author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2023-01-27 21:17:50 +0100 |
committer | Dr. David von Oheimb <dev@ddvo.net> | 2023-02-13 11:56:10 +0100 |
commit | 6b58f498b3f5d8e4c9197c3c5228fb450e33aaaf (patch) | |
tree | 481acfef6b930c147e060be157656eaee95edf0a /crypto/cmp/cmp_client.c | |
parent | 1472127d9d6bc4866ab26b503e0d5937b40dca37 (diff) |
OSSL_CMP_certConf_cb(): fix regression on checking newly enrolled cert
Also add corresponding tests and, to this end, update credentials
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20160)
Diffstat (limited to 'crypto/cmp/cmp_client.c')
-rw-r--r-- | crypto/cmp/cmp_client.c | 38 |
1 files changed, 33 insertions, 5 deletions
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index 78daeb5cbf..7395c65647 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -493,18 +493,46 @@ int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
 if (fail_info != 0) /* accept any error flagged by CMP core library */
 return fail_info;
- ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert");
- chain = X509_build_chain(cert, ctx->untrusted, out_trusted /* maybe NULL */,
- 0, ctx->libctx, ctx->propq);
+ if (out_trusted == NULL) {
+ ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert");
+ chain = X509_build_chain(cert, ctx->untrusted, out_trusted,
+ 0, ctx->libctx, ctx->propq);
+ } else {
+ X509_STORE_CTX *csc = X509_STORE_CTX_new_ex(ctx->libctx, ctx->propq);
+
+ ossl_cmp_debug(ctx, "validating newly enrolled cert");
+ if (csc == NULL)
+ goto err;
+ if (!X509_STORE_CTX_init(csc, out_trusted, cert, ctx->untrusted))
+ goto err;
+ /* disable any cert status/revocation checking etc. */
+ X509_VERIFY_PARAM_clear_flags(X509_STORE_CTX_get0_param(csc),
+ ~(X509_V_FLAG_USE_CHECK_TIME
+ | X509_V_FLAG_NO_CHECK_TIME
+ | X509_V_FLAG_PARTIAL_CHAIN
+ | X509_V_FLAG_POLICY_CHECK));
+ if (X509_verify_cert(csc) <= 0)
+ goto err;
+
+ if (!ossl_x509_add_certs_new(&chain, X509_STORE_CTX_get0_chain(csc),
+ X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
+ | X509_ADD_FLAG_NO_SS)) {
+ sk_X509_free(chain);
+ chain = NULL;
+ }
+ err:
+ X509_STORE_CTX_free(csc);
+ }
+
 if (sk_X509_num(chain) > 0)
 X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */
 if (out_trusted != NULL) {
 if (chain == NULL) {
- ossl_cmp_err(ctx, "failed building chain for newly enrolled cert");
+ ossl_cmp_err(ctx, "failed to validate newly enrolled cert");
 fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData;
 } else {
 ossl_cmp_debug(ctx,
- "succeeded building proper chain for newly enrolled cert");
+ "success validating newly enrolled cert");
 }
 } else if (chain == NULL) {
 ossl_cmp_warn(ctx, "could not build approximate chain for newly enrolled cert, resorting to received extraCerts"); |
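Review bot: When `X509_verify_cert(csc)` fails in the new `else` branch, the verification error held in `csc` is thrown away by `goto err`, so the operator only ever sees the generic "failed to validate newly enrolled cert" plus `incorrectData` and cannot tell whether the chain was untrusted, expired or malformed. Logging the reason before leaving, e.g. `if (X509_verify_cert(csc) <= 0) { ossl_cmp_err(ctx, X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc))); goto err; }`, would make the rejection diagnosable from the CMP log. The same `err:` label is also reached when `X509_STORE_CTX_new_ex`, `X509_STORE_CTX_init` or `ossl_x509_add_certs_new` fail, which are presumably resource errors rather than a bad cert yet are reported with the same `incorrectData` failure info; a local flag set only on the verify failure would keep the PKIFailureInfo accurate. The comment on the `X509_VERIFY_PARAM_clear_flags` call could also state the rationale for dropping status checks, e.g. `/* cert was just issued, so revocation/status checks are not meaningful here; keep only the time, partial-chain and policy flags taken from out_trusted */`. OSSL_CMP_certConf_cb's body continues outside the hunk.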