mirror of https://github.com/openssl/openssl
Rename OSSL_CMP_CTX_set1_clCert() to OSSL_CMP_CTX_set1_cert()
Also update documentation and example code in openssl-cmp.pod.in Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11470)
This commit is contained in:
parent
143be4748e
commit
63f1883dca
13
apps/cmp.c
13
apps/cmp.c
|
@ -1535,7 +1535,8 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *e)
|
|||
if (opt_srv_cert != NULL) {
|
||||
X509 *srv_cert = load_cert_pwd(opt_srv_cert, opt_srv_keypass,
|
||||
"certificate of the server");
|
||||
if (srv_cert == NULL || !OSSL_CMP_CTX_set1_clCert(ctx, srv_cert)) {
|
||||
|
||||
if (srv_cert == NULL || !OSSL_CMP_CTX_set1_cert(ctx, srv_cert)) {
|
||||
X509_free(srv_cert);
|
||||
goto err;
|
||||
}
|
||||
|
@ -1939,7 +1940,7 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *e)
|
|||
}
|
||||
|
||||
if (opt_cert != NULL) {
|
||||
X509 *clcert;
|
||||
X509 *cert;
|
||||
STACK_OF(X509) *certs = NULL;
|
||||
int ok;
|
||||
|
||||
|
@ -1948,14 +1949,14 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *e)
|
|||
/* opt_keypass is needed if opt_cert is an encrypted PKCS#12 file */
|
||||
goto err;
|
||||
|
||||
clcert = sk_X509_delete(certs, 0);
|
||||
if (clcert == NULL) {
|
||||
cert = sk_X509_delete(certs, 0);
|
||||
if (cert == NULL) {
|
||||
CMP_err("no client certificate found");
|
||||
sk_X509_pop_free(certs, X509_free);
|
||||
goto err;
|
||||
}
|
||||
ok = OSSL_CMP_CTX_set1_clCert(ctx, clcert);
|
||||
X509_free(clcert);
|
||||
ok = OSSL_CMP_CTX_set1_cert(ctx, cert);
|
||||
X509_free(cert);
|
||||
|
||||
if (ok) {
|
||||
/* add any remaining certs to the list of untrusted certs */
|
||||
|
|
|
@ -164,7 +164,7 @@ void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
|
|||
X509_STORE_free(ctx->trusted);
|
||||
sk_X509_pop_free(ctx->untrusted_certs, X509_free);
|
||||
|
||||
X509_free(ctx->clCert);
|
||||
X509_free(ctx->cert);
|
||||
EVP_PKEY_free(ctx->pkey);
|
||||
ASN1_OCTET_STRING_free(ctx->referenceValue);
|
||||
if (ctx->secretValue != NULL)
|
||||
|
@ -676,12 +676,12 @@ int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx,
|
|||
* Set our own client certificate, used for example in KUR and when
|
||||
* doing the IR with existing certificate.
|
||||
*/
|
||||
DEFINE_OSSL_CMP_CTX_set1_up_ref(clCert, X509)
|
||||
DEFINE_OSSL_CMP_CTX_set1_up_ref(cert, X509)
|
||||
|
||||
/*
|
||||
* Set the old certificate that we are updating in KUR
|
||||
* or the certificate to be revoked in RR, respectively.
|
||||
* Also used as reference cert (defaulting to clCert) for deriving subject DN
|
||||
* Also used as reference cert (defaulting to cert) for deriving subject DN
|
||||
* and SANs. Its issuer is used as default recipient in the CMP message header.
|
||||
*/
|
||||
DEFINE_OSSL_CMP_CTX_set1_up_ref(oldCert, X509)
|
||||
|
|
|
@ -303,8 +303,8 @@ int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr)
|
|||
* The sender name is copied from the subject of the client cert, if any,
|
||||
* or else from the subject name provided for certification requests.
|
||||
*/
|
||||
sender = ctx->clCert != NULL ?
