authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-09-04 15:24:14 +0200
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-09-05 18:11:12 +0200
commit15076c26d794dbbdc5413a72e7feded0c9a2ba07 (patch)
tree19ed48870fcc21002b9053e3e9d3f8ca5d584be7 /apps/cmp.c
parent39082af2fa6549c3d92c917ea5a423bca57c7b42 (diff)
Strengthen chain building for CMP
* Add -own_trusted option to CMP app * Add OSSL_CMP_CTX_build_cert_chain() * Add optional trust store arg to ossl_cmp_build_cert_chain() * Extend the tests in cmp_protect_test.c and the documentation accordingly Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12791)
Diffstat (limited to 'apps/cmp.c')
-rw-r--r--apps/cmp.c34
1 files changed, 24 insertions, 10 deletions
diff --git a/apps/cmp.c b/apps/cmp.c
index 1af27f7881..799ec34e1f 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -97,6 +97,7 @@ static char *opt_cacertsout = NULL;
static char *opt_ref = NULL;
static char *opt_secret = NULL;
static char *opt_cert = NULL;
+static char *opt_own_trusted = NULL;
static char *opt_key = NULL;
static char *opt_keypass = NULL;
static char *opt_digest = NULL;
@@ -218,7 +219,7 @@ typedef enum OPTION_choice {
OPT_IGNORE_KEYUSAGE, OPT_UNPROTECTED_ERRORS,
OPT_EXTRACERTSOUT, OPT_CACERTSOUT,
- OPT_REF, OPT_SECRET, OPT_CERT, OPT_KEY, OPT_KEYPASS,
+ OPT_REF, OPT_SECRET, OPT_CERT, OPT_OWN_TRUSTED, OPT_KEY, OPT_KEYPASS,
OPT_DIGEST, OPT_MAC, OPT_EXTRACERTS,
OPT_UNPROTECTED_REQUESTS,
@@ -383,6 +384,8 @@ const OPTIONS cmp_options[] = {
"Client's current certificate (needed unless using -secret for PBM);"},
{OPT_MORE_STR, 0, 0,
"any further certs included are appended in extraCerts field"},
+ {"own_trusted", OPT_OWN_TRUSTED, 's',
+ "Optional certs to verify chain building for own CMP signer cert"},
{"key", OPT_KEY, 's', "Private key for the client's current certificate"},
{"keypass", OPT_KEYPASS, 's',
"Client private key (and cert and old cert file) pass phrase source"},
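Review bot: The help string for the new `own_trusted` entry says the certs are "Optional" but does not tell the user what chain building does when the option is absent; in the setup_protection_ctx hunk below, a missing -own_trusted leaves `own_trusted` NULL and that NULL store is passed straight to OSSL_CMP_CTX_build_cert_chain, which presumably means the signer chain is then built without being verified against any trust anchor. A user reading only the help cannot see that difference, and it is the security-relevant one. Suggested wording: `"Optional trusted certs to verify chain building for own CMP signer cert"` on the first line, with an `{OPT_MORE_STR, 0, 0, "(if not given, the chain is built without verification)"}` continuation, assuming that reading of the NULL store is confirmed against OSSL_CMP_CTX_build_cert_chain.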
@@ -536,7 +539,8 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
{(char **)&opt_ignore_keyusage}, {(char **)&opt_unprotected_errors},
{&opt_extracertsout}, {&opt_cacertsout},
- {&opt_ref}, {&opt_secret}, {&opt_cert}, {&opt_key}, {&opt_keypass},
+ {&opt_ref}, {&opt_secret},
+ {&opt_cert}, {&opt_own_trusted}, {&opt_key}, {&opt_keypass},
{&opt_digest}, {&opt_mac}, {&opt_extracerts},
{(char **)&opt_unprotected_requests},
@@ -1595,6 +1599,7 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (opt_cert != NULL) {
X509 *cert;
STACK_OF(X509) *certs = NULL;
+ X509_STORE *own_trusted = NULL;
int ok = 0;
if (!load_cert_certs(opt_cert, &cert, &certs, 0, opt_keypass,
@@ -1603,18 +1608,24 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
goto err;
ok = OSSL_CMP_CTX_set1_cert(ctx, cert);
X509_free(cert);
-
- if (ok) {
- /* add any remaining certs to the list of untrusted certs */
- STACK_OF(X509) *untrusted = OSSL_CMP_CTX_get0_untrusted_certs(ctx);
- ok = untrusted != NULL ?
- X509_add_certs(untrusted, certs,
- X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP)
- : OSSL_CMP_CTX_set1_untrusted_certs(ctx, certs);
+ if (!ok) {
+ CMP_err("out of memory");
+ } else {
+ if (opt_own_trusted != NULL) {
+ own_trusted = load_certstore(opt_own_trusted,
+ "trusted certs for verifying own CMP signer cert");
+ ok = own_trusted != NULL
+ && set1_store_parameters(own_trusted)
+ && truststore_set_host_etc(own_trusted, NULL);
+ }
+ ok = ok && OSSL_CMP_CTX_build_cert_chain(ctx, own_trusted, certs);
}
+ X509_STORE_free(own_trusted);
sk_X509_pop_free(certs, X509_free);
if (!ok)
goto err;
+ } else if (opt_own_trusted != NULL) {
+ CMP_warn("-own_trusted option is ignored without -cert");
}
if (!setup_certs(opt_extracerts, "extra certificates for CMP", ctx,
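Review bot: The call `ok = ok && OSSL_CMP_CTX_build_cert_chain(ctx, own_trusted, certs);` is reached with `own_trusted == NULL` whenever -own_trusted is not given, and nothing at the call site records that this is a deliberate unverified-chain mode rather than a missed initialization; a maintainer auditing how the signer chain is trusted has to infer it from the option help two hunks up. I would add `/* own_trusted == NULL: build the chain without checking it against a trust anchor */` above that line, hedged until the NULL-store semantics of OSSL_CMP_CTX_build_cert_chain are confirmed. Separately, `CMP_err("out of memory");` after a failed OSSL_CMP_CTX_set1_cert names a cause the return value does not distinguish; unless that function is known to fail only on allocation, a neutral `CMP_err("failed to set own CMP signer cert");` is safer. The replaced code also appended the extra certs to the context's untrusted list; whether OSSL_CMP_CTX_build_cert_chain does the same for `certs` is not visible here, so a one-line comment stating where those certs now end up would help. setup_protection_ctx continues past the end of the hunk.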
@@ -2400,6 +2411,9 @@ static int get_opts(int argc, char **argv)
case OPT_CERT:
opt_cert = opt_str("cert");
break;
+ case OPT_OWN_TRUSTED:
+ opt_own_trusted = opt_str("own_trusted");
+ break;
case OPT_KEY:
opt_key = opt_str("key");
break;