authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-03-10 10:29:46 +0100
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-03-10 16:09:44 +0100
commit62dcd2aa17b27b7892ad62540f9034c9192f6530 (patch)
treeedaeb955151ff3c43c7d6a33b5f6047bd05e637c /doc
parentda42c2a3d752628e15b47aa7511e7044745080cb (diff)
Chunk 8 of CMP contribution to OpenSSL: CMP server and cmp_mock_srv.c for testing
Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712). Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI. Adds extensive documentation and tests. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11142)
Diffstat (limited to 'doc')
-rw-r--r--doc/internal/man3/ossl_cmp_hdr_init.pod6
-rw-r--r--doc/internal/man3/ossl_cmp_mock_srv_new.pod85
-rw-r--r--doc/internal/man3/ossl_cmp_pkisi_get_status.pod (renamed from doc/internal/man3/ossl_cmp_statusinfo_new.pod)53
-rw-r--r--doc/man3/OSSL_CMP_CTX_new.pod50
-rw-r--r--doc/man3/OSSL_CMP_CTX_snprint_PKIStatus.pod46
-rw-r--r--doc/man3/OSSL_CMP_MSG_get0_header.pod17
-rw-r--r--doc/man3/OSSL_CMP_SRV_CTX_new.pod159
-rw-r--r--doc/man3/OSSL_CMP_STATUSINFO_new.pod66
-rw-r--r--doc/man3/OSSL_CMP_X509_digest.pod36
-rw-r--r--doc/man3/X509_dup.pod4
-rw-r--r--doc/man3/d2i_X509.pod2
11 files changed, 424 insertions, 100 deletions
diff --git a/doc/internal/man3/ossl_cmp_hdr_init.pod b/doc/internal/man3/ossl_cmp_hdr_init.pod
index a7a4d87f09..31468a567b 100644
--- a/doc/internal/man3/ossl_cmp_hdr_init.pod
+++ b/doc/internal/man3/ossl_cmp_hdr_init.pod
@@ -14,7 +14,7 @@ ossl_cmp_hdr_push1_freeText,
ossl_cmp_hdr_generalinfo_item_push0,
ossl_cmp_hdr_generalinfo_items_push1,
ossl_cmp_hdr_set_implicitConfirm,
-ossl_cmp_hdr_check_implicitConfirm,
+ossl_cmp_hdr_has_implicitConfirm,
ossl_cmp_hdr_init
- functions manipulating CMP message headers
@@ -41,7 +41,7 @@ ossl_cmp_hdr_init
int ossl_cmp_hdr_push1_freeText(OSSL_CMP_PKIHEADER *hdr,
ASN1_UTF8STRING *text);
int ossl_cmp_hdr_set_implicitConfirm(OSSL_CMP_PKIHEADER *hdr);
- int ossl_cmp_hdr_check_implicitConfirm(OSSL_CMP_PKIHEADER *hdr);
+ int ossl_cmp_hdr_has_implicitConfirm(OSSL_CMP_PKIHEADER *hdr);
int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr);
=head1 DESCRIPTION
@@ -85,7 +85,7 @@ pointer.
ossl_cmp_hdr_set_implicitConfirm() sets implicitConfirm in the generalInfo field
of the PKIMessage header.
-ossl_cmp_hdr_check_implicitConfirm() returns 1 if implicitConfirm is
+ossl_cmp_hdr_has_implicitConfirm() returns 1 if implicitConfirm is
set int generalInfo field of the given PKIMessage header, 0 if not.
