Diffstat (limited to 'doc/internal')
-rw-r--r-- | doc/internal/man3/ossl_cmp_msg_check_update.pod | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/internal/man3/ossl_cmp_msg_check_update.pod b/doc/internal/man3/ossl_cmp_msg_check_update.pod index c058e90ffb..4e7a9224af 100644 --- a/doc/internal/man3/ossl_cmp_msg_check_update.pod +++ b/doc/internal/man3/ossl_cmp_msg_check_update.pod @@ -27,6 +27,9 @@ The B<msg> is checked for the following: =over 4 +=item its sender is of appropriate type (currently only B<X509_NAME>) + and matches any expected sender or srvCert subject given in B<ctx>, + =item its protection is present and valid (or a callback function B<cb> is present and indicates that a missing or invalid protection is acceptable), @@ -61,6 +64,13 @@ If all checks pass then ossl_cmp_msg_check_update() records in B<ctx> the senderNonce of the received message as the new recipNonce and learns the transaction ID if none is currently present in B<ctx>. +Moreover, according to RFC 4210 section 5.3.2, if the message protection is +PBM-based then any certificates in the caPubs field are added to the list of +trusted certificates (if set via L<OSSL_CMP_CTX_set0_trustedStore(3)>). +This way these certs are available for validating subsequent messages in the +same context and could apply to any Polling Response (pollRep), error, or PKI +Confirmation (PKIConf) messages following in the same or future transactions. + =head1 RETURN VALUES ossl_cmp_msg_check_update() returns 1 on success, -1 on error. |
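Review bot: the new =item in the first hunk does not say what the check does when B<ctx> holds no expected sender and no srvCert, nor what happens when the sender is a GeneralName of a type other than B<X509_NAME>; since the wording "(currently only B<X509_NAME>)" suggests the latter is rejected, state that explicitly, e.g. "a sender of any other type causes the check to fail, and if neither an expected sender nor an srvCert is set in B<ctx> the sender is accepted". It would also help readers to note that this name comparison is made before the protection is verified (it is listed ahead of the "its protection is present and valid" item), so a matching sender name on its own is not evidence of authenticity until the protection check has passed.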
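Review bot: in the second hunk, "(if set via L<OSSL_CMP_CTX_set0_trustedStore(3)>)" leaves it unclear whether caPubs are silently ignored when no trusted store has been set, or whether this is an error; say which, and since the function's name only suggests a check, state plainly that on success it modifies the caller-provided trusted store and that the added certificates remain trusted for the lifetime of that store (the text already notes they apply to "future transactions"). The paragraph should also make the precondition explicit rather than relying on its placement after "If all checks pass": the caPubs are taken over only when the PBM-based protection has been verified successfully, because a trust store extended from an unverified message would undermine validation of every later message in the same B<ctx>.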