authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2021-01-20 20:41:15 +0100
committerDr. David von Oheimb <dev@ddvo.net>2021-02-19 16:58:22 +0100
commit5e128ed1209335fb72fe50a68640331e354cbea6 (patch)
tree0d32b40ae7a84fbb0463b7ecbf93865a13dd7f65 /apps
parenta3361c3755f4127a8017acf84aa924a5b8e52ff9 (diff)
CMP: Fix total_timeout behavior; small doc and diagnostic improvements
Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14019)
Diffstat (limited to 'apps')
-rw-r--r--apps/cmp.c31
1 files changed, 18 insertions, 13 deletions
diff --git a/apps/cmp.c b/apps/cmp.c
index 887ec5d22e..5778fd95a7 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -697,12 +697,13 @@ static void warn_cert_msg(const char *uri, X509 *cert, const char *msg)
static void warn_cert(const char *uri, X509 *cert, int warn_EE)
{
+ uint32_t ex_flags = X509_get_extension_flags(cert);
int res = X509_cmp_timeframe(vpm, X509_get0_notBefore(cert),
X509_get0_notAfter(cert));
if (res != 0)
warn_cert_msg(uri, cert, res > 0 ? "has expired" : "not yet valid");
- if (warn_EE && (X509_get_extension_flags(cert) & EXFLAG_CA) == 0)
+ if (warn_EE && (ex_flags & EXFLAG_V1) == 0 && (ex_flags & EXFLAG_CA) == 0)
warn_cert_msg(uri, cert, "is not a CA cert");
}
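Review bot: The new condition `if (warn_EE && (ex_flags & EXFLAG_V1) == 0 && (ex_flags & EXFLAG_CA) == 0)` silently drops the "is not a CA cert" warning for every v1 certificate, and nothing in the hunk records why; since a v1 certificate cannot carry basicConstraints, an operator who hands a v1 cert to an option that expects a CA now gets no diagnostic at all. A one-line comment above the check would make the policy explicit, e.g. `/* v1 certs cannot carry basicConstraints, so only v3 certs lacking the CA flag are reported */`. If the intent is merely to stop mis-reporting legacy v1 CAs, a softer message for that case, `warn_cert_msg(uri, cert, "is a v1 cert, so its CA status cannot be checked")`, would keep the signal without the false positive; which policy is intended is not visible here.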
@@ -788,14 +789,14 @@ static int write_PKIMESSAGE(const OSSL_CMP_MSG *msg, char **filenames)
return 0;
}
if (*filenames == NULL) {
- CMP_err("Not enough file names provided for writing PKIMessage");
+ CMP_err("not enough file names provided for writing PKIMessage");
return 0;
}
file = *filenames;
*filenames = next_item(file);
if (OSSL_CMP_MSG_write(file, msg) < 0) {
- CMP_err1("Cannot write PKIMessage to file '%s'", file);
+ CMP_err1("cannot write PKIMessage to file '%s'", file);
return 0;
}
return 1;
@@ -812,7 +813,7 @@ static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames)
return NULL;
}
if (*filenames == NULL) {
- CMP_err("Not enough file names provided for reading PKIMessage");
+ CMP_err("not enough file names provided for reading PKIMessage");
return NULL;
}
@@ -821,7 +822,7 @@ static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames)
ret = OSSL_CMP_MSG_read(file);
if (ret == NULL)
- CMP_err1("Cannot read PKIMessage from file '%s'", file);
+ CMP_err1("cannot read PKIMessage from file '%s'", file);
return ret;
}
@@ -1654,9 +1655,9 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (opt_csr != NULL) {
if (opt_cmd == CMP_GENM) {
- CMP_warn("-csr option is ignored for genm command");
+ CMP_warn("-csr option is ignored for command 'genm'");
} else {
- csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr");
+ csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR");
if (csr == NULL)
return 0;
if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) {
@@ -1737,10 +1738,14 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (opt_oldcert != NULL) {
if (opt_cmd == CMP_GENM) {
- CMP_warn("-oldcert option is ignored for genm command");
+ CMP_warn("-oldcert option is ignored for command 'genm'");
} else {
X509 *oldcert = load_cert_pwd(opt_oldcert, opt_keypass,
- "certificate to be updated/revoked");
+ opt_cmd == CMP_KUR ?
+ "certificate to be updated" :
+ opt_cmd == CMP_RR ?
+ "certificate to be revoked" :
+ "reference certificate (oldcert)");
/* opt_keypass needed if opt_oldcert is an encrypted PKCS#12 file */
if (oldcert == NULL)
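Review bot: The description argument to `load_cert_pwd` at `X509 *oldcert = load_cert_pwd(opt_oldcert, opt_keypass,` is a two-level nested ternary spread over five argument lines, which is hard to scan and easy to mis-edit when another command is added. Hoisting it into a named local keeps the call readable: `const char *desc = opt_cmd == CMP_KUR ? "certificate to be updated" : opt_cmd == CMP_RR ? "certificate to be revoked" : "reference certificate (oldcert)";` followed by `X509 *oldcert = load_cert_pwd(opt_oldcert, opt_keypass, desc);`. The `/* opt_keypass needed if opt_oldcert is an encrypted PKCS#12 file */` comment could then sit directly above the call it explains instead of after it. The enclosing setup_request_ctx body continues past the end of the hunk.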
@@ -1892,7 +1897,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
char *ref_cert = opt_oldcert != NULL ? opt_oldcert : opt_cert;
if (ref_cert == NULL && opt_csr == NULL) {
- CMP_err("missing -oldcert or -csr option for certificate to be updated");
+ CMP_err("missing -oldcert for certificate to be updated and no fallback -csr given");
goto err;
}
if (opt_subject != NULL)
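Review bot: The new message `CMP_err("missing -oldcert for certificate to be updated and no fallback -csr given");` understates what the code accepts: `char *ref_cert = opt_oldcert != NULL ? opt_oldcert : opt_cert;` on the first line of the hunk means a user who passes `-cert` satisfies this check without any `-oldcert`, so the error points them at only one of the two flags that would fix it. Naming both keeps the diagnostic in step with the condition, e.g. `CMP_err("missing -oldcert or -cert for certificate to be updated and no fallback -csr given");`. The enclosing block (presumably the kur branch of setup_client_ctx) starts before the hunk, so whether `-cert` is documented elsewhere as a reference certificate is not visible here.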
@@ -1901,11 +1906,11 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
}
if (opt_cmd == CMP_RR) {
if (opt_oldcert == NULL && opt_csr == NULL) {
- CMP_err("missing certificate to be revoked and no fallback -csr given");
+ CMP_err("missing -oldcert for certificate to be revoked and no fallback -csr given");
goto err;
}
if (opt_oldcert != NULL && opt_csr != NULL)
- CMP_warn("Ignoring -csr since certificate to be revoked is given");
+ CMP_warn("ignoring -csr since certificate to be revoked is given");
}
if (opt_cmd == CMP_P10CR && opt_csr == NULL) {
CMP_err("missing PKCS#10 CSR for p10cr");
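Review bot: The rr branch now reports the precedence rule with `CMP_warn("ignoring -csr since certificate to be revoked is given");`, but the kur branch just above (its visible part in the previous hunk starts at `char *ref_cert = ...`) emits no corresponding warning when a reference certificate and `-csr` are both supplied, so the same situation is announced for one command and silent for the other. If the kur branch indeed ignores `-csr` once a reference certificate is present — the rest of that branch is outside the hunk, so this is inferred — a parallel `CMP_warn("ignoring -csr since reference certificate is given");` there would make the two consistent.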
@@ -2787,7 +2792,7 @@ int cmp_main(int argc, char **argv)
if (req != NULL) {
if (strcmp(path, "") != 0 && strcmp(path, "pkix/") != 0) {
(void)http_server_send_status(cbio, 404, "Not Found");
- CMP_err1("Expecting empty path or 'pkix/' but got '%s'",
+ CMP_err1("expecting empty path or 'pkix/' but got '%s'",
path);
OPENSSL_free(path);
OSSL_CMP_MSG_free(req);
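Review bot: `CMP_err1("expecting empty path or 'pkix/' but got '%s'", path);` prints the request path into the diagnostic output unfiltered, and in this branch the path belongs to a client request the mock server has just rejected with `http_server_send_status(cbio, 404, "Not Found")`, so a remote peer can place arbitrary bytes — newlines, terminal escape sequences — into the log. Unless the parser that produced `path` already restricts it to printable characters (not visible here), the message should go through a small escaping step, replacing non-printable bytes with `?` and capping the length, before it is interpolated; reporting only the length, `CMP_err1("expecting empty path or 'pkix/' but got a path of %lu bytes", (unsigned long)strlen(path));`, is the minimal alternative. The enclosing cmp_main body continues outside the hunk.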