ossl_cmp_hdr_init() initializes a PKIHeader structure based on the
diff --git a/doc/internal/man3/ossl_cmp_mock_srv_new.pod b/doc/internal/man3/ossl_cmp_mock_srv_new.pod
new file mode 100644
index 0000000000..da1f44b391
--- /dev/null
+++ b/doc/internal/man3/ossl_cmp_mock_srv_new.pod
@@ -0,0 +1,85 @@
+=pod
+
+=head1 NAME
+
+ossl_cmp_mock_srv_new,
+ossl_cmp_mock_srv_free,
+ossl_cmp_mock_srv_set1_certOut,
+ossl_cmp_mock_srv_set1_chainOut,
+ossl_cmp_mock_srv_set1_caPubsOut,
+ossl_cmp_mock_srv_set_statusInfo,
+ossl_cmp_mock_srv_set_send_error,
+ossl_cmp_mock_srv_set_pollCount,
+ossl_cmp_mock_srv_set_checkAfterTime
+- functions used for testing with CMP mock server
+
+=head1 SYNOPSIS
+
+ #include <openssl/cmp.h>
+
+ OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(void);
+ void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx);
+
+ int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
+ int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
+ STACK_OF(X509) *chain);
+ int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
+ STACK_OF(X509) *caPubs);
+ int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
+ int fail_info, const char *text);
+ int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val);
+ int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count);
+ int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec);
+
+=head1 DESCRIPTION
+
+ossl_cmp_mock_srv_new() allocates the contexts for the CMP mock server.
+
+ossl_cmp_mock_srv_free() deallocates the contexts for the CMP mock server.
+
+OSSL_CMP_SRV_CTX_set1_certOut() sets the certificate to be returned in
+cp/ip/kup.
+
+OSSL_CMP_SRV_CTX_set1_chainOut() sets the certificate chain to be added to
+the extraCerts in a cp/ip/kup.
+It should to useful to validate B<certOut>.
+
+OSSL_CMP_SRV_CTX_set1_caPubsOut() sets the caPubs to be returned in an ip.
+
+OSSL_CMP_SRV_CTX_set_statusInfo() sets the status info to be returned.
+
+OSSL_CMP_SRV_CTX_set_send_error() enables enforcement of error responses.
+
+OSSL_CMP_SRV_CTX_set_pollCount() sets the number of polls before cert response.
+
+OSSL_CMP_SRV_CTX_set_checkAfterTime() sets the number of seconds
+the client should wait for the next poll.
+
+
+=head1 NOTES
+
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+
+=head1 RETURN VALUES
+
+ossl_cmp_mock_srv() returns a B<OSSL_CMP_SRV_CTX> structure on success,
+NULL on error.
+
+ossl_cmp_mock_srv_free() does not return a value.
+
+All other functions return 1 on success, 0 on error.
+
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/internal/man3/ossl_cmp_statusinfo_new.pod b/doc/internal/man3/ossl_cmp_pkisi_get_status.pod
index ee7dd35cf5..deca1aa2bb 100644
--- a/doc/internal/man3/ossl_cmp_statusinfo_new.pod
+++ b/doc/internal/man3/ossl_cmp_pkisi_get_status.pod
@@ -2,13 +2,11 @@
=head1 NAME
-ossl_cmp_statusinfo_new,
-ossl_cmp_pkisi_pkistatus_get,
-ossl_cmp_pkisi_pkifailureinfo_get,
-ossl_cmp_pkisi_pkifailureinfo_check,
-ossl_cmp_pkisi_failinfo_get0,
-ossl_cmp_pkisi_statusstring_get0,
-ossl_pkisi_snprint
+ossl_cmp_pkisi_get_status,
+ossl_cmp_PKIStatus_to_string,
+ossl_cmp_pkisi_get0_statusString,
+ossl_cmp_pkisi_get_pkifailureinfo,
+ossl_cmp_pkisi_check_pkifailureinfo
- functions for managing PKI status information
=head1 SYNOPSIS
@@ -44,40 +42,27 @@ ossl_pkisi_snprint
# define OSSL_CMP_PKIFAILUREINFO_duplicateCertReq 26
# define OSSL_CMP_PKIFAILUREINFO_MAX 26
- OSSL_CMP_PKISI *ossl_cmp_statusinfo_new(int status, int fail_info,
