| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-05-06 18:49:54 +0200 |
|---|---|---|
| committer | Pauli <pauli@openssl.org> | 2023-09-21 11:15:49 +1000 |
| commit | 080bd08fd32608b4f2edfa4b1e87e199b08a8835 (patch) | |
| tree | e16cc0f6e1b2ef89c5037e9cece514f69581ead8 /doc | |
| parent | 0988de278c2f861e47d63cd284992befa686e4a8 (diff) | |
cmp_vfy.c: Use verification callback if cert_acceptable() finds expired cert
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21656)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man3/OSSL_CMP_validate_msg.pod | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/doc/man3/OSSL_CMP_validate_msg.pod b/doc/man3/OSSL_CMP_validate_msg.pod index 9fe7f4385f..7dbe3f74ca 100644 --- a/doc/man3/OSSL_CMP_validate_msg.pod +++ b/doc/man3/OSSL_CMP_validate_msg.pod @@ -30,10 +30,12 @@ is preferably the one provided by a call to L<OSSL_CMP_CTX_set1_srvCert(3)>. If no such sender cert has been pinned then candidate sender certificates are taken from the list of certificates received in the I<msg> extraCerts, then any certificates provided before via L<OSSL_CMP_CTX_set1_untrusted(3)>, and -then all trusted certificates provided via L<OSSL_CMP_CTX_set0_trusted(3)>, -where a candidate is acceptable only if has not expired, its subject DN matches +then all trusted certificates provided via L<OSSL_CMP_CTX_set0_trusted(3)>. +A candidate certificate is acceptable only if it is currently valid +(or the trust store contains a verification callback that overrides the verdict +that the certificate is expired or not yet valid), its subject DN matches the I<msg> sender DN (as far as present), and its subject key identifier -is present and matches the senderKID (as far as the latter present). +is present and matches the senderKID (as far as the latter is present). Each acceptable cert is tried in the given order to see if the message signature check succeeds and the cert and its path can be verified using any trust store set via L<OSSL_CMP_CTX_set0_trusted(3)>. |
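Review bot: "currently valid" in the new sentence is ambiguous in a paragraph that also talks about the cert and its path being "verified"; since the parenthetical only concerns the expired / not-yet-valid case, say "within its validity period" so readers do not take it to mean a full chain check happens at candidate selection. The parenthetical itself would also be easier to act on if it named how the override is installed, e.g. "(or the trust store set via L<OSSL_CMP_CTX_set0_trusted(3)> has a verification callback, set with L<X509_STORE_set_verify_cb(3)>, that accepts the certificate despite X509_V_ERR_CERT_HAS_EXPIRED or X509_V_ERR_CERT_NOT_YET_VALID)", which also makes clear to operators that such a callback widens which sender certs are tried and should be used deliberately. The grammar fix "as far as the latter is present" is correct.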