|
||||
X509_get_subject_name(ctx->clCert) : ctx->subjectName;
|
||||
sender = ctx->cert != NULL ?
|
||||
X509_get_subject_name(ctx->cert) : ctx->subjectName;
|
||||
if (!ossl_cmp_hdr_set1_sender(hdr, sender))
|
||||
return 0;
|
||||
|
||||
|
@ -321,8 +321,8 @@ int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr)
|
|||
rcp = ctx->issuer;
|
||||
} else if (ctx->oldCert != NULL) {
|
||||
rcp = X509_get_issuer_name(ctx->oldCert);
|
||||
} else if (ctx->clCert != NULL) {
|
||||
rcp = X509_get_issuer_name(ctx->clCert);
|
||||
} else if (ctx->cert != NULL) {
|
||||
rcp = X509_get_issuer_name(ctx->cert);
|
||||
}
|
||||
if (!ossl_cmp_hdr_set1_recipient(hdr, rcp))
|
||||
return 0;
|
||||
|
|
|
@ -68,8 +68,8 @@ struct ossl_cmp_ctx_st {
|
|||
|
||||
/* client authentication */
|
||||
int unprotectedSend; /* send unprotected PKI messages */
|
||||
X509 *clCert; /* client cert used to identify and sign for MSG_SIG_ALG */
|
||||
EVP_PKEY *pkey; /* the key pair corresponding to clCert */
|
||||
X509 *cert; /* protection cert used to identify and sign for MSG_SIG_ALG */
|
||||
EVP_PKEY *pkey; /* the key pair corresponding to cert */
|
||||
ASN1_OCTET_STRING *referenceValue; /* optional user name for MSG_MAC_ALG */
|
||||
ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */
|
||||
/* PBMParameters for MSG_MAC_ALG */
|
||||
|
|
|
@ -218,7 +218,7 @@ static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, X509 *refcert,
|
|||
static OSSL_CRMF_MSG *crm_new(OSSL_CMP_CTX *ctx, int bodytype, int rid)
|
||||
{
|
||||
OSSL_CRMF_MSG *crm = NULL;
|
||||
X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->clCert;
|
||||
X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->cert;
|
||||
/* refcert defaults to current client cert */
|
||||
EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
|
||||
STACK_OF(GENERAL_NAME) *default_sans = NULL;
|
||||
|
|
|
@ -145,14 +145,14 @@ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
|
|||
&& (msg->extraCerts = sk_X509_new_null()) == NULL)
|
||||
return 0;
|
||||
|
||||
if (ctx->clCert != NULL && ctx->pkey != NULL) {
|
||||
if (ctx->cert != NULL && ctx->pkey != NULL) {
|
||||
/* make sure that our own cert is included in the first position */
|
||||
if (!ossl_cmp_sk_X509_add1_cert(msg->extraCerts, ctx->clCert, 1, 1))
|
||||
if (!ossl_cmp_sk_X509_add1_cert(msg->extraCerts, ctx->cert, 1, 1))
|
||||
return 0;
|
||||
/* if we have untrusted certs, try to add intermediate certs */
|
||||
if (ctx->untrusted_certs != NULL) {
|
||||
STACK_OF(X509) *chain =
|
||||
ossl_cmp_build_cert_chain(ctx->untrusted_certs, ctx->clCert);
|
||||
ossl_cmp_build_cert_chain(ctx->untrusted_certs, ctx->cert);
|
||||
int res = ossl_cmp_sk_X509_add1_certs(msg->extraCerts, chain,
|
||||
1 /* no self-issued */,
|
||||
1 /* no duplicates */, 0);
|
||||
|
@ -244,7 +244,7 @@ int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
|
|||
&& !ossl_cmp_hdr_set1_senderKID(msg->header,
|
||||
ctx->referenceValue))
|
||||
goto err;
|
||||
} else if (ctx->clCert != NULL && ctx->pkey != NULL) {
|
||||
} else if (ctx->cert != NULL && ctx->pkey != NULL) {
|
||||
/*
|
||||
* use MSG_SIG_ALG according to 5.1.3.3 if client Certificate and
|
||||