- const char *text);
- int ossl_cmp_pkisi_pkistatus_get(OSSL_CMP_PKISI *si);
- int ossl_cmp_pkisi_pkifailureinfo_get(OSSL_CMP_PKISI *si);
- int ossl_cmp_pkisi_pkifailureinfo_check(OSSL_CMP_PKISI *si, int bit_index);
- OSSL_CMP_PKIFAILUREINFO *ossl_cmp_pkisi_failinfo_get0(const OSSL_CMP_PKISI *si);
- OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_statusstring_get0(const OSSL_CMP_PKISI *si);
- char *ossl_pkisi_snprint(OSSL_CMP_PKISI *si, char *buf, int bufsize);
+ int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si);
+ const char *ossl_cmp_PKIStatus_to_string(int status);
+ OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI *si);
+ int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si);
+ int ossl_cmp_pkisi_check_pkifailureinfo(const OSSL_CMP_PKISI *si, int index);
=head1 DESCRIPTION
-ossl_cmp_statusinfo_new() creates a new PKIStatusInfo structure and fills it
-with the given values. It sets the status field to B<status>.
-If B<text> is not NULL, it is copied to statusString.
-B<fail_info> is is interpreted as bit pattern for the failInfo field.
-Returns a pointer to the structure on success, or NULL on error.
+ossl_cmp_pkisi_get_status() returns the PKIStatus of B<si>, or -1 on error.
-ossl_cmp_pkisi_pkistatus_get() returns the PKIStatus of B<si>, or -1 on error.
+ossl_cmp_PKIStatus_to_string() returns a human-readable string representing
+the PKIStatus values as specified in RFC 4210, Appendix F.
-ossl_cmp_pkisi_pkifailureinfo_get() returns the PKIFailureInfo bits
-of B<si>, encoded as integer, or -1 on error.
-
-ossl_cmp_pkisi_pkifailureinfo_check() returns the state of the bit (0 or 1)
-with index B<bit_index> in the PKIFailureInfo of the B<si>, or -1 on error.
-
-ossl_cmp_pkisi_failinfo_get0() returns a direct pointer to the failInfo
-field contained in B<si>, or NULL on error.
-
-ossl_cmp_pkisi_statusstring_get0() returns a direct pointer to the statusString
+ossl_cmp_pkisi_get0_statusString() returns a direct pointer to the statusString
field contained in B<si>.
-ossl_pkisi_snprint() places at max B<bufsize> characters of human-readable
-error string of B<si> in pre-allocated B<buf>. Returns pointer to the same
-B<buf> containing the string, or NULL on error.
+ossl_cmp_pkisi_get_pkifailureinfo() returns the PKIFailureInfo bits
+of B<si>, encoded as integer, or -1 on error.
+
+ossl_cmp_pkisi_check_pkifailureinfo() returns the state of the bit (0 or 1)
+with index B<index> in the PKIFailureInfo of the B<si>, or -1 on error.
=head1 NOTES
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index b10cfc4801..626f7d65af 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -239,7 +239,7 @@ The following options can be set:
OSSL_CMP_OPT_MAC_ALGNID
The MAC algorithm NID to be used in RFC 4210's MSG_MAC_ALG,
- if applicable used for message protection.
+ if applicable used for message protection.
Default is HMAC-SHA1 as per RFC 4210.
=item B<OSSL_CMP_OPT_REVOCATION_REASON>
@@ -404,20 +404,40 @@ The reference counts of those certificates handled successfully are increased.
OSSL_CMP_CTX_get0_untrusted_certs(OSSL_CMP_CTX *ctx) returns a pointer to the
list of untrusted certs, which my be empty if unset.
-OSSL_CMP_CTX_set1_clCert() sets the client certificate in the given
-OSSL_CMP_CTX structure. The client certificate will then be used by the
-functions to set the "sender" field for outgoing messages and it will be
-included in the extraCerts field.
