authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2022-02-17 19:40:29 +0100
committerDr. David von Oheimb <dev@ddvo.net>2022-03-12 09:05:02 +0100
commitc8c923454b52d64234c941553d81143918e502ea (patch)
treec88f3b2886692c5b720f80f06b5b63f8b5e6c711 /crypto/cmp
parent2cb52118ddd1d82d7b6028372238eaa2467bbd48 (diff)
OSSL_CMP_CTX_setup_CRM(): Fix handling of defaults from CSR and refcert
Also update and complete related documentation. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/17726)
Diffstat (limited to 'crypto/cmp')
-rw-r--r--crypto/cmp/cmp_msg.c17
1 files changed, 10 insertions, 7 deletions
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 0497155e09..0b2dc987eb 100644
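--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -260,7 +260,7 @@ static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx,
 if (ctx->subjectName != NULL)
 return IS_NULL_DN(ctx->subjectName) ? NULL : ctx->subjectName;
-if (ref_subj != NULL && (for_KUR || !HAS_SAN(ctx)))
+if (ref_subj != NULL && (ctx->p10CSR != NULL || for_KUR || !HAS_SAN(ctx)))
 /*
 * For KUR, copy subject from the reference.
 * For IR or CR, do the same only if there is no subjectAltName.
@@ -289,6 +289,8 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
 if (rkey == NULL && ctx->p10CSR != NULL)
 rkey = X509_REQ_get0_pubkey(ctx->p10CSR);
+if (rkey == NULL && refcert != NULL)
+rkey = X509_get0_pubkey(refcert);
 if (rkey == NULL)
 rkey = ctx->pkey; /* default is independent of ctx->oldCert */
 if (rkey == NULL) {
@@ -327,12 +329,15 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
 }
 /* extensions */
-if (refcert != NULL && !ctx->SubjectAltName_nodefault)
-default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
-NID_subject_alt_name, NULL, NULL);
 if (ctx->p10CSR != NULL
 && (exts = X509_REQ_get_extensions(ctx->p10CSR)) == NULL)
 goto err;
+if (!ctx->SubjectAltName_nodefault && !HAS_SAN(ctx) && refcert != NULL
+&& (default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
+NID_subject_alt_name, NULL, NULL))
+!= NULL
+&& !add1_extension(&exts, NID_subject_alt_name, crit, default_sans))
+goto err;
 if (ctx->reqExtensions != NULL /* augment/override existing ones */
 && !add_extensions(&exts, ctx->reqExtensions))
 goto err;
@@ -340,9 +345,6 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
 && !add1_extension(&exts, NID_subject_alt_name,
 crit, ctx->subjectAltNames))
 goto err;
-if (!HAS_SAN(ctx) && default_sans != NULL
-&& !add1_extension(&exts, NID_subject_alt_name, crit, default_sans))
-goto err;
 if (ctx->policies != NULL
 && !add1_extension(&exts, NID_certificate_policies,
 ctx->setPoliciesCritical, ctx->policies))
@@ -566,6 +568,7 @@ OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
 if (!sk_OSSL_CMP_REVDETAILS_push(msg->body->value.rr, rd))
 goto err;
 rd = NULL;
+/* Revocation Passphrase according to section 5.3.19.9 could be set here */
 if (!ossl_cmp_msg_protect(ctx, msg))
 goto err;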
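Review bot: The refcert subjectAltName fallback added to OSSL_CMP_CTX_setup_CRM (the `!ctx->SubjectAltName_nodefault && !HAS_SAN(ctx) && refcert != NULL` chain) is appended to `exts` after the extensions copied from `ctx->p10CSR`, and nothing in that chain inspects `exts` (HAS_SAN receives only ctx), so when the CSR already carries a SAN the reference certificate's SAN appears to be added as a second subjectAltName extension, assuming add1_extension appends rather than replaces, which is not visible here. Inserting `&& X509v3_get_ext_by_NID(exts, NID_subject_alt_name, -1) < 0` right after `!HAS_SAN(ctx)` would keep the CSR's SAN authoritative, in line with the new `ctx->p10CSR != NULL` branch in determine_subj that lets a CSR drive the subject. That branch also leaves the comment directly below it (`For KUR, copy subject from the reference. For IR or CR, do the same only if there is no subjectAltName.`) incomplete; add a line such as `* When a CSR is given, copy the subject from it.`. Likewise `/* default is independent of ctx->oldCert */` next to the ctx->pkey fallback reads stale now that rkey is first taken from refcert, if refcert is derived from ctx->oldCert as the comment's contrast suggests; rewording it to `/* last resort; the refcert fallback above may already depend on ctx->oldCert */` avoids the confusion. Both determine_subj and OSSL_CMP_CTX_setup_CRM continue outside the hunks shown.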