apps/cmp: extend documentation and diagnostics for using -reqin in special situations

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/21660)
2023-08-04 11:47:17 +02:00 · 2023-08-04 11:47:17 +02:00 · 904ee65290
parent 2fbe23bbbe
commit 904ee65290
2 changed files with 23 additions and 5 deletions
--- a/apps/cmp.c
+++ b/apps/cmp.c
@ -1586,13 +1586,15 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
            && opt_popo != OSSL_CRMF_POPO_NONE
            && opt_popo != OSSL_CRMF_POPO_RAVERIFIED) {
            if (opt_csr != NULL) {
-                CMP_err1("no -newkey option given with private key for POPO, -csr option only provides public key%s",
+                CMP_err1("no -newkey option given with private key for POPO, -csr option provides just public key%s",
-                        opt_key == NULL ? "" :
+                         opt_key == NULL ? "" :
-                        ", and -key option superseded by -csr");
+                         ", and -key option superseded by -csr");
                if (opt_reqin != NULL)
                    CMP_info("since -reqin is used, may use -popo -1 or -popo 0 to disable the needless generation of a POPO");
                return 0;
            }
            if (opt_key == NULL) {
-                CMP_err("missing -newkey (or -key) option for POPO");
+                CMP_err("missing -newkey (or -key) option for key to be certified and for POPO");
                return 0;
            }
        }
@ -1696,7 +1698,7 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
    if (opt_recipient == NULL && opt_srvcert == NULL && opt_issuer == NULL
            && opt_oldcert == NULL && opt_cert == NULL)
-        CMP_warn("missing -recipient, -srvcert, -issuer, -oldcert or -cert; recipient will be set to \"NULL-DN\"");
+        CMP_warn("missing -recipient, -srvcert, -issuer, -oldcert or -cert; recipient for any requests not covered by -reqin will be set to \"NULL-DN\"");
    if (opt_cmd == CMP_P10CR || opt_cmd == CMP_RR || opt_cmd == CMP_GENM) {
        const char *msg = "option is ignored for 'p10cr', 'rr', and 'genm' commands";
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@ -988,9 +988,25 @@ Default is one invocation.
 Take the sequence of CMP requests to send to the server from the given file(s)
 rather than from the sequence of requests produced internally.
 This option is useful for supporting offline scenarios where the certificate
 request (or any other CMP request) is produced beforehand and sent out later.
 This option is ignored if the B<-rspin> option is given
 because in the latter case no requests are actually sent.
 Note that in any case the client produces internally its sequence
 of CMP request messages. Thus, all options required for doing this
 (such as B<-cmd> and all options providing the required parameters)
 need to be given also when the B<-reqin> option is present.
 Hint: In case the B<-reqin> option is given for a certificate request,
 there are situations where the client has access to
 the public key to be certified (e.g., via the B<-newkey> or B<-csr> options) but
 not to the private key that by default will be needed for proof of possession.
 In this case the POPO is not actually needed (because the internally produced
 certificate request message will not be sent), and its generation
 can be disabled using the options B<-popo> I<-1> or B<-popo> I<0>.
 Multiple filenames may be given, separated by commas and/or whitespace
 (where in the latter case the whole argument must be enclosed in "...").