-
-OSSL_CMP_CTX_set1_pkey() sets the private key corresponding to the client
-certificate set with B<OSSL_CMP_CTX_set1_clCert()> in the given CMP context.
-Used to create the protection in case of MSG_SIG_ALG.
-
-OSSL_CMP_CTX_set1_referenceValue() sets the given referenceValue in the given
-B<ctx> or clears it if the B<ref> argument is NULL.
-
-OSSL_CMP_CTX_set1_secretValue() sets the B<sec> with the length B<len> in the
-given B<ctx> or clears it if the B<sec> argument is NULL.
+OSSL_CMP_CTX_set1_clCert() sets the client certificate in the given B<ctx>.
+The public key of this B<clCert> must correspond to
+the private key set via B<OSSL_CMP_CTX_set1_pkey()>.
+When using signature-based protection of CMP request messages
+this "protection certificate" will be included first in the extraCerts field.
+The subject of this B<clCert> will be used as the "sender" field
+of outgoing CMP messages, with the fallback being
+the B<subjectName> set via B<OSSL_CMP_CTX_set1_subjectName()>.
+The B<cert> argument may be NULL to clear the entry.
+
+OSSL_CMP_CTX_set1_pkey() sets the private key corresponding to
+the client certificate B<clCert> set via B<OSSL_CMP_CTX_set1_clCert()>.
+This key is used create signature-based protection (protectionAlg = MSG_SIG_ALG)
+of outgoing messages
+unless a PBM secret has been set via B<OSSL_CMP_CTX_set1_secretValue()>.
+The B<pkey> argument may be NULL to clear the entry.
+
+OSSL_CMP_CTX_set1_secretValue() sets the byte string B<sec> with length B<len>
+as PBM secret in the given B<ctx> or clears it if the B<sec> argument is NULL.
+If present, this secret is used to create PBM-based protection of outgoing
+messages and to verify any PBM-based protection of incoming messages
+(protectionAlg = MSG_MAC_ALG). PBM stands for Password-Based MAC.
+PBM-based protection takes precedence over signature-based protection.
+
+OSSL_CMP_CTX_set1_referenceValue() sets the given referenceValue B<ref> with
+length B<len> in the given B<ctx> or clears it if the B<ref> argument is NULL.
+According to RFC 4210 section 5.1.1, if no value for the "sender" field in
+CMP message headers can be determined (i.e., no B<clCert> and no B<subjectName>
+is given) then the "sender" field will contain the NULL-DN
+and the senderKID field of the CMP message header must be set.
+When signature-based protection is used the senderKID will be set to
+the subjectKeyIdentifier of the <clCert> as far as present.
+If not present or when PBM-based protection is used
+the B<ref> value is taken as the fallback value for the senderKID.
OSSL_CMP_CTX_set1_recipient() sets the recipient name that will be used in the
PKIHeader of a request message, i.e. the X509 name of the (CA) server.
diff --git a/doc/man3/OSSL_CMP_CTX_snprint_PKIStatus.pod b/doc/man3/OSSL_CMP_CTX_snprint_PKIStatus.pod
deleted file mode 100644
index 3ae6831ee2..0000000000
--- a/doc/man3/OSSL_CMP_CTX_snprint_PKIStatus.pod
+++ /dev/null
@@ -1,46 +0,0 @@
-=pod
-
-=head1 NAME
-
-OSSL_CMP_CTX_snprint_PKIStatus
-- function(s) for managing the CMP PKIStatus
-
-=head1 SYNOPSIS
-
- #include <openssl/cmp.h>
-
- char *OSSL_CMP_CTX_snprint_PKIStatus(OSSL_CMP_CTX *ctx, char *buf, int bufsize);
-
-=head1 DESCRIPTION
-
-This is the PKIStatus API for using CMP (Certificate Management Protocol) with
-OpenSSL.
