>, if present.
+
 OSSL_CRMF_MSG_set1_regInfo_certReq() adds a copy of the given I<cr> value
 as certReq regInfo to the given I<msg>. See RFC 4211 section 7.2.
 
 =head1 RETURN VALUES
 
-All functions return 1 on success, 0 on error.
+All get0_*() functions return the respective pointer value, NULL if not present.
+
+All set1_*() functions return 1 on success, 0 on error.
 
 =head1 NOTES
 
-Calling these functions multiple times adds multiple instances of the respective
+Calling the set1_*() functions multiple times
+adds multiple instances of the respective
 control to the regInfo structure of the given I<msg>. While RFC 4211 expects
 multiple utf8Pairs in one regInfo structure, it does not allow multiple certReq.
 
diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in
index 27afa27d6a..b47344215b 100644
--- a/include/openssl/cmp.h.in
+++ b/include/openssl/cmp.h.in
@@ -378,6 +378,7 @@ ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_recipNonce(const OSSL_CMP_PKIHEADER *hdr);
 
 /* from cmp_msg.c */
 OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg);
+int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg);
 int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
 OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid);
 OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx,
diff --git a/include/openssl/cmperr.h b/include/openssl/cmperr.h
index b8ac43e525..3a26fd0bda 100644
--- a/include/openssl/cmperr.h
+++ b/include/openssl/cmperr.h
@@ -61,6 +61,7 @@
 #  define CMP_R_FAIL_INFO_OUT_OF_RANGE                     129
 #  define CMP_R_INVALID_ARGS                               100
 #  define CMP_R_INVALID_OPTION                             174
+#  define CMP_R_MISSING_CERTID                             165
 #  define CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION  130
 #  define CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE         142
 #  define CMP_R_MISSING_P10CSR                             121
@@ -101,6 +102,7 @@
 #  define CMP_R_VALUE_TOO_LARGE                            175
 #  define CMP_R_VALUE_TOO_SMALL                            177
 #  define CMP_R_WRONG_ALGORITHM_OID                        138
+#  define CMP_R_WRONG_CERTID                               189
 #  define CMP_R_WRONG_CERTID_IN_RP                         187
 #  define CMP_R_WRONG_PBM_VALUE                            155
 #  define CMP_R_WRONG_RP_COMPONENT_COUNT                   188
diff --git a/include/openssl/crmf.h.in b/include/openssl/crmf.h.in
index 73d4a0f1f0..beb73d7bf0 100644
--- a/include/openssl/crmf.h.in
+++ b/include/openssl/crmf.h.in
@@ -89,8 +89,12 @@ int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq,
 /* crmf_lib.c */
 int OSSL_CRMF_MSG_set1_regCtrl_regToken(OSSL_CRMF_MSG *msg,
                                         const ASN1_UTF8STRING *tok);
+ASN1_UTF8STRING
+*OSSL_CRMF_MSG_get0_regCtrl_regToken(const OSSL_CRMF_MSG *msg);
 int OSSL_CRMF_MSG_set1_regCtrl_authenticator(OSSL_CRMF_MSG *msg,
                                              const ASN1_UTF8STRING *auth);
+ASN1_UTF8STRING
+*OSSL_CRMF_MSG_get0_regCtrl_authenticator(const OSSL_CRMF_MSG *msg);
 int
 OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo(OSSL_CRMF_PKIPUBLICATIONINFO *pi,
                                                      OSSL_CRMF_SINGLEPUBINFO *spi);
@@ -106,17 +110,27 @@ int OSSL_CRMF_MSG_set_PKIPublicationInfo_action(OSSL_CRMF_PKIPUBLICATIONINFO *pi
                                                 int action);
 int OSSL_CRMF_MSG_set1_regCtrl_pkiPublicationInfo(OSSL_CRMF_MSG *msg,
                                                   const OSSL_CRMF_PKIPUBLICATIONINFO *pi);
+OSSL_CRMF_PKIPUBLICATIONINFO
+*OSSL_CRMF_MSG_get0_regCtrl_pkiPublicationInfo(const OSSL_CRMF_MSG *msg);
 int OSSL_CRMF_MSG_set1_regCtrl_protocolEncrKey(OSSL_CRMF_MSG *msg,
                                                const X509_PUBKEY *pubkey);
+X509_PUBKEY
+*OSSL_CRMF_MSG_get0_regCtrl_protocolEncrKey(const OSSL_CRMF_MSG *msg);
 int OSSL_CRMF_MSG_set1_regCtrl_oldCertID(OSSL_CRMF_MSG *msg,
                                          const OSSL_CRMF_CERTID *cid);
+OSSL_CRMF_CERTID
+*OSSL_CRMF_MSG_get0_regCtrl_oldCertID(const OSSL_CRMF_MSG *msg);
 OSSL_CRMF_CERTID *OSSL_CRMF_CERTID_gen(const X509_NAME *issuer,
                                        const ASN1_INTEGER *serial);
 
 int OSSL_CRMF_MSG_set1_regInfo_utf8Pairs(OSSL_CRMF_MSG *msg,
                                          const ASN1_UTF8STRING *utf8pairs);
+ASN1_UTF8STRING
+*OSSL_CRMF_MSG_get0_regInfo_utf8Pairs(const OSSL_CRMF_MSG *msg);
 int OSSL_CRMF_MSG_set1_regInfo_certReq(OSSL_CRMF_MSG *msg,
                                        const OSSL_CRMF_CERTREQUEST *cr);
+OSSL_CRMF_CERTREQUEST
+*OSSL_CRMF_MSG_get0_regInfo_certReq(const OSSL_CRMF_MSG *msg);
 
 int OSSL_CRMF_MSG_set0_validity(OSSL_CRMF_MSG *crm,
                                 ASN1_TIME *notBefore, ASN1_TIME *notAfter);
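Review bot: The header does not say what `OSSL_CRMF_MSG_get0_regCtrl_oldCertID` and the other getters added in this hunk return when the request carries no such control or regInfo entry. These entries are optional in a CRMF request and the message typically comes from a remote peer, so a caller that dereferences the result unchecked could crash on a request that simply omits the entry. Assuming the implementations (not shown in this hunk) return NULL in that case, a comment like `/* returns NULL if the control is absent */` next to the declarations would make the required check visible to callers.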
@@ -137,13 +151,18 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
                                int rid, int acceptRAVerified,
                                OSSL_LIB_CTX *libctx, const char *propq);
 OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm);
-ASN1_INTEGER
+const ASN1_INTEGER
 *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(const OSSL_CRMF_CERTTEMPLATE *tmpl);
 const X509_NAME
+*OSSL_CRMF_CERTTEMPLATE_get0_subject(const OSSL_CRMF_CERTTEMPLATE *tmpl);
+const X509_NAME
 *OSSL_CRMF_CERTTEMPLATE_get0_issuer(const OSSL_CRMF_CERTTEMPLATE *tmpl);
+X509_EXTENSIONS
+*OSSL_CRMF_CERTTEMPLATE_get0_extensions(const OSSL_CRMF_CERTTEMPLATE *tmpl);
 const X509_NAME
 *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
-ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
+const ASN1_INTEGER
+*OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
 int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
                                 EVP_PKEY *pubkey,
                                 const X509_NAME *subject,
diff --git a/test/cmp_server_test.c b/test/cmp_server_test.c
index 9f20d27ac9..e270bb924b 100644
--- a/test/cmp_server_test.c
+++ b/test/cmp_server_test.c
@@ -94,7 +94,7 @@ static int execute_test_handle_request(CMP_SRV_TEST_FIXTURE *fixture)
         goto end;
 
     if (!TEST_ptr(rsp = OSSL_CMP_CTX_server_perform(client_ctx, fixture->req))
-            || !TEST_int_eq(ossl_cmp_msg_get_bodytype(rsp),
+            || !TEST_int_eq(OSSL_CMP_MSG_get_bodytype(rsp),
                             OSSL_CMP_PKIBODY_ERROR)
             || !TEST_ptr(errorContent = rsp->body->value.error)
             || !TEST_int_eq(ASN1_INTEGER_get(errorContent->errorCode),
diff --git a/test/recipes/80-test_cmp_http_data/test_enrollment.csv b/test/recipes/80-test_cmp_http_data/test_enrollment.csv
index db44b46d27..358521de28 100644
--- a/test/recipes/80-test_cmp_http_data/test_enrollment.csv
+++ b/test/recipes/80-test_cmp_http_data/test_enrollment.csv
@@ -47,7 +47,7 @@ expected,description, -section,val, -cmd,val, -newkey,val,val, -newkeypass,val,
 1,sans 2 ip, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,127.0.0.1 1.2.3.4,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_two_ip.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
 1,sans 1 uri, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,https://www.sample.com,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_uri.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
 1,san_nodefault, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,127.0.0.1 1.2.3.4, -san_nodefault,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_nodefault.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
-1,san default, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,127.0.0.1 1.2.3.4,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_default.pem,, -out_trusted,root.crt,, -oldcert,_RESULT_DIR/test.certout_newkey.pem,BLANK,,,
+1,san default via oldcert, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,127.0.0.1 1.2.3.4,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_default.pem,, -out_trusted,root.crt,, -oldcert,_RESULT_DIR/test.certout_newkey.pem,BLANK,,,
 ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
 1,popo SIGNATURE, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -popo,1,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_popo.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
 0,popo RAVERIFIED, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -popo,0,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_popo1.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
@@ -105,5 +105,6 @@ TODO,p10cr wrong csr, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:
 0,kur newkey parameter count no match, -section,, -cmd,kur, -newkey,abc,def, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_kur3.pem,, -out_trusted,root.crt,, -oldcert,_RESULT_DIR/test.certout_newkey.pem,BLANK,,,,,-server,_SERVER_HOST:_KUR_PORT
 0,kur newkey missing argument, -section,, -cmd,kur, -newkey,BLANK,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_kur4.pem,, -out_trusted,root.crt,, -oldcert,_RESULT_DIR/test.certout_newkey.pem,BLANK,,,,,-server,_SERVER_HOST:_KUR_PORT
 0,kur oldcert not existing, -section,, -cmd,kur, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_kur6.pem,, -out_trusted,root.crt,, -oldcert,idontexist,BLANK,,,,,-server,_SERVER_HOST:_KUR_PORT
+0,kur wrong oldcert, -section,, -cmd,kur, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_kur6.pem,, -out_trusted,root.crt,, -oldcert,root.crt,BLANK,,,,,-server,_SERVER_HOST:_KUR_PORT
 0,kur empty oldcert file, -section,, -cmd,kur, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_kur7.pem,, -out_trusted,root.crt,, -oldcert,empty.txt,BLANK,,,,,-server,_SERVER_HOST:_KUR_PORT
 0,kur without cert and oldcert, -section,, -cmd,kur, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_kur8.pem,, -out_trusted,root.crt,, -cert,"""",BLANK,,,,,-server,_SERVER_HOST:_KUR_PORT
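Review bot: The added `kur wrong oldcert` row uses `-certout _RESULT_DIR/test.certout_kur6.pem`, the same output path as the `kur oldcert not existing` row directly above it. Both rows expect failure, so normally neither writes a file, but if the server-side OldCertID check regressed, a leftover certificate could not be attributed to one case. A distinct name for the new row, for example `_RESULT_DIR/test.certout_kur_wrong_oldcert.pem`, would keep the two negative tests separable.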
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 73e84ff08e..c7862c568d 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4502,16 +4502,23 @@ OSSL_CRMF_MSGS_new                      ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSGS_it                       ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_pbmp_new                      ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_pbm_new                       ?	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_get0_regCtrl_regToken     ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_set1_regCtrl_regToken     ?	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_get0_regCtrl_authenticator ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_set1_regCtrl_authenticator ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_set0_SinglePubInfo        ?	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_get0_regCtrl_pkiPublicationInfo ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_set_PKIPublicationInfo_action ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_set1_regCtrl_pkiPublicationInfo ?	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_get0_regCtrl_protocolEncrKey ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_set1_regCtrl_protocolEncrKey ?	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_get0_regCtrl_oldCertID    ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_set1_regCtrl_oldCertID    ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_CERTID_gen                    ?	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_get0_regInfo_utf8Pairs    ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_set1_regInfo_utf8Pairs    ?	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_get0_regInfo_certReq      ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_set1_regInfo_certReq      ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_set0_validity             ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_set_certReqId             ?	3_0_0	EXIST::FUNCTION:CRMF
@@ -4522,7 +4529,9 @@ OSSL_CRMF_MSG_create_popo               ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSGS_verify_popo              ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_get0_tmpl                 ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_CERTTEMPLATE_get0_serialNumber ?	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_CERTTEMPLATE_get0_subject     ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_CERTTEMPLATE_get0_issuer      ?	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_CERTTEMPLATE_get0_extensions  ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_CERTTEMPLATE_fill             ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert   ?	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_PARAM_locate                       ?	3_0_0	EXIST::FUNCTION:
@@ -4846,6 +4855,7 @@ i2d_X509_PUBKEY_bio                     ?	3_0_0	EXIST::FUNCTION:
 RSA_get0_pss_params                     ?	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 X509_cmp_timeframe                      ?	3_0_0	EXIST::FUNCTION:
 OSSL_CMP_MSG_get0_header                ?	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_MSG_get_bodytype               ?	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_MSG_update_transactionID       ?	3_0_0	EXIST::FUNCTION:CMP
 OSSL_CMP_CTX_setup_CRM                  ?	3_0_0	EXIST::FUNCTION:CMP
 BIO_f_prefix                            ?	3_0_0	EXIST::FUNCTION:

