root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR 

Also improve doc how the -reqexts option affects the CSR given with the -csr option.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14181)
This commit is contained in:
Dr. David von Oheimb 2021-02-14 20:25:42 +01:00 committed by Dmitry Belyavskiy
parent d44a8a16c8
commit b51bed05c2
2 changed files with 30 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
apps/cmp.c
View File

@ -1601,6 +1601,10 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
*/ */
static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{ {
X509_REQ *csr = NULL;
X509_EXTENSIONS *exts = NULL;
X509V3_CTX ext_ctx;
if (opt_subject == NULL if (opt_subject == NULL
&& opt_csr == NULL && opt_oldcert == NULL && opt_cert == NULL && opt_csr == NULL && opt_oldcert == NULL && opt_cert == NULL
&& opt_cmd != CMP_RR && opt_cmd != CMP_GENM) && opt_cmd != CMP_RR && opt_cmd != CMP_GENM)
@ -1648,30 +1652,41 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
return 0; return 0;
} }
if (opt_csr != NULL) {
if (opt_cmd == CMP_GENM) {
CMP_warn("-csr option is ignored for genm command");
} else {
csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr");
if (csr == NULL)
return 0;
if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) {
X509_REQ_free(csr);
goto oom;
}
}
}
if (opt_reqexts != NULL || opt_policies != NULL) { if (opt_reqexts != NULL || opt_policies != NULL) {
X509V3_CTX ext_ctx; if ((exts = sk_X509_EXTENSION_new_null()) == NULL)
X509_EXTENSIONS *exts = sk_X509_EXTENSION_new_null(); goto exts_err;
X509V3_set_ctx(&ext_ctx, NULL, NULL, csr, NULL, X509V3_CTX_REPLACE);
if (exts == NULL)
return 0;
X509V3_set_ctx(&ext_ctx, NULL, NULL, NULL, NULL, 0);
X509V3_set_nconf(&ext_ctx, conf); X509V3_set_nconf(&ext_ctx, conf);
if (opt_reqexts != NULL if (opt_reqexts != NULL
&& !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_reqexts, &exts)) { && !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_reqexts, &exts)) {
CMP_err1("cannot load certificate request extension section '%s'", CMP_err1("cannot load certificate request extension section '%s'",
opt_reqexts); opt_reqexts);
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); goto exts_err;
return 0;
} }
if (opt_policies != NULL if (opt_policies != NULL
&& !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_policies, &exts)) { && !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_policies, &exts)) {
CMP_err1("cannot load policy cert request extension section '%s'", CMP_err1("cannot load policy cert request extension section '%s'",
opt_policies); opt_policies);
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); goto exts_err;
return 0;
} }
OSSL_CMP_CTX_set0_reqExtensions(ctx, exts); OSSL_CMP_CTX_set0_reqExtensions(ctx, exts);
exts = NULL;
} }
X509_REQ_free(csr);
csr = NULL;
if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) && opt_sans != NULL) { if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) && opt_sans != NULL) {
CMP_err("cannot have Subject Alternative Names both via -reqexts and via -sans"); CMP_err("cannot have Subject Alternative Names both via -reqexts and via -sans");
return 0; return 0;
@ -1720,22 +1735,6 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (opt_popo >= OSSL_CRMF_POPO_NONE) if (opt_popo >= OSSL_CRMF_POPO_NONE)
(void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_POPO_METHOD, opt_popo); (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_POPO_METHOD, opt_popo);
if (opt_csr != NULL) {
if (opt_cmd == CMP_GENM) {
CMP_warn("-csr option is ignored for genm command");
} else {
X509_REQ *csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr");
if (csr == NULL)
return 0;
if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) {
X509_REQ_free(csr);
goto oom;
}
X509_REQ_free(csr);
}
}
if (opt_oldcert != NULL) { if (opt_oldcert != NULL) {
if (opt_cmd == CMP_GENM) { if (opt_cmd == CMP_GENM) {
CMP_warn("-oldcert option is ignored for genm command"); CMP_warn("-oldcert option is ignored for genm command");
@ -1762,6 +1761,9 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
oom: oom:
CMP_err("out of memory"); CMP_err("out of memory");
exts_err:
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
X509_REQ_free(csr);
return 0; return 0;
} }

2
doc/man1/openssl-cmp.pod.in
View File

@ -298,6 +298,8 @@ validity period starts from the current time (as seen by the host).
=item B<-reqexts> I<name> =item B<-reqexts> I<name>
Name of section in OpenSSL config file defining certificate request extensions. Name of section in OpenSSL config file defining certificate request extensions.
If the B<-csr> option is present, these extensions augment the extensions
contained the given PKCS#10 CSR, overriding any extensions with same OIDs.
=item B<-sans> I<spec> =item B<-sans> I<spec>