-
-OSSL_CMP_CTX_snprint_PKIStatus() takes the PKIStatusInfo components contained
-in the given CMP context and places a human-readable string created from them
-in the given buffer, with the given maximal length.
-On success it returns a copy of the buffer pointer containing the string.
-
-=head1 NOTES
-
-CMP is defined in RFC 4210 (and CRMF in RFC 4211).
-
-=head1 RETURN VALUES
-
-OSSL_CMP_CTX_snprint_PKIStatus()
-returns the intended pointer value as described above or NULL on error.
-
-=head1 HISTORY
-
-The OpenSSL CMP support was added in OpenSSL 3.0.
-
-=head1 COPYRIGHT
-
-Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
diff --git a/doc/man3/OSSL_CMP_MSG_get0_header.pod b/doc/man3/OSSL_CMP_MSG_get0_header.pod
index 3ed1140082..cee99cd00b 100644
--- a/doc/man3/OSSL_CMP_MSG_get0_header.pod
+++ b/doc/man3/OSSL_CMP_MSG_get0_header.pod
@@ -2,7 +2,9 @@
=head1 NAME
-OSSL_CMP_MSG_get0_header
+OSSL_CMP_MSG_get0_header,
+OSSL_d2i_CMP_MSG_bio,
+OSSL_i2d_CMP_MSG_bio
- function(s) manipulating CMP messages
=head1 SYNOPSIS
@@ -10,20 +12,31 @@ OSSL_CMP_MSG_get0_header
#include <openssl/cmp.h>
OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg);
+ OSSL_CMP_MSG *OSSL_d2i_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg);
+ int OSSL_i2d_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg);
=head1 DESCRIPTION
OSSL_CMP_MSG_get0_header returns the header of the given CMP message.
+OSSL_d2i_CMP_MSG_bio parses an ASN.1-encoded OSSL_CMP_MSG from the BIO I<bio>.
+It assigns a pointer to the new structure to I<*msg> if I<msg> is not NULL.
+
+OSSL_i2d_CMP_MSG_bio writes the OSSL_CMP_MSG I<msg> in ASN.1 encoding to BIO I<bio>.
+
=head1 NOTES
CMP is defined in RFC 4210.
=head1 RETURN VALUES
-CMP_MSG_get0_header() returns the intended pointer value as described above
+OSSL_CMP_MSG_get0_header() returns the intended pointer value as described above
or NULL if the respective entry does not exist and on error.
+OSSL_d2i_CMP_MSG_bio() returns the parsed message or NULL on error.
+
+OSSL_i2d_CMP_MSG_bio() returns 1 on success or 0 on error.
+
=head1 HISTORY
The OpenSSL CMP support was added in OpenSSL 3.0.
