diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2022-12-19 11:31:10 +0100 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2024-01-17 15:03:41 +0100 |
commit | 1caaf073b071dcd184f10bd9cfbdb6ff73b9e945 (patch) | |
tree | 4c0c434dbb44078f75d153cb8c27fcf55083fcc6 /apps | |
parent | fd514375e22d3039ab0ab12e3017aadf2c38b761 (diff) |
CMP app and doc: add -no_cache_extracerts option / OSSL_CMP_OPT_NO_CACHE_EXTRACERTS
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19948)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/cmp.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/apps/cmp.c b/apps/cmp.c index 8a0d182fbe..c92c666f4a 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -86,6 +86,7 @@ static char *opt_srvcert = NULL; static char *opt_expect_sender = NULL; static int opt_ignore_keyusage = 0; static int opt_unprotected_errors = 0; +static int opt_no_cache_extracerts = 0; static char *opt_srvcertout = NULL; static char *opt_extracertsout = NULL; static char *opt_cacertsout = NULL; @@ -231,7 +232,7 @@ typedef enum OPTION_choice { OPT_TRUSTED, OPT_UNTRUSTED, OPT_SRVCERT, OPT_EXPECT_SENDER, - OPT_IGNORE_KEYUSAGE, OPT_UNPROTECTED_ERRORS, + OPT_IGNORE_KEYUSAGE, OPT_UNPROTECTED_ERRORS, OPT_NO_CACHE_EXTRACERTS, OPT_SRVCERTOUT, OPT_EXTRACERTSOUT, OPT_CACERTSOUT, OPT_OLDWITHOLD, OPT_NEWWITHNEW, OPT_NEWWITHOLD, OPT_OLDWITHNEW, @@ -408,6 +409,8 @@ const OPTIONS cmp_options[] = { "certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf"}, {OPT_MORE_STR, 0, 0, "WARNING: This setting leads to behavior allowing violation of RFC 4210"}, + {"no_cache_extracerts", OPT_NO_CACHE_EXTRACERTS, '-', + "Do not keep certificates received in the extraCerts CMP message field"}, { "srvcertout", OPT_SRVCERTOUT, 's', "File to save the server cert used and validated for CMP response protection"}, {"extracertsout", OPT_EXTRACERTSOUT, 's', @@ -612,6 +615,7 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */ {&opt_trusted}, {&opt_untrusted}, {&opt_srvcert}, {&opt_expect_sender}, {(char **)&opt_ignore_keyusage}, {(char **)&opt_unprotected_errors}, + {(char **)&opt_no_cache_extracerts}, {&opt_srvcertout}, {&opt_extracertsout}, {&opt_cacertsout}, {&opt_oldwithold}, {&opt_newwithnew}, {&opt_newwithold}, {&opt_oldwithnew}, @@ -2638,6 +2642,9 @@ static int get_opts(int argc, char **argv) case OPT_UNPROTECTED_ERRORS: opt_unprotected_errors = 1; break; + case OPT_NO_CACHE_EXTRACERTS: + opt_no_cache_extracerts = 1; + break; case OPT_SRVCERTOUT: opt_srvcertout = opt_str(); break; @@ -3243,6 +3250,9 @@ int cmp_main(int argc, char **argv) if (opt_ignore_keyusage) (void)OSSL_CMP_CTX_set_option(cmp_ctx, OSSL_CMP_OPT_IGNORE_KEYUSAGE, 1); + if (opt_no_cache_extracerts) + (void)OSSL_CMP_CTX_set_option(cmp_ctx, OSSL_CMP_OPT_NO_CACHE_EXTRACERTS, + 1); if (opt_use_mock_srv #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP) |