* private key is given
|
||||
|
@ -254,7 +254,7 @@ int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
|
|||
ASN1_OBJECT *alg = NULL;
|
||||
|
||||
/* make sure that key and certificate match */
|
||||
if (!X509_check_private_key(ctx->clCert, ctx->pkey)) {
|
||||
if (!X509_check_private_key(ctx->cert, ctx->pkey)) {
|
||||
CMPerr(0, CMP_R_CERT_AND_KEY_DO_NOT_MATCH);
|
||||
goto err;
|
||||
}
|
||||
|
@ -280,7 +280,7 @@ int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
|
|||
* set senderKID to keyIdentifier of the used certificate according
|
||||
* to section 5.1.1
|
||||
*/
|
||||
subjKeyIDStr = X509_get0_subject_key_id(ctx->clCert);
|
||||
subjKeyIDStr = X509_get0_subject_key_id(ctx->cert);
|
||||
if (subjKeyIDStr == NULL)
|
||||
subjKeyIDStr = ctx->referenceValue; /* fallback */
|
||||
if (subjKeyIDStr != NULL
|
||||
|
@ -295,7 +295,7 @@ int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
|
|||
goto err;
|
||||
|
||||
/*
|
||||
* If present, add ctx->clCert followed by its chain as far as possible.
|
||||
* If present, add ctx->cert followed by its chain as far as possible.
|
||||
* Finally add any additional certificates from ctx->extraCertsOut;
|
||||
* even if not needed to validate the protection
|
||||
* the option to do this might be handy for certain use cases.
|
||||
|
|
|
@ -17,7 +17,7 @@ ossl_cmp_msg_add_extraCerts
|
|||
|
||||
ossl_cmp_msg_protect() (re-)protects the given message B<msg> using an algorithm
|
||||
depending on the available context information given in the B<ctx>.
|
||||
If there is a secretValue it selects PBMAC, else if there is a clCert
|
||||
If there is a secretValue it selects PBMAC, else if there is a protection cert
|
||||
it selects Signature and uses B<ossl_cmp_msg_add_extraCerts()>.
|
||||
It also sets the protectionAlg field in the message header accordingly.
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@ OSSL_CMP_CTX_set0_trustedStore,
|
|||
OSSL_CMP_CTX_get0_trustedStore,
|
||||
OSSL_CMP_CTX_set1_untrusted_certs,
|
||||
OSSL_CMP_CTX_get0_untrusted_certs,
|
||||
OSSL_CMP_CTX_set1_clCert,
|
||||
OSSL_CMP_CTX_set1_cert,
|
||||
OSSL_CMP_CTX_set1_pkey,
|
||||
OSSL_CMP_CTX_set1_referenceValue,
|
||||
OSSL_CMP_CTX_set1_secretValue,
|
||||
|
@ -102,7 +102,7 @@ OSSL_CMP_CTX_set1_senderNonce
|
|||
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx);
|
||||
|
||||
/* client authentication: */
|
||||
int OSSL_CMP_CTX_set1_clCert(OSSL_CMP_CTX *ctx, X509 *cert);
|
||||
int OSSL_CMP_CTX_set1_cert(OSSL_CMP_CTX *ctx, X509 *cert);
|
||||
int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
|
||||
int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
|
||||
const unsigned char *ref, int len);
|
||||
|
@ -411,18 +411,18 @@ The reference counts of those certificates handled successfully are increased.
|
|||
OSSL_CMP_CTX_get0_untrusted_certs(OSSL_CMP_CTX *ctx) returns a pointer to the
|
||||
list of untrusted certs, which may be empty if unset.
|
||||
|
||||
OSSL_CMP_CTX_set1_clCert() sets the client certificate in the given B<ctx>.
|
||||
The public key of this B<clCert> must correspond to
|
||||
OSSL_CMP_CTX_set1_cert() sets the certificate used for CMP message protection.