diff --git a/doc/man3/OSSL_CMP_SRV_CTX_new.pod b/doc/man3/OSSL_CMP_SRV_CTX_new.pod
new file mode 100644
index 0000000000..45ac0174b7
--- /dev/null
+++ b/doc/man3/OSSL_CMP_SRV_CTX_new.pod
@@ -0,0 +1,159 @@
+=pod
+
+=head1 NAME
+
+OSSL_CMP_SRV_process_request,
+OSSL_CMP_CTX_server_perform,
+OSSL_CMP_SRV_CTX_new,
+OSSL_CMP_SRV_CTX_free,
+OSSL_CMP_SRV_cert_request_cb_t,
+OSSL_CMP_SRV_rr_cb_t,
+OSSL_CMP_SRV_certConf_cb_t,
+OSSL_CMP_SRV_genm_cb_t,
+OSSL_CMP_SRV_error_cb_t,
+OSSL_CMP_SRV_pollReq_cb_t,
+OSSL_CMP_SRV_CTX_init,
+OSSL_CMP_SRV_CTX_get0_cmp_ctx,
+OSSL_CMP_SRV_CTX_get0_custom_ctx,
+OSSL_CMP_SRV_CTX_set_send_unprotected_errors,
+OSSL_CMP_SRV_CTX_set_accept_unprotected,
+OSSL_CMP_SRV_CTX_set_accept_raverified,
+OSSL_CMP_SRV_CTX_set_grant_implicit_confirm
+- generic functions to set up and control a CMP server
+
+=head1 SYNOPSIS
+
+ #include <openssl/cmp.h>
+
+ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req);
+ OSSL_CMP_MSG *OSSL_CMP_CTX_server_perform(OSSL_CMP_CTX *client_ctx,
+ const OSSL_CMP_MSG *req);
+ OSSL_CMP_SRV_CTX *OSSL_CMP_SRV_CTX_new(void);
+ void OSSL_CMP_SRV_CTX_free(OSSL_CMP_SRV_CTX *srv_ctx);
+
+ typedef OSSL_CMP_PKISI *(*OSSL_CMP_SRV_cert_request_cb_t)(
+ OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req,
+ int certReqId,
+ const OSSL_CRMF_MSG *crm,
+ const X509_REQ *p10cr,
+ X509 **certOut,
+ STACK_OF(X509) **chainOut,
+ STACK_OF(X509) **caPubs);
+ typedef OSSL_CMP_PKISI *(*OSSL_CMP_SRV_rr_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req,
+ const X509_NAME *issuer,
+ const ASN1_INTEGER *serial);
+ typedef int (*OSSL_CMP_SRV_genm_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req,
+ STACK_OF(OSSL_CMP_ITAV) *in,
+ STACK_OF(OSSL_CMP_ITAV) **out);
+ typedef void (*OSSL_CMP_SRV_error_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req,
+ const OSSL_CMP_PKISI *statusInfo,
+ const ASN1_INTEGER *errorCode,
+ const OSSL_CMP_PKIFREETEXT *errorDetails);
+ typedef int (*OSSL_CMP_SRV_certConf_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req,
+ int certReqId,
+ const ASN1_OCTET_STRING *certHash,
+ const OSSL_CMP_PKISI *si);
+ typedef int (*OSSL_CMP_SRV_pollReq_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx,
+ const OSSL_CMP_MSG *req,
+ int certReqId,
+ OSSL_CMP_MSG **certReq,
+ int64_t *check_after);
+ int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX *srv_ctx, void *custom_ctx,
+ OSSL_CMP_SRV_cert_request_cb_t process_cert_request,
+ OSSL_CMP_SRV_rr_cb_t process_rr,
+ OSSL_CMP_SRV_genm_cb_t process_genm,
+ OSSL_CMP_SRV_error_cb_t process_error,
+ OSSL_CMP_SRV_certConf_cb_t process_certConf,
+ OSSL_CMP_SRV_pollReq_cb_t process_pollReq);
+
+ OSSL_CMP_CTX *OSSL_CMP_SRV_CTX_get0_cmp_ctx(const OSSL_CMP_SRV_CTX *srv_ctx);
+ void *OSSL_CMP_SRV_CTX_get0_custom_ctx(const OSSL_CMP_SRV_CTX *srv_ctx);
+
+ int OSSL_CMP_SRV_CTX_set_send_unprotected_errors(OSSL_CMP_SRV_CTX *srv_ctx,
+ int val);
+ int OSSL_CMP_SRV_CTX_set_accept_unprotected(OSSL_CMP_SRV_CTX *srv_ctx, int val);
+ int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val);
+ int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx,
+ int val);
+
+=head1 DESCRIPTION
+
+OSSL_CMP_SRV_process_request() implements the generic aspects of a CMP server.
+It does the typical generic checks on the given request message, calls
+the respective callback function (if present) for more specific processing,
+and then assembles a result message, which may be a CMP error message.
