author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2022-02-17 19:40:29 +0100 |
committer | Dr. David von Oheimb <dev@ddvo.net> | 2022-03-12 09:06:58 +0100 |
commit | 8dee8ba5a73da8f9bc5f1c918a1984a2a3421ff9 (patch) | |
tree | 03cdbf090905ba7c5e498e99ea9c0585a323e290 /crypto/cmp/cmp_msg.c | |
parent | f967cdbfb9e1e67cde7f947b950355a232d230fe (diff) |
OSSL_CMP_CTX_setup_CRM(): Fix handling of defaults from CSR and refcert
Also update and complete related documentation.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17726)
(cherry picked from commit c8c923454b52d64234c941553d81143918e502ea)
Diffstat (limited to 'crypto/cmp/cmp_msg.c')
-rw-r--r-- | crypto/cmp/cmp_msg.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 84a272fe2b..57fb39e0bb 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -260,7 +260,7 @@ static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx,
     if (ctx->subjectName != NULL)
         return IS_NULL_DN(ctx->subjectName) ? NULL : ctx->subjectName;
-    if (ref_subj != NULL && (for_KUR || !HAS_SAN(ctx)))
+    if (ref_subj != NULL && (ctx->p10CSR != NULL || for_KUR || !HAS_SAN(ctx)))
         /*
          * For KUR, copy subject from the reference.
          * For IR or CR, do the same only if there is no subjectAltName.
@@ -289,6 +289,8 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
     if (rkey == NULL && ctx->p10CSR != NULL)
         rkey = X509_REQ_get0_pubkey(ctx->p10CSR);
+    if (rkey == NULL && refcert != NULL)
+        rkey = X509_get0_pubkey(refcert);
     if (rkey == NULL)
         rkey = ctx->pkey; /* default is independent of ctx->oldCert */
     if (rkey == NULL) {
@@ -327,12 +329,15 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
     }
     /* extensions */
-    if (refcert != NULL && !ctx->SubjectAltName_nodefault)
-        default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
-                                      NID_subject_alt_name, NULL, NULL);
     if (ctx->p10CSR != NULL
             && (exts = X509_REQ_get_extensions(ctx->p10CSR)) == NULL)
         goto err;
+    if (!ctx->SubjectAltName_nodefault && !HAS_SAN(ctx) && refcert != NULL
+            && (default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
+                                              NID_subject_alt_name, NULL, NULL))
+            != NULL
+            && !add1_extension(&exts, NID_subject_alt_name, crit, default_sans))
+        goto err;
     if (ctx->reqExtensions != NULL /* augment/override existing ones */
             && !add_extensions(&exts, ctx->reqExtensions))
         goto err;
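Review bot: The comment directly under the changed condition is now stale: it explains only the KUR case and the IR/CR-without-subjectAltName case, while the new condition also takes the reference subject whenever `ctx->p10CSR` is set, regardless of any subjectAltName. Suggest `/* For KUR or when a CSR is given, copy subject from the reference; for IR or CR do the same only if there is no subjectAltName. */`. If `ref_subj` is in fact derived from the CSR's own subject when a CSR is present (its origin is not visible in this hunk), say so explicitly so a reader does not assume the CSR subject is being overridden by the old certificate. The body of determine_subj continues past the end of the hunk.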
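Review bot: The new fallback `rkey = X509_get0_pubkey(refcert)` silently re-certifies the key of the reference certificate when neither a new key nor a CSR key is set, so a KUR built this way performs no key rotation; CMP permits that, but it is a security-relevant default that deserves an inline comment, e.g. `/* default: re-use the reference cert's key (no key rotation) */`. It also presumes the matching private key is still available for the proof-of-possession computed later in this function; if it is not, the request presumably fails only at that later point, which is worth stating in the API documentation the commit says it updates. OSSL_CMP_CTX_setup_CRM continues outside the hunk.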
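Review bot: In the new combined condition a NULL result from `X509V3_get_d2i` is treated as "the reference cert has no subjectAltName" and the request proceeds without a default SAN, but that call also returns NULL on a decoding error or a duplicated extension, and with `NULL, NULL` for the crit/idx out-parameters the two cases cannot be told apart. Passing an `int ref_crit` as the third argument and going to `err` when it is negative (per the X509V3_get_d2i documentation it is set to -1 on error and -2 on multiple occurrences) would keep a malformed reference SAN from being silently dropped instead of reported. Separately, the default SAN is added with the context-level `crit` flag rather than the criticality the reference cert used, which is a reasonable choice but deserves a one-line comment such as `/* criticality follows the ctx setting, not the reference cert */`. The function continues outside the hunk.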
@@ -340,9 +345,6 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
             && !add1_extension(&exts, NID_subject_alt_name, crit, ctx->subjectAltNames))
         goto err;
-    if (!HAS_SAN(ctx) && default_sans != NULL
-        && !add1_extension(&exts, NID_subject_alt_name, crit, default_sans))
-        goto err;
     if (ctx->policies != NULL
             && !add1_extension(&exts, NID_certificate_policies,
                                ctx->setPoliciesCritical, ctx->policies))
@@ -566,6 +568,7 @@ OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
     if (!sk_OSSL_CMP_REVDETAILS_push(msg->body->value.rr, rd))
         goto err;
     rd = NULL;
+    /* Revocation Passphrase according to section 5.3.19.9 could be set here */
     if (!ossl_cmp_msg_protect(ctx, msg))
         goto err;
|
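Review bot: The added comment `/* Revocation Passphrase according to section 5.3.19.9 could be set here */` does not say which document the section number belongs to, and a bare section number in a protocol implementation quickly becomes unreadable; it should cite the specification, presumably RFC 4210, e.g. `/* TODO: the Revocation Passphrase (RFC 4210 section 5.3.19.9) could be set here */`. Marking it as a TODO also makes clear that this is unimplemented rather than a description of existing behaviour. ossl_cmp_rr_new starts outside the hunk.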