|
||||
The public key of this B<cert> must correspond to
|
||||
the private key set via B<OSSL_CMP_CTX_set1_pkey()>.
|
||||
When using signature-based protection of CMP request messages
|
||||
this "protection certificate" will be included first in the extraCerts field.
|
||||
The subject of this B<clCert> will be used as the "sender" field
|
||||
The subject of this B<cert> will be used as the "sender" field
|
||||
of outgoing CMP messages, with the fallback being
|
||||
the B<subjectName> set via B<OSSL_CMP_CTX_set1_subjectName()>.
|
||||
The B<cert> argument may be NULL to clear the entry.
|
||||
|
||||
OSSL_CMP_CTX_set1_pkey() sets the private key corresponding to
|
||||
the client certificate B<clCert> set via B<OSSL_CMP_CTX_set1_clCert()>.
|
||||
OSSL_CMP_CTX_set1_pkey() sets the private key corresponding to the
|
||||
protecting certificate B<cert> set via B<OSSL_CMP_CTX_set1_cert()>.
|
||||
This key is used create signature-based protection (protectionAlg = MSG_SIG_ALG)
|
||||
of outgoing messages
|
||||
unless a PBM secret has been set via B<OSSL_CMP_CTX_set1_secretValue()>.
|
||||
|
@ -438,11 +438,11 @@ PBM-based protection takes precedence over signature-based protection.
|
|||
OSSL_CMP_CTX_set1_referenceValue() sets the given referenceValue B<ref> with
|
||||
length B<len> in the given B<ctx> or clears it if the B<ref> argument is NULL.
|
||||
According to RFC 4210 section 5.1.1, if no value for the "sender" field in
|
||||
CMP message headers can be determined (i.e., no B<clCert> and no B<subjectName>
|
||||
is given) then the "sender" field will contain the NULL-DN
|
||||
CMP message headers can be determined (i.e., no protecting certificate B<cert>
|
||||
and no B<subjectName> is given) then the "sender" field will contain the NULL-DN
|
||||
and the senderKID field of the CMP message header must be set.
|
||||
When signature-based protection is used the senderKID will be set to
|
||||
the subjectKeyIdentifier of the <clCert> as far as present.
|
||||
the subjectKeyIdentifier of the protecting B<cert> as far as present.
|
||||
If not present or when PBM-based protection is used
|
||||
the B<ref> value is taken as the fallback value for the senderKID.
|
||||
|
||||
|
@ -451,7 +451,7 @@ PKIHeader of a request message, i.e. the X509 name of the (CA) server.
|
|||
Setting is overruled by subject of B<srvCert> if set.
|
||||
If neither B<srvCert> nor recipient are set, the recipient of the PKI message is
|
||||
determined in the following order: issuer, issuer of old cert (oldCert),
|
||||
issuer of client cert (B<clCert>), else NULL-DN.
|
||||
issuer of protecting certificate (B<cert>), else NULL-DN.
|
||||
When a response is received, its sender must match the recipient of the request.
|
||||
|
||||
OSSL_CMP_CTX_push0_geninfo_ITAV() adds B<itav> to the stack in the B<ctx> to be
|
||||
|
@ -481,7 +481,7 @@ the CertTemplate structure when requesting a new cert. For Key Update Requests
|
|||
see B<OSSL_CMP_CTX_set1_oldCert()>. This default is used for Initialization
|
||||
Requests (IR) and Certification Requests (CR) only if no SANs are set.
|
||||
The B<subjectName> is also used as the "sender" field for outgoing CMP messages
|
||||
if no B<clCert> has been set (e.g., in case requests are protected using PBM).
|
||||
if no B<cert> has been set (e.g., in case requests are protected using PBM).
|
||||
|
||||
OSSL_CMP_CTX_push1_subjectAltName() adds the given X509 name to the list of
|
||||
alternate names on the certificate template request. This cannot be used if
|
||||
|
@ -507,7 +507,7 @@ to the X509_EXTENSIONS of the requested certificate template.