+
+OSSL_CMP_CTX_server_perform() is an interface to
+B<OSSL_CMP_SRV_process_request()> that can be used by a CMP client
+in the same way as B<OSSL_CMP_MSG_http_perform()>.
+The B<OSSL_CMP_SRV_CTX> must be set as B<transfer_cb_arg> of B<client_ctx>.
+
+OSSL_CMP_SRV_CTX_new() creates and initializes an OSSL_CMP_SRV_CTX structure
+and returns a pointer to it on success, NULL on error.
+
+OSSL_CMP_SRV_CTX_free() deletes the given B<srv_ctx>.
+
+OSSL_CMP_SRV_CTX_init() sets in the given B<srv_ctx> a custom server context
+pointer as well as callback functions performing the specific processing of CMP
+certificate requests, revocation requests, certificate confirmation requests,
+general messages, error messages, and poll requests.
+All arguments except B<srv_ctx> may be NULL.
+If a callback for some message type is not given this means that the respective
+type of CMP message is not supported by the server.
+
+OSSL_CMP_SRV_CTX_get0_cmp_ctx() returns the B<OSSL_CMP_CTX> from the B<srv_ctx>.
+
+OSSL_CMP_SRV_CTX_get0_custom_ctx() returns the custom server context from
+B<srv_ctx> that has been set using B<OSSL_CMP_SRV_CTX_init>.
+
+OSSL_CMP_SRV_CTX_set_send_unprotected_errors() enables sending error messages
+and other forms of negative responses unprotected.
+
+OSSL_CMP_SRV_CTX_set_accept_unprotected() enables acceptance of requests
+without protection of with invalid protection.
+
+OSSL_CMP_SRV_CTX_set_accept_raverified() enables acceptance of ir/cr/kur
+messages with POPO 'RAVerified'.
+
+OSSL_CMP_SRV_CTX_set_grant_implicit_confirm() enables granting implicit
+confirmation of newly enrolled certificates if requested.
+
+=head1 NOTES
+
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+
+=head1 RETURN VALUES
+
+OSSL_CMP_SRV_CTX_new() returns a B<OSSL_CMP_SRV_CTX> structure on success,
+NULL on error.
+
+OSSL_CMP_SRV_CTX_free() does not return a value.
+
+OSSL_CMP_SRV_CTX_get0_cmp_ctx() returns a B<OSSL_CMP_CTX> structure on success,
+NULL on error.
+
+OSSL_CMP_SRV_CTX_get0_custom_ctx() returns the custom server context
+that has been set using B<OSSL_CMP_SRV_CTX_init>.
+
+All other functions return 1 on success, 0 on error.
+
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/OSSL_CMP_STATUSINFO_new.pod b/doc/man3/OSSL_CMP_STATUSINFO_new.pod
new file mode 100644
index 0000000000..520a104d7e
--- /dev/null
+++ b/doc/man3/OSSL_CMP_STATUSINFO_new.pod
@@ -0,0 +1,66 @@
+=pod
+
+=head1 NAME
+
+OSSL_CMP_STATUSINFO_new,
+OSSL_CMP_snprint_PKIStatusInfo,
+OSSL_CMP_CTX_snprint_PKIStatus
+- function(s) for managing the CMP PKIStatus
+
+=head1 SYNOPSIS
+
+ #include <openssl/cmp.h>
+
+ OSSL_CMP_PKISI *OSSL_CMP_STATUSINFO_new(int status, int fail_info,
+ const char *text);
+ char *OSSL_CMP_snprint_PKIStatusInfo(const OSSL_CMP_PKISI *statusInfo,
+ char *buf, size_t bufsize);
+ char *OSSL_CMP_CTX_snprint_PKIStatus(const OSSL_CMP_CTX *ctx, char *buf,
+ size_t bufsize);
+
+=head1 DESCRIPTION
+
+This is the PKIStatus API for using CMP (Certificate Management Protocol) with
+OpenSSL.
