diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2023-04-25 19:14:34 +0200 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2023-05-12 10:52:30 +0200 |
commit | 6e4783d0c1f0b4e130f6af753cf77de35324540c (patch) | |
tree | 005c3004a2ef3b4b64226c49a6c1f8f51598cecf /apps | |
parent | 68a54ccef28682d09bc6fbcf1fadf03777c30ac2 (diff) |
CMP client: fix error response on -csr without private key, also in docs
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20832)
(cherry picked from commit 2d6585986f3b754750b25e7a296a08e7129a5320)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/cmp.c | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/apps/cmp.c b/apps/cmp.c index e1228966fb..e9e23cd1f7 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1528,10 +1528,25 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback"); if (opt_cmd == CMP_IR || opt_cmd == CMP_CR || opt_cmd == CMP_KUR) { - if (opt_newkey == NULL && opt_key == NULL && opt_csr == NULL) { - CMP_err("missing -newkey (or -key) to be certified and no -csr given"); + if (opt_newkey == NULL + && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) { + CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, or -cert given for fallback public key"); return 0; } + if (opt_newkey == NULL + && opt_popo != OSSL_CRMF_POPO_NONE + && opt_popo != OSSL_CRMF_POPO_RAVERIFIED) { + if (opt_csr != NULL) { + CMP_err1("no -newkey option given with private key for POPO, -csr option only provides public key%s", + opt_key == NULL ? "" : + ", and -key option superseded by by -csr"); + return 0; + } + if (opt_key == NULL) { + CMP_err("missing -newkey (or -key) option for POPO"); + return 0; + } + } if (opt_certout == NULL) { CMP_err("-certout not given, nowhere to save newly enrolled certificate"); return 0; |