|
|||
|
||||
OSSL_CMP_CTX_set1_oldCert() sets the old certificate to be updated in
|
||||
Key Update Requests (KUR) or to be revoked in Revocation Requests (RR).
|
||||
It must be given for RR, else it defaults to B<clCert>.
|
||||
It must be given for RR, else it defaults to the protecting B<cert>.
|
||||
The B<reference certificate> determined in this way, if any, is also used for
|
||||
deriving default subject DN and Subject Alternative Names for IR, CR, and KUR.
|
||||
Its issuer, if any, is used as default recipient in the CMP message header.
|
||||
|
@ -608,53 +608,57 @@ All other functions return 1 on success, 0 on error.
|
|||
|
||||
=head1 EXAMPLES
|
||||
|
||||
The following code does an Initialization Request:
|
||||
The following code omits error handling.
|
||||
|
||||
cmp_ctx = OSSL_CMP_CTX_new();
|
||||
OSSL_CMP_CTX_set1_server(cmp_ctx, address);
|
||||
OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len);
|
||||
OSSL_CMP_CTX_set1_secretValue(cmp_ctx, sec, sec_len);
|
||||
OSSL_CMP_CTX_set0_newPkey(cmp_ctx, new_pkey, 1);
|
||||
OSSL_CMP_CTX_set1_caCert(cmp_ctx, ca_cert);
|
||||
|
||||
initialClCert = OSSL_CMP_exec_IR_ses(cmp_ctx);
|
||||
|
||||
The following code does an Initialization Request using an
|
||||
external identity certificate (RFC 4210, Appendix E.7):
|
||||
|
||||
cmp_ctx = OSSL_CMP_CTX_new();
|
||||
OSSL_CMP_CTX_set1_server(cmp_ctx, sname);
|
||||
OSSL_CMP_CTX_set1_clCert(cmp_ctx, cl_cert);
|
||||
OSSL_CMP_CTX_set1_pkey(cmp_ctx, pkey);
|
||||
OSSL_CMP_CTX_set0_newPkey(cmp_ctx, new_pkey, 1);
|
||||
OSSL_CMP_CTX_set1_caCert(cmp_ctx, ca_cert);
|
||||
|
||||
initialClCert = OSSL_CMP_exec_IR_ses(cmp_ctx);
|
||||
|
||||
Here externalCert is an X509 certificate granted to the EE by another CA
|
||||
which is trusted by the current CA the code will connect to.
|
||||
|
||||
|
||||
The following code does a Key Update Request:
|
||||
|
||||
cmp_ctx = OSSL_CMP_CTX_new();
|
||||
OSSL_CMP_CTX_set1_server(cmp_ctx, url);
|
||||
OSSL_CMP_CTX_set1_pkey(cmp_ctx, pkey);
|
||||
OSSL_CMP_CTX_set0_newPkey(cmp_ctx, new_pkey, 1);
|
||||
OSSL_CMP_CTX_set1_clCert(cmp_ctx, cl_cert);
|
||||
OSSL_CMP_CTX_set1_caCert(cmp_ctx, ca_cert);
|
||||
|
||||
updatedClCert = OSSL_CMP_exec_KUR_ses(cmp_ctx);
|
||||
|
||||
The following code (which omits error handling) sends a General Message
|
||||
including, as an example, the id-it-signKeyPairTypes OID and prints info on
|
||||
the General Response contents.
