diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-11-13 21:45:46 +0100 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-11-20 13:36:30 +0100 |
commit | f87ead980187ba39c66eb6ed5825603ea343b73f (patch) | |
tree | 2e4ff347f73f300a65caa167125c3c9de4872a1b | |
parent | 8c5c2fa544e8ca05bb756e99dbc9cb5ed82db37c (diff) |
ossl_cmp_certreq_new(): Fix POPO key mismatch in case newPkey is just public key
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13409)
-rw-r--r-- | crypto/cmp/cmp_msg.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index 1a4a873168..45cda58879 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -334,7 +334,12 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type, if (type != OSSL_CMP_PKIBODY_P10CR) { EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1); - if (privkey == NULL) + /* + * privkey is NULL in case ctx->newPkey does not include a private key. + * We then may try to use ctx->pkey as fallback/default, but only + * if ctx-> newPkey does not include a (non-matching) public key: + */ + if (privkey == NULL && OSSL_CMP_CTX_get0_newPkey(ctx, 0) == NULL) privkey = ctx->pkey; /* default is independent of ctx->oldCert */ if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY); |