From 6b58f498b3f5d8e4c9197c3c5228fb450e33aaaf Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Fri, 27 Jan 2023 21:17:50 +0100
Subject: OSSL_CMP_certConf_cb(): fix regression on checking newly enrolled cert

Also add corresponding tests and to this end update credentials

Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
Reviewed-by: David von Oheimb
(Merged from https://github.com/openssl/openssl/pull/20160)
---
 apps/cmp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'apps/cmp.c')

diff --git a/apps/cmp.c b/apps/cmp.c
index 00e8be63d1..f31358e741 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1274,7 +1274,9 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host,
 /* disable any cert status/revocation checking etc. */
 X509_VERIFY_PARAM_clear_flags(tls_vpm,
 ~(X509_V_FLAG_USE_CHECK_TIME
- | X509_V_FLAG_NO_CHECK_TIME));
+ | X509_V_FLAG_NO_CHECK_TIME
+ | X509_V_FLAG_PARTIAL_CHAIN
+ | X509_V_FLAG_POLICY_CHECK));
 }
 CMP_debug("trying to build cert chain for own TLS cert");
 if (SSL_CTX_build_cert_chain(ssl_ctx,
-- 
cgit v1.2.3
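Review bot: The widened keep-mask in the `X509_VERIFY_PARAM_clear_flags()` call retains `X509_V_FLAG_POLICY_CHECK` but still clears its companion flags `X509_V_FLAG_EXPLICIT_POLICY`, `X509_V_FLAG_INHIBIT_ANY` and `X509_V_FLAG_INHIBIT_MAP`, so a configuration that had set any of them would be evaluated more leniently at this step than the user asked for. If the policy settings are meant to survive here, keeping the whole group is clearer: `| X509_V_FLAG_POLICY_MASK));` in place of `| X509_V_FLAG_POLICY_CHECK));`. The comment above the call would also read more accurately as an allowlist, e.g. `/* keep only time, partial-chain and policy flags; drop status/revocation checks etc. */`. `setup_ssl_ctx()` starts and continues outside the hunk, so whether the cleared flags are restored after `SSL_CTX_build_cert_chain()` cannot be confirmed from these lines.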