|
||||
Set up a CMP client context for sending requests and verifying responses:
|
||||
|
||||
cmp_ctx = OSSL_CMP_CTX_new();
|
||||
OSSL_CMP_CTX_set1_server(cmp_ctx, sname);
|
||||
OSSL_CMP_CTX_set1_server(cmp_ctx, name_or_address);
|
||||
OSSL_CMP_CTX_set1_serverPort(cmp_ctx, port_string);
|
||||
OSSL_CMP_CTX_set1_serverPath(cmp_ctx, path_or_alias);
|
||||
OSSL_CMP_CTX_set0_trustedStore(cmp_ctx, ts);
|
||||
|
||||
Set up client credentials for password-based protection (PBM):
|
||||
|
||||
OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len);
|
||||
OSSL_CMP_CTX_set1_secretValue(cmp_ctx, sec, sec_len);
|
||||
|
||||
Set up the details for certificate requests:
|
||||
|
||||
OSSL_CMP_CTX_set1_subjectName(cmp_ctx, name);
|
||||
OSSL_CMP_CTX_set0_newPkey(cmp_ctx, 1, initialKey);
|
||||
|
||||
Perform an Initialization Request transaction:
|
||||
|
||||
initialCert = OSSL_CMP_exec_IR_ses(cmp_ctx);
|
||||
|
||||
Reset the transaction state of the CMP context and the credentials:
|
||||
|
||||
OSSL_CMP_CTX_reinit(cmp_ctx);
|
||||
OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, NULL, 0);
|
||||
OSSL_CMP_CTX_set1_secretValue(cmp_ctx, NULL, 0);
|
||||
|
||||
Perform a Certification Request transaction, making use of the new credentials:
|
||||
|
||||
OSSL_CMP_CTX_set1_cert(cmp_ctx, initialCert);
|
||||
OSSL_CMP_CTX_set1_pkey(cmp_ctx, initialKey);
|
||||
OSSL_CMP_CTX_set0_newPkey(cmp_ctx, 1, curentKey);
|
||||
currentCert = OSSL_CMP_exec_CR_ses(cmp_ctx);
|
||||
|
||||
Perform a Key Update Request, signed using the cert (and key) to be updated:
|
||||
|
||||
OSSL_CMP_CTX_reinit(cmp_ctx);
|
||||
OSSL_CMP_CTX_set1_cert(cmp_ctx, currentCert);
|
||||
OSSL_CMP_CTX_set1_pkey(cmp_ctx, currentKey);
|
||||
OSSL_CMP_CTX_set0_newPkey(cmp_ctx, 1, updatedKey);
|
||||
currentCert = OSSL_CMP_exec_KUR_ses(cmp_ctx);
|
||||
currentKey = updatedKey;
|
||||
|
||||
Perform a General Message transaction including, as an example,
|
||||
the id-it-signKeyPairTypes OID and prints info on the General Response contents:
|
||||
|
||||
OSSL_CMP_CTX_reinit(cmp_ctx);
|
||||
|
||||
ASN1_OBJECT *type = OBJ_txt2obj("1.3.6.1.5.5.7.4.2", 1);
|
||||
OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_new(type, NULL);
|
||||
OSSL_CMP_CTX_push0_genm_ITAV(cmp_ctx, itav);
|
||||
|
|
|
@ -294,7 +294,7 @@ X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx);
|
|||
int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
|
||||
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx);
|
||||
/* client authentication: */
|
||||
int OSSL_CMP_CTX_set1_clCert(OSSL_CMP_CTX *ctx, X509 *cert);
|
||||
int OSSL_CMP_CTX_set1_cert(OSSL_CMP_CTX *ctx, X509 *cert);
|
||||
int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
|
||||
int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
|
||||
const unsigned char *ref, int len);
|
||||
|
|
|
@ -67,7 +67,7 @@ static CMP_SES_TEST_FIXTURE *set_up(const char *const test_case_name)
|
|||
|| !ossl_cmp_mock_srv_set1_certOut(fixture->srv_ctx, client_cert)
|
