apps/cmp: improve -reqin option to read fallback public key from first request message file given
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/21660)
This commit is contained in:
parent
bcd3707dba
commit
d6d9277b2e
50
apps/cmp.c
50
apps/cmp.c
|
@ -1558,6 +1558,48 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
|
|||
return 1;
|
||||
}
|
||||
|
||||
static int set_fallback_pubkey(OSSL_CMP_CTX *ctx)
|
||||
{
|
||||
char *file = opt_reqin, *end = file, bak;
|
||||
OSSL_CMP_MSG *req;
|
||||
const X509_PUBKEY *pubkey;
|
||||
EVP_PKEY *pkey;
|
||||
EVP_PKEY *pkey1;
|
||||
int res = 0;
|
||||
|
||||
/* temporarily separate first file name in opt_reqin */
|
||||
while (*end != ',' && !isspace(_UC(*end)) && *end != '\0')
|
||||
end++;
|
||||
bak = *end;
|
||||
*end = '\0';
|
||||
req = OSSL_CMP_MSG_read(file, app_get0_libctx(), app_get0_propq());
|
||||
*end = bak;
|
||||
|
||||
if (req == NULL) {
|
||||
CMP_err1("failed to load ir/cr/kur file '%s' attempting to get fallback public key",
|
||||
file);
|
||||
return 0;
|
||||
}
|
||||
if ((pubkey = OSSL_CMP_MSG_get0_certreq_publickey(req)) == NULL
|
||||
|| (pkey = X509_PUBKEY_get0(pubkey)) == NULL) {
|
||||
CMP_err1("failed to get fallback public key from ir/cr/kur file '%s'",
|
||||
file);
|
||||
goto err;
|
||||
}
|
||||
pkey1 = EVP_PKEY_dup(pkey);
|
||||
if (pkey == NULL || !OSSL_CMP_CTX_set0_newPkey(ctx, 0 /* priv */, pkey1)) {
|
||||
EVP_PKEY_free(pkey1);
|
||||
CMP_err1("failed to get fallback public key obtained from ir/cr/kur file '%s'",
|
||||
file);
|
||||
goto err;
|
||||
}
|
||||
res = 1;
|
||||
|
||||
err:
|
||||
OSSL_CMP_MSG_free(req);
|
||||
return res;
|
||||
}
|
||||
|
||||
/*
|
||||
* Set up IR/CR/P10CR/KUR/CertConf/RR/GENM specific parts of the OSSL_CMP_CTX
|
||||
* based on options from CLI and/or config file.
|
||||
|
@ -1577,9 +1619,9 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
|
|||
if (!set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer"))
|
||||
return 0;
|
||||
if (opt_cmd == CMP_IR || opt_cmd == CMP_CR || opt_cmd == CMP_KUR) {
|
||||
if (opt_newkey == NULL
|
||||
if (opt_reqin == NULL && opt_newkey == NULL
|
||||
&& opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) {
|
||||
CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, or -cert given for fallback public key");
|
||||
CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, -cert, or -reqin option given, which could provide fallback public key");
|
||||
return 0;
|
||||
}
|
||||
if (opt_newkey == NULL
|
||||
|
@ -1738,6 +1780,10 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
|
|||
EVP_PKEY_free(pkey);
|
||||
return 0;
|
||||
}
|
||||
} else if (opt_reqin != NULL
|
||||
&& opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) {
|
||||
if (!set_fallback_pubkey(ctx))
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (opt_days > 0
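Review bot: In set_fallback_pubkey (first hunk), the guard after `EVP_PKEY_dup` re-tests `pkey`, which the preceding check already proved non-NULL, instead of the duplicate, so an allocation failure in the dup goes unnoticed and `OSSL_CMP_CTX_set0_newPkey` is handed a NULL key; the line should read `if (pkey1 == NULL || !OSSL_CMP_CTX_set0_newPkey(ctx, 0 /* priv */, pkey1)) {`. Whether that then surfaces as an error or as a silent "no key set" presumably depends on how set0_newPkey treats NULL, which is not visible here, so the explicit check is the safer choice. A smaller diagnostic issue: `*end = bak` restores the separator before the CMP_err1 calls, so on a comma- or space-separated -reqin list the `%s` in both messages prints the whole list rather than the first file that was actually read; formatting with `"%.*s"` and `(int)(end - file)` would name the right file. The helper itself lies entirely within the hunk; its caller in the third hunk is inside setup_request_ctx, which starts and ends outside this view.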
|
||||
|
|
|
@ -999,9 +999,13 @@ of CMP request messages. Thus, all options required for doing this
|
|||
(such as B<-cmd> and all options providing the required parameters)
|
||||
need to be given also when the B<-reqin> option is present.
|
||||
|
||||
Hint: In case the B<-reqin> option is given for a certificate request,
|
||||
there are situations where the client has access to
|
||||
the public key to be certified (e.g., via the B<-newkey> or B<-csr> options) but
|
||||
If the B<-reqin> option is given for a certificate request
|
||||
and no B<-newkey>, B<-key>, B<-oldcert>, or B<-csr> option is given,
|
||||
a fallback public key is taken from the request message file
|
||||
(if it is included in the certificate template).
|
||||
|
||||
Hint: In case the B<-reqin> option is given for a certificate request, there are
|
||||
situations where the client has access to the public key to be certified but
|
||||
not to the private key that by default will be needed for proof of possession.
|
||||
In this case the POPO is not actually needed (because the internally produced
|
||||
certificate request message will not be sent), and its generation
|
||||
|
|
|
@ -116,3 +116,6 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
|
|||
0,rspin too few files - no server, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der,,BLANK,,BLANK, -server,""""
|
||||
1,reqout_only ir - no server, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir2.der,,BLANK,,BLANK, -server,""""
|
||||
0,reqout_only non-existing directory and file, -section,, -cmd,ir,,-reqout_only,idontexist/idontexist,,BLANK,,BLANK, -server,""""
|
||||
0,reqin ir - no newkey, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-newkey,"""",-newkey,"""",-key,"""",-cert,"""",-secret,_PBM_SECRET
|
||||
1,reqin ir and rspout - no newkey but -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspout,_RESULT_DIR/ip2.der,-newkey,"""",--key,"""",-cert,"""",-secret,_PBM_SECRET,-popo,-1
|
||||
1,reqin ip and rspin - no newkey but -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspin,_RESULT_DIR/ip2.der,,-newkey,"""",-key,"""",-cert,"""",-secret,_PBM_SECRET,-popo,-1, -server,"""",-disable_confirm
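Review bot: The second added test line (`reqin ir and rspout - no newkey but -popo -1`) spells the key option as `--key` with a doubled dash, while the sibling lines use `-key`; the test only exercises what its description says if the apps option parser accepts a leading `--` as an alias, which cannot be confirmed from here, and in any case the spelling should match the other lines: `-newkey,"""",-key,"""",-cert,""""`. The description of the third added line says `reqin ip` although the option it passes is `-reqin,_RESULT_DIR/ir2.der`, so the label should presumably read `reqin ir and rspin`. The first added line also lists `-newkey,""""` twice where the other two pair it with `-key`; worth confirming this is intentional column padding rather than a copy-paste slip.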
|
||||
|
|
|