diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-02-14 20:25:42 +0100 |
---|---|---|
committer | Dmitry Belyavskiy <beldmit@gmail.com> | 2021-02-17 17:13:32 +0100 |
commit | b51bed05c2ab54a1933b5c18862e68cd4540278c (patch) | |
tree | 03634b37b4c1b5e23ccb4333bd63b7bec6f983c0 | |
parent | d44a8a16c8a2851af7f70575ff3dd23cc06f30e1 (diff) |
apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR
Also improve doc how the -reqexts option affects the CSR given with the -csr option.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14181)
-rw-r--r-- | apps/cmp.c | 54 | ||||
-rw-r--r-- | doc/man1/openssl-cmp.pod.in | 2 |
2 files changed, 30 insertions, 26 deletions
diff --git a/apps/cmp.c b/apps/cmp.c index 1dbd1f7339..887ec5d22e 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1601,6 +1601,10 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) */ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) { + X509_REQ *csr = NULL; + X509_EXTENSIONS *exts = NULL; + X509V3_CTX ext_ctx; + if (opt_subject == NULL && opt_csr == NULL && opt_oldcert == NULL && opt_cert == NULL && opt_cmd != CMP_RR && opt_cmd != CMP_GENM) @@ -1648,30 +1652,41 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) return 0; } + if (opt_csr != NULL) { + if (opt_cmd == CMP_GENM) { + CMP_warn("-csr option is ignored for genm command"); + } else { + csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr"); + if (csr == NULL) + return 0; + if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) { + X509_REQ_free(csr); + goto oom; + } + } + } if (opt_reqexts != NULL || opt_policies != NULL) { - X509V3_CTX ext_ctx; - X509_EXTENSIONS *exts = sk_X509_EXTENSION_new_null(); - - if (exts == NULL) - return 0; - X509V3_set_ctx(&ext_ctx, NULL, NULL, NULL, NULL, 0); + if ((exts = sk_X509_EXTENSION_new_null()) == NULL) + goto exts_err; + X509V3_set_ctx(&ext_ctx, NULL, NULL, csr, NULL, X509V3_CTX_REPLACE); X509V3_set_nconf(&ext_ctx, conf); if (opt_reqexts != NULL && !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_reqexts, &exts)) { CMP_err1("cannot load certificate request extension section '%s'", opt_reqexts); - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - return 0; + goto exts_err; } if (opt_policies != NULL && !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_policies, &exts)) { CMP_err1("cannot load policy cert request extension section '%s'", opt_policies); - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - return 0; + goto exts_err; } OSSL_CMP_CTX_set0_reqExtensions(ctx, exts); + exts = NULL; } + X509_REQ_free(csr); + csr = NULL; if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) && opt_sans != NULL) { CMP_err("cannot have Subject Alternative Names both via -reqexts and via -sans"); return 0; @@ -1720,22 +1735,6 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (opt_popo >= OSSL_CRMF_POPO_NONE) (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_POPO_METHOD, opt_popo); - if (opt_csr != NULL) { - if (opt_cmd == CMP_GENM) { - CMP_warn("-csr option is ignored for genm command"); - } else { - X509_REQ *csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr"); - - if (csr == NULL) - return 0; - if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) { - X509_REQ_free(csr); - goto oom; - } - X509_REQ_free(csr); - } - } - if (opt_oldcert != NULL) { if (opt_cmd == CMP_GENM) { CMP_warn("-oldcert option is ignored for genm command"); @@ -1762,6 +1761,9 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) oom: CMP_err("out of memory"); + exts_err: + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + X509_REQ_free(csr); return 0; } diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 3f2b742a36..9800de6465 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -298,6 +298,8 @@ validity period starts from the current time (as seen by the host). =item B<-reqexts> I<name> Name of section in OpenSSL config file defining certificate request extensions. +If the B<-csr> option is present, these extensions augment the extensions +contained the given PKCS#10 CSR, overriding any extensions with same OIDs. =item B<-sans> I<spec> |