summaryrefslogtreecommitdiffstats
path: root/crypto/cmp/cmp_ctx.c
diff options
context:
space:
mode:
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-08-28 12:11:31 +0200
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-09-10 07:07:55 +0200
commita0745e2be6635ffdf286ba5bc3bd867c8d4152a9 (patch)
tree00d93474fb208fba1ce021a5a82d1effb933535b /crypto/cmp/cmp_ctx.c
parent474853c39a2b631f9f401df32834043500081b7c (diff)
Clean up CMP chain building for CMP signer, TLS client, and newly enrolled certs
* Use strenghtened cert chain building, verifying chain using optional trust store while making sure that no certificate status (e.g., CRL) checks are done * Use OSSL_CMP_certConf_cb() by default and move its doc to OSSL_CMP_CTX_new.pod * Simplify certificate and cert store loading in apps/cmp.c Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12741)
Diffstat (limited to 'crypto/cmp/cmp_ctx.c')
-rw-r--r--crypto/cmp/cmp_ctx.c13
1 files changed, 5 insertions, 8 deletions
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index 5b61108f8b..6bbd3510c7 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -189,6 +189,7 @@ void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
sk_X509_pop_free(ctx->untrusted, X509_free);
X509_free(ctx->cert);
+ sk_X509_pop_free(ctx->chain, X509_free);
EVP_PKEY_free(ctx->pkey);
ASN1_OCTET_STRING_free(ctx->referenceValue);
if (ctx->secretValue != NULL)
@@ -489,11 +490,7 @@ int ossl_cmp_ctx_set1_newChain(OSSL_CMP_CTX *ctx, STACK_OF(X509) *newChain)
return (ctx->newChain = X509_chain_up_ref(newChain)) != NULL;
}
-/*
- * Returns the stack of certificates received in a response message.
- * The stack is duplicated so the caller must handle freeing it!
- * Returns pointer to created stack on success, NULL on error
- */
+/* Returns the stack of extraCerts received in CertRepMessage, NULL on error */
STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
@@ -523,7 +520,7 @@ int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
}
/*
- * Duplicate and set the given stack as the new stack of X509
+ * Copies any given stack as the new stack of X509
* certificates to send out in the extraCerts field.
*/
int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
@@ -596,7 +593,7 @@ STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx)
}
/*
- * Duplicate and copy the given stack of certificates to the given
+ * Copies any given stack of certificates to the given
* OSSL_CMP_CTX structure so that they may be retrieved later.
*/
int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs)
@@ -766,7 +763,7 @@ int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
return 0;
}
ossl_cmp_debug(ctx, "success building chain for own CMP signer cert");
- sk_X509_pop_free(chain, X509_free); /* TODO(3.0) replace this by 'ctx->chain = chain;' when ctx->chain is available */
+ ctx->chain = chain;
return 1;
}