diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2022-08-01 20:34:19 +0200 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2022-08-24 11:29:40 +0200 |
commit | 7af110f9f5fb9b039cc09b63768a0b989a7bf5ad (patch) | |
tree | 3d5ee51498f2e93b4cc7b040a3540930e969abdb | |
parent | aeadd2981b214d5e2a8f578179c17b0dccc77042 (diff) |
CMP: correct handling of fallback subject in OSSL_CMP_CTX_setup_CRM() and its doc
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18929)
-rw-r--r-- | crypto/cmp/cmp_msg.c | 15 | ||||
-rw-r--r-- | doc/man1/openssl-cmp.pod.in | 13 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_MSG_get0_header.pod | 21 |
3 files changed, 29 insertions, 20 deletions
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index bd141b5a7b..c6c75f3bc1 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -253,16 +253,16 @@ OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype) (sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \ || OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1) -static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, - const X509_NAME *ref_subj, - int for_KUR) +static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, int for_KUR, + const X509_NAME *ref_subj) { if (ctx->subjectName != NULL) return IS_NULL_DN(ctx->subjectName) ? NULL : ctx->subjectName; - - if (ref_subj != NULL && (ctx->p10CSR != NULL || for_KUR || !HAS_SAN(ctx))) + if (ctx->p10CSR != NULL) /* first default is from any given CSR */ + return X509_REQ_get_subject_name(ctx->p10CSR); + if (for_KUR || !HAS_SAN(ctx)) /* - * For KUR, copy subject from the reference. + * For KUR, copy subject from any reference cert as fallback. * For IR or CR, do the same only if there is no subjectAltName. */ return ref_subj; @@ -277,9 +277,8 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid) EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0); STACK_OF(GENERAL_NAME) *default_sans = NULL; const X509_NAME *ref_subj = - ctx->p10CSR != NULL ? X509_REQ_get_subject_name(ctx->p10CSR) : refcert != NULL ? X509_get_subject_name(refcert) : NULL; - const X509_NAME *subject = determine_subj(ctx, ref_subj, for_KUR); + const X509_NAME *subject = determine_subj(ctx, for_KUR, ref_subj); const X509_NAME *issuer = ctx->issuer != NULL || refcert == NULL ? (IS_NULL_DN(ctx->issuer) ? NULL : ctx->issuer) : X509_get_issuer_name(refcert); diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 1fa2e99842..a27af9f645 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -268,11 +268,11 @@ L<openssl-passphrase-options(1)>. X509 Distinguished Name (DN) of subject to use in the requested certificate template. -For KUR, it defaults to the public key -in the PKCS#10 CSR given with the B<-csr> option, if provided, -or of the reference certificate (see B<-oldcert>) if provided. -This default is used for IR and CR only if no SANs are set. If the NULL-DN (C<"/">) is given then no subject is placed in the template. +Default is the subject DN of any PKCS#10 CSR given with the B<-csr> option. +For KUR, a further fallback is the subject DN +of the reference certificate (see B<-oldcert>) if provided. +This fallback is used for IR and CR only if no SANs are set. If provided and neither of B<-cert>, B<-oldcert>, or B<-csr> is given, the subject DN is used as fallback sender of outgoing CMP messages. @@ -357,8 +357,9 @@ is provided via the B<-newkey> or B<-key> options. PKCS#10 CSR in PEM or DER format containing a certificate request. With B<-cmd> I<p10cr> it is used directly in a legacy P10CR message. -When used with B<-cmd> I<ir>, I<cr>, or I<kur>, it is transformed into the -respective regular CMP request. +When used with B<-cmd> I<ir>, I<cr>, or I<kur>, +it is transformed into the respective regular CMP request, +while its public key is ignored if I<-newkey> is given. It may also be used with B<-cmd> I<rr> to specify the certificate to be revoked via the included subject name and public key. Its subject is used as fallback sender in CMP message headers diff --git a/doc/man3/OSSL_CMP_MSG_get0_header.pod b/doc/man3/OSSL_CMP_MSG_get0_header.pod index 76e24e1bad..6fc620f83b 100644 --- a/doc/man3/OSSL_CMP_MSG_get0_header.pod +++ b/doc/man3/OSSL_CMP_MSG_get0_header.pod @@ -45,12 +45,14 @@ the first available value of these: =over 4 -=item any subject name in I<ctx> set via L<OSSL_CMP_CTX_set1_subjectName(3)>, +=item any subject name in I<ctx> set via L<OSSL_CMP_CTX_set1_subjectName(3)> - +if it is the NULL-DN (i.e., any empty sequence of RDNs), no subject is included, -=item the subject field of any PKCS#10 CSR is given in I<ctx>, or +=item the subject field of any PKCS#10 CSR set in I<ctx> +via L<OSSL_CMP_CTX_set1_p10CSR(3)>, =item the subject field of any reference certificate given in I<ctx> -(see L<OSSL_CMP_CTX_set1_oldCert(3)>), if I<for_KUR> is nonzero +(see L<OSSL_CMP_CTX_set1_oldCert(3)>), but only if I<for_KUR> is nonzero or the I<ctx> does not include a Subject Alternative Name. =back @@ -61,9 +63,9 @@ The public key included is the first available value of these: =item the public key derived from any key set via L<OSSL_CMP_CTX_set0_newPkey(3)>, -=item the public key of any PKCS#10 CSR is given in I<ctx>, +=item the public key of any PKCS#10 CSR given in I<ctx>, -=item the public key of any reference certificate given in I<ctx>, or +=item the public key of any reference certificate given in I<ctx>, =item the public key derived from any client's private key set via L<OSSL_CMP_CTX_set1_pkey(3)>. @@ -108,7 +110,7 @@ or NULL if the respective entry does not exist and on error. OSSL_CMP_MSG_get_bodytype() returns the body type or -1 on error. -OSSL_CMP_CTX_setup_CRM() returns a pointer to a OSSL_CRMF_MSG on success, +OSSL_CMP_CTX_setup_CRM() returns a pointer to a B<OSSL_CRMF_MSG> on success, NULL on error. d2i_OSSL_CMP_MSG_bio() returns the parsed message or NULL on error. @@ -121,6 +123,13 @@ the number of bytes successfully encoded or a negative value if an error occurs. OSSL_CMP_MSG_update_transactionID() returns 1 on success, 0 on error. +=head1 SEE ALSO + +L<OSSL_CMP_CTX_set1_subjectName(3)>, L<OSSL_CMP_CTX_set1_p10CSR(3)>, +L<OSSL_CMP_CTX_set1_oldCert(3)>, L<OSSL_CMP_CTX_set0_newPkey(3)>, +L<OSSL_CMP_CTX_set1_pkey(3)>, L<OSSL_CMP_CTX_set0_reqExtensions(3)>, +L<OSSL_CMP_CTX_push1_subjectAltName(3)>, L<OSSL_CMP_CTX_push0_policy(3)> + =head1 HISTORY The OpenSSL CMP support was added in OpenSSL 3.0. |