diff options
| author | Dr. David von Oheimb <dev@ddvo.net> | 2024-03-11 13:06:13 +0100 |
|---|---|---|
| committer | Dr. David von Oheimb <dev@ddvo.net> | 2024-06-17 11:00:01 +0200 |
| commit | b38ebb31ae64c83cf55cc083fddabbea4e0e40dd (patch) | |
| tree | daa46a7695cf022954a90f059e0fa464cc9b2aa4 | |
| parent | 9283c2bdb7914a9a004cc71c21718383afab7575 (diff) | |
OSSL_CMP_{validate_msg,CTX_new}.pod: add warning notes on OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23814)
(cherry picked from commit 40948c4c74099ae21843d9265dfe65f13cb9e6c5)
| -rw-r--r-- | doc/man3/OSSL_CMP_CTX_new.pod | 5 | ||||
| -rw-r--r-- | doc/man3/OSSL_CMP_validate_msg.pod | 7 |
2 files changed, 10 insertions, 2 deletions
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index 8109970171..874174c3ac 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -340,6 +340,11 @@ RFC 4210. Allow retrieving a trust anchor from extraCerts and using that to validate the certificate chain of an IP message. + This is a quirk option added to support 3GPP TS 33.310. + + Note that using this option is dangerous as the certificate obtained + this way has not been authenticated (at least not at CMP level). + Taking it over as a trust anchor implements trust-on-first-use (TOFU). =back diff --git a/doc/man3/OSSL_CMP_validate_msg.pod b/doc/man3/OSSL_CMP_validate_msg.pod index c416a49d77..2fe94dabc8 100644 --- a/doc/man3/OSSL_CMP_validate_msg.pod +++ b/doc/man3/OSSL_CMP_validate_msg.pod @@ -42,11 +42,14 @@ using any trust store set via L<OSSL_CMP_CTX_set0_trusted(3)>. If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling L<OSSL_CMP_CTX_set_option(3)>, for an Initialization Response (IP) message -any self-issued certificate from the I<msg> extraCerts field may also be used -as trust anchor for the path verification of an acceptable cert if it can be +any self-issued certificate from the I<msg> extraCerts field may be used +as a trust anchor for the path verification of an 'acceptable' cert if it can be used also to validate the issued certificate returned in the IP message. This is according to TS 33.310 [Network Domain Security (NDS); Authentication Framework (AF)] document specified by the The 3rd Generation Partnership Project (3GPP). +Note that using this option is dangerous as the certificate obtained this way +has not been authenticated (at least not at CMP level). +Taking it over as a trust anchor implements trust-on-first-use (TOFU). Any cert that has been found as described above is cached and tried first when validating the signatures of subsequent messages in the same transaction. |