Strengthen chain building for CMP

* Add -own_trusted option to CMP app * Add OSSL_CMP_CTX_build_cert_chain() * Add optional trust store arg to ossl_cmp_build_cert_chain() * Extend the tests in cmp_protect_test.c and the documentation accordingly Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12791)
author: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-09-04 15:24:14 +0200
committer: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-09-05 18:11:12 +0200
commit: 15076c26d794dbbdc5413a72e7feded0c9a2ba07 (patch)
tree: 19ed48870fcc21002b9053e3e9d3f8ca5d584be7 /include
parent: 39082af2fa6549c3d92c917ea5a423bca57c7b42 (diff)
2 files changed, 5 insertions, 2 deletions
diff --git a/include/openssl/cmp.h b/include/openssl/cmp.h
index d12d48ba4f..edab120364 100644
--- a/include/openssl/cmp.h
+++ b/include/openssl/cmp.h
@@ -295,6 +295,8 @@ int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
 STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx);
 /* client authentication: */
 int OSSL_CMP_CTX_set1_cert(OSSL_CMP_CTX *ctx, X509 *cert);
+int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
+                                  STACK_OF(X509) *candidates);
 int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
 int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
                                      const unsigned char *ref, int len);
@@ -322,6 +324,8 @@ int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
 /* certificate confirmation: */
 typedef int (*OSSL_CMP_certConf_cb_t) (OSSL_CMP_CTX *ctx, X509 *cert,
                                        int fail_info, const char **txt);
+int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
+                         const char **text);
 int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb);
 int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
 void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx);
@@ -437,8 +441,6 @@ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
     OSSL_CMP_exec_certreq(ctx, OSSL_CMP_KUR, NULL)
 int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
                          const OSSL_CRMF_MSG *crm, int *checkAfter);
-int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
-                         const char **text);
 X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
 STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx);
 
diff --git a/include/openssl/cmperr.h b/include/openssl/cmperr.h
index 2ae82974a9..190e1a96bd 100644
--- a/include/openssl/cmperr.h
+++ b/include/openssl/cmperr.h
@@ -66,6 +66,7 @@ int ERR_load_CMP_strings(void);
 #  define CMP_R_ERROR_UNEXPECTED_CERTCONF                  160
 #  define CMP_R_ERROR_VALIDATING_PROTECTION                140
 #  define CMP_R_ERROR_VALIDATING_SIGNATURE                 171
+#  define CMP_R_FAILED_BUILDING_OWN_CHAIN                  164
 #  define CMP_R_FAILED_EXTRACTING_PUBKEY                   141
 #  define CMP_R_FAILURE_OBTAINING_RANDOM                   110
 #  define CMP_R_FAIL_INFO_OUT_OF_RANGE                     129
author	Dr. David von Oheimb <David.von.Oheimb@siemens.com>	2020-09-04 15:24:14 +0200
committer	Dr. David von Oheimb <David.von.Oheimb@siemens.com>	2020-09-05 18:11:12 +0200
commit	15076c26d794dbbdc5413a72e7feded0c9a2ba07 (patch)
tree	19ed48870fcc21002b9053e3e9d3f8ca5d584be7 /include
parent	39082af2fa6549c3d92c917ea5a423bca57c7b42 (diff)