author Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-04-30 19:38:58 +0200
committer Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-05-13 19:42:00 +0200
commit 6b326fc396d203d84f5461a0025495dfef88e1e8
tree 2fe8a5c834dd74e0cd3e0f187ce81617089604f5
parent 8d9a4d833f12b0669f053a504268d13a46c079ad
Improve CMP documentation regarding use of untrusted certs
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11470)
-rw-r--r-- apps/cmp.c 2
-rw-r--r-- doc/man1/openssl-cmp.pod.in 2
-rw-r--r-- doc/man3/OSSL_CMP_CTX_new.pod 8
3 files changed, 6 insertions, 6 deletions
diff --git a/apps/cmp.c b/apps/cmp.c
index 24a7fcbe6c..1e4642d466 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -619,7 +619,7 @@ const OPTIONS cmp_options[] = {
{"srv_trusted", OPT_SRV_TRUSTED, 's',
"Trusted certificates for client authentication"},
{"srv_untrusted", OPT_SRV_UNTRUSTED, 's',
- "Intermediate certs for constructing chains for CMP protection by client"},
+ "Intermediate certs that may be useful for verifying CMP protection"},
{"rsp_cert", OPT_RSP_CERT, 's',
"Certificate to be returned as mock enrollment result"},
{"rsp_extracerts", OPT_RSP_EXTRACERTS, 's',
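Review bot: In the new srv_untrusted help string, "verifying CMP protection" no longer says whose protection is meant, while the srv_trusted entry just above says "client authentication" and the man page entry changed in this same commit reads "Intermediate CA certs that may be useful when verifying client certificates." Suggest using one wording in both places, keeping "CA" and naming the client, so the help output and the man page do not describe the option differently.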
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index b746d26c33..a99391ac6d 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -889,7 +889,7 @@ Trusted certificates for client authentication.
=item B<-srv_untrusted> I<filenames>
-Intermediate certs for constructing chains for CMP protection by client.
+Intermediate CA certs that may be useful when verifying client certificates.
=item B<-rsp_cert> I<filename>
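Review bot: The new -srv_untrusted text does not say how these certs relate to the trust anchors in the item directly above ("Trusted certificates for client authentication."). Suggest stating that they are non-trusted and only help with path construction, as the OSSL_CMP_CTX_set1_untrusted_certs() paragraph in this commit does, so a reader does not take the file as a second source of trust. The old sentence also tied the option to CMP protection; the new one mentions only "client certificates", so it would help to say that the chain being verified is the one for the client's CMP protection certificate, if that is still the intent.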
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index 1bc9ef8cd0..b9b8ffb2e0 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -403,13 +403,13 @@ parameter the entry is cleared.
OSSL_CMP_CTX_get0_trustedStore() returns a pointer to the certificate store
containing trusted root CA certificates, which may be empty if unset.
-OSSL_CMP_CTX_set1_untrusted_certs() takes over a list of certificates containing
-non-trusted intermediate certs used for path construction in authentication
-of the CMP server and potentially others (TLS server, newly enrolled cert).
+OSSL_CMP_CTX_set1_untrusted_certs() sets up a list of non-trusted certificates
+of intermediate CAs that may be useful for path construction when authenticating
+the CMP server and when verifying newly enrolled certificates.
The reference counts of those certificates handled successfully are increased.
OSSL_CMP_CTX_get0_untrusted_certs(OSSL_CMP_CTX *ctx) returns a pointer to the
-list of untrusted certs, which my be empty if unset.
+list of untrusted certs, which may be empty if unset.
OSSL_CMP_CTX_set1_clCert() sets the client certificate in the given B<ctx>.
The public key of this B<clCert> must correspond to
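Review bot: The rewritten OSSL_CMP_CTX_set1_untrusted_certs() paragraph drops "TLS server" from the uses the old text listed ("and potentially others (TLS server, newly enrolled cert)"). If the untrusted list is still consulted when verifying a TLS server, the documentation should keep saying so; if it is not, the commit message should note that this narrows the documented behaviour rather than only rewording it. The sentence on reference counts that follows still reads as a continuation of "takes over"; with "sets up" it may be clearer to say which call increases them.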