+
+OSSL_CMP_STATUSINFO_new() creates a new PKIStatusInfo structure
+and fills in the given values.
+It sets the status field to B<status>,
+copies B<text> (unless it is NULL) to statusString,
+and interprets B<fail_info> as bit pattern for the failInfo field.
+
+OSSL_CMP_snprint_PKIStatusInfo() places a human-readable string
+representing the given statusInfo
+in the given buffer, with the given maximal length.
+
+OSSL_CMP_CTX_snprint_PKIStatus() places a human-readable string
+representing the PKIStatusInfo components of the CMP context B<ctx>
+in the given buffer, with the given maximal length.
+
+=head1 NOTES
+
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+
+=head1 RETURN VALUES
+
+OSSL_CMP_STATUSINFO_new()
+returns a pointer to the structure on success, or NULL on error.
+
+OSSL_CMP_snprint_PKIStatusInfo() and
+OSSL_CMP_CTX_snprint_PKIStatus()
+return a copy of the buffer pointer containing the string or NULL on error.
+
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/OSSL_CMP_X509_digest.pod b/doc/man3/OSSL_CMP_X509_digest.pod
new file mode 100644
index 0000000000..824d3497c3
--- /dev/null
+++ b/doc/man3/OSSL_CMP_X509_digest.pod
@@ -0,0 +1,36 @@
+=pod
+
+=head1 NAME
+
+OSSL_CMP_X509_digest
+- CMP certificate utility functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/cmp_util.h>
+
+ ASN1_OCTET_STRING *OSSL_CMP_X509_digest(const X509 *cert);
+
+=head1 DESCRIPTION
+
+OSSL_CMP_X509_digest() calculates a digest of the given certificate
+using the same hash algorithm as in the certificate signature.
+
+=head1 RETURN VALUES
+
+OSSL_CMP_X509_digest() returns an ASN1_OCTET_STRING on success, else NULL.
+
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod
index d7d8477896..cb1e9edf2c 100644
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@@ -122,13 +122,17 @@ OCSP_SIGNATURE_free,
OCSP_SIGNATURE_new,
OCSP_SINGLERESP_free,
OCSP_SINGLERESP_new,
+OSSL_CMP_ITAV_dup,
OSSL_CMP_ITAV_free,
+OSSL_CMP_MSG_dup,
OSSL_CMP_MSG_it,
OSSL_CMP_MSG_free,
OSSL_CMP_PKIHEADER_free,
OSSL_CMP_PKIHEADER_it,
OSSL_CMP_PKIHEADER_new,
+OSSL_CMP_PKISI_dup,
OSSL_CMP_PKISI_free,
+OSSL_CMP_PKISI_it,
OSSL_CMP_PKISI_new,
OSSL_CMP_PKISTATUS_it,
OSSL_CRMF_CERTID_free,
diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod
index d41d2e0c4b..354757387f 100644
--- a/doc/man3/d2i_X509.pod
+++ b/doc/man3/d2i_X509.pod
@@ -98,6 +98,7 @@ d2i_OCSP_SIGNATURE,
d2i_OCSP_SINGLERESP,
d2i_OSSL_CMP_MSG,
d2i_OSSL_CMP_PKIHEADER,
+d2i_OSSL_CMP_PKISI,
d2i_OSSL_CRMF_CERTID,
d2i_OSSL_CRMF_CERTTEMPLATE,
d2i_OSSL_CRMF_ENCRYPTEDVALUE,
@@ -289,6 +290,7 @@ i2d_OCSP_SIGNATURE,
i2d_OCSP_SINGLERESP,
i2d_OSSL_CMP_MSG,
i2d_OSSL_CMP_PKIHEADER,
+i2d_OSSL_CMP_PKISI,
i2d_OSSL_CRMF_CERTID,
i2d_OSSL_CRMF_CERTTEMPLATE,
i2d_OSSL_CRMF_ENCRYPTEDVALUE,