||||
|| (srv_cmp_ctx =
|
||||
OSSL_CMP_SRV_CTX_get0_cmp_ctx(fixture->srv_ctx)) == NULL
|
||||
|| !OSSL_CMP_CTX_set1_clCert(srv_cmp_ctx, server_cert)
|
||||
|| !OSSL_CMP_CTX_set1_cert(srv_cmp_ctx, server_cert)
|
||||
|| !OSSL_CMP_CTX_set1_pkey(srv_cmp_ctx, server_key))
|
||||
goto err;
|
||||
if (!TEST_ptr(fixture->cmp_ctx = ctx = OSSL_CMP_CTX_new())
|
||||
|
|
|
@ -746,7 +746,7 @@ DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set0, get0, 0, trustedStore,
|
|||
DEFAULT_STORE, X509_STORE_new_1(), X509_STORE_free)
|
||||
DEFINE_SET_GET_SK_X509_TEST(OSSL_CMP, CTX, 1, 0, untrusted_certs)
|
||||
|
||||
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, clCert, X509)
|
||||
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, cert, X509)
|
||||
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, pkey, EVP_PKEY)
|
||||
|
||||
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, recipient, X509_NAME)
|
||||
|
@ -829,7 +829,7 @@ int setup_tests(void)
|
|||
ADD_TEST(test_CTX_set0_get0_trustedStore);
|
||||
ADD_TEST(test_CTX_set1_get0_untrusted_certs);
|
||||
/* client authentication: */
|
||||
ADD_TEST(test_CTX_set1_get0_clCert);
|
||||
ADD_TEST(test_CTX_set1_get0_cert);
|
||||
ADD_TEST(test_CTX_set1_get0_pkey);
|
||||
/* the following two also test ossl_cmp_asn1_octet_string_set1_bytes(): */
|
||||
ADD_TEST(test_CTX_set1_get1_referenceValue_str);
|
||||
|
|
|
@ -165,7 +165,7 @@ static int test_cmp_create_ir_protection_fails(void)
|
|||
if (!TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, newkey))
|
||||
|| !TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 0))
|
||||
/* newkey used by default for signing does not match cert: */
|
||||
|| !TEST_true(OSSL_CMP_CTX_set1_clCert(fixture->cmp_ctx, cert))) {
|
||||
|| !TEST_true(OSSL_CMP_CTX_set1_cert(fixture->cmp_ctx, cert))) {
|
||||
tear_down(fixture);
|
||||
fixture = NULL;
|
||||
}
|
||||
|
|
|
@ -242,7 +242,7 @@ static int test_MSG_protect_with_certificate_and_key(void)
|
|||
OSSL_CMP_MSG_dup(ir_unprotected))
|
||||
|| !TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 0))
|
||||
|| !TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, loadedkey))
|
||||
|| !TEST_true(OSSL_CMP_CTX_set1_clCert(fixture->cmp_ctx, cert))) {
|
||||
|| !TEST_true(OSSL_CMP_CTX_set1_cert(fixture->cmp_ctx, cert))) {
|
||||
tear_down(fixture);
|
||||
fixture = NULL;
|
||||
}
|
||||
|
|
|
@ -4771,7 +4771,7 @@ OSSL_CMP_CTX_set0_trustedStore ? 3_0_0 EXIST::FUNCTION:CMP
|
|||
OSSL_CMP_CTX_get0_trustedStore ? 3_0_0 EXIST::FUNCTION:CMP
|
||||
OSSL_CMP_CTX_set1_untrusted_certs ? 3_0_0 EXIST::FUNCTION:CMP
|
||||
OSSL_CMP_CTX_get0_untrusted_certs ? 3_0_0 EXIST::FUNCTION:CMP
|
||||
OSSL_CMP_CTX_set1_clCert ? 3_0_0 EXIST::FUNCTION:CMP
|
||||
OSSL_CMP_CTX_set1_cert ? 3_0_0 EXIST::FUNCTION:CMP
|
||||
OSSL_CMP_CTX_set1_pkey ? 3_0_0 EXIST::FUNCTION:CMP
|
||||
OSSL_CMP_CTX_set1_referenceValue ? 3_0_0 EXIST::FUNCTION:CMP
|
||||
OSSL_CMP_CTX_set1_secretValue ? 3_0_0 EXIST::FUNCTION:CMP
|
||||
|
|
Loading…
Reference in New Issue