diff options
author | Dr. David von Oheimb <dev@ddvo.net> | 2024-04-25 20:05:22 +0200 |
---|---|---|
committer | Todd Short <todd.short@me.com> | 2024-06-18 13:52:57 -0400 |
commit | 5aec3f4a72604d76970581f1ea445b331beda608 (patch) | |
tree | ef2f00013cf159441b18aa001c0c54fe439df8f4 | |
parent | f4b4a185b546044150821f1929e5cd6fd0dfba99 (diff) |
CMP app: fix combination of -certout and -chainout with equal filename argument
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/24267)
-rw-r--r-- | apps/cmp.c | 27 | ||||
-rw-r--r-- | doc/man1/openssl-cmp.pod.in | 6 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_CTX_new.pod | 2 | ||||
-rw-r--r-- | test/recipes/80-test_cmp_http_data/test_enrollment.csv | 4 |
4 files changed, 32 insertions, 7 deletions
diff --git a/apps/cmp.c b/apps/cmp.c index 7639ab2cf8..8d880c50c8 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -3594,13 +3594,28 @@ int cmp_main(int argc, char **argv) opt_extracertsout, "extra") < 0) goto err; if (newcert != NULL && (opt_cmd == CMP_IR || opt_cmd == CMP_CR - || opt_cmd == CMP_KUR || opt_cmd == CMP_P10CR)) - if (!save_cert_or_delete(newcert, opt_certout, "newly enrolled") - || save_free_certs(OSSL_CMP_CTX_get1_newChain(cmp_ctx), - opt_chainout, "chain") < 0 - || save_free_certs(OSSL_CMP_CTX_get1_caPubs(cmp_ctx), - opt_cacertsout, "CA") < 0) + || opt_cmd == CMP_KUR || opt_cmd == CMP_P10CR)) { + STACK_OF(X509) *newchain = OSSL_CMP_CTX_get1_newChain(cmp_ctx); + + if (newcert != NULL && newchain != NULL /* NULL is on error only */ + && opt_certout != NULL && opt_chainout != NULL + && strcmp(opt_certout, opt_chainout) == 0) { + if (!X509_add_cert(newchain, newcert, X509_ADD_FLAG_PREPEND + | X509_ADD_FLAG_UP_REF)) { + sk_X509_pop_free(newchain, X509_free); + goto err; + } + if (!save_free_certs(newchain, opt_chainout, "newly enrolled cert and chain")) + goto err; + } else { + if (save_free_certs(newchain, opt_chainout, "chain") < 0 + || !save_cert_or_delete(newcert, opt_certout, "newly enrolled")) + goto err; + } + if (save_free_certs(OSSL_CMP_CTX_get1_caPubs(cmp_ctx), + opt_cacertsout, "CA") < 0) goto err; + } if (!OSSL_CMP_CTX_reinit(cmp_ctx)) goto err; } diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 5b36e821be..d42666331a 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -420,6 +420,12 @@ The file where any newly enrolled certificate should be saved. =item B<-chainout> I<filename> The file where the chain of any newly enrolled certificate should be saved. +This chain excludes the leaf certificate, i.e., the newly enrolled certificate. +Also the trust anchor (the root certificate) is not included. + +If the B<-certout> option is given, too, with equal I<filename> argument, +then the file produced contains both outputs concatenated: +the newly enrolled certificate followed by its chain. =back diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index 2f8e8dee51..b9d89dbc3d 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -647,6 +647,8 @@ If the callback argument is NULL the function tries building an approximate chain as far as possible using the same untrusted certificates from the I<ctx>, and if this fails it takes the received extraCerts as fallback. The resulting cert chain can be retrieved using OSSL_CMP_CTX_get1_newChain(). +This chain excludes the leaf certificate, i.e., the newly enrolled certificate. +Also the trust anchor (the root certificate) is not included. OSSL_CMP_CTX_set_certConf_cb() sets the callback used for evaluating the newly enrolled certificate before the library sends, depending on its result, diff --git a/test/recipes/80-test_cmp_http_data/test_enrollment.csv b/test/recipes/80-test_cmp_http_data/test_enrollment.csv index 3d14c78a46..a66afdc837 100644 --- a/test/recipes/80-test_cmp_http_data/test_enrollment.csv +++ b/test/recipes/80-test_cmp_http_data/test_enrollment.csv @@ -66,7 +66,9 @@ expected,description, -section,val, -cmd,val, -newkey,val,val, -newkeypass,val, 1,disable_confirm, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -disable_confirm,, -certout,_RESULT_DIR/test.certout_disable.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,, 0,disable_confirm with parameter, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -disable_confirm,abc, -certout,_RESULT_DIR/test.certout_disable1.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -1,use certout (and chainout), -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, ,,, -out_trusted,root.crt,,BLANK,,BLANK,,,,-cert,_RESULT_DIR/test.certout_newkey.pem,-untrusted,_RESULT_DIR/test.chainout.pem +1,use certout (and chainout) , -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, ,,, -out_trusted,root.crt,,BLANK,,BLANK,,,,-cert,_RESULT_DIR/test.certout_newkey.pem,-untrusted,_RESULT_DIR/test.chainout.pem +1,certout and chainout sent to same file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, ,,, -out_trusted,root.crt,,BLANK,,BLANK,,,,-certout,_RESULT_DIR/test.certout_chainout.pem,,-chainout,_RESULT_DIR/test.certout_chainout.pem +1,use certout and chainout from same file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, ,,, -out_trusted,root.crt,,BLANK,,BLANK,,,,-cert,_RESULT_DIR/test.certout_chainout.pem,-untrusted,"""" 0,no certout, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,"""",, -out_trusted,root.crt,,BLANK,,BLANK,,, 0,certout missing arg, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,,, -out_trusted,root.crt,,BLANK,,BLANK,,, 0,certout is non-existing directory and file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,idontexist/idontexist,, -out_trusted,root.crt,,BLANK,,BLANK,,, |