apps/cmp: improve -reqin option to read fallback public key from first request message file given
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/21660)
parent
bcd3707dba
commit
d6d9277b2e
50
apps/cmp.c
50
apps/cmp.c
|
@ -1558,6 +1558,48 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int set_fallback_pubkey(OSSL_CMP_CTX *ctx)
|
||||||
|
{
|
||||||
|
char *file = opt_reqin, *end = file, bak;
|
||||||
|
OSSL_CMP_MSG *req;
|
||||||
|
const X509_PUBKEY *pubkey;
|
||||||
|
EVP_PKEY *pkey;
|
||||||
|
EVP_PKEY *pkey1;
|
||||||
|
int res = 0;
|
||||||
|
|
||||||
|
/* temporarily separate first file name in opt_reqin */
|
||||||
|
while (*end != ',' && !isspace(_UC(*end)) && *end != '\0')
|
||||||
|
end++;
|
||||||
|
bak = *end;
|
||||||
|
*end = '\0';
|
||||||
|
req = OSSL_CMP_MSG_read(file, app_get0_libctx(), app_get0_propq());
|
||||||
|
*end = bak;
|
||||||
|
|
||||||
|
if (req == NULL) {
|
||||||
|
CMP_err1("failed to load ir/cr/kur file '%s' attempting to get fallback public key",
|
||||||
|
file);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
if ((pubkey = OSSL_CMP_MSG_get0_certreq_publickey(req)) == NULL
|
||||||
|
|| (pkey = X509_PUBKEY_get0(pubkey)) == NULL) {
|
||||||
|
CMP_err1("failed to get fallback public key from ir/cr/kur file '%s'",
|
||||||
|
file);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
pkey1 = EVP_PKEY_dup(pkey);
|
||||||
|
if (pkey == NULL || !OSSL_CMP_CTX_set0_newPkey(ctx, 0 /* priv */, pkey1)) {
|
||||||
|
EVP_PKEY_free(pkey1);
|
||||||
|
CMP_err1("failed to get fallback public key obtained from ir/cr/kur file '%s'",
|
||||||
|
file);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
res = 1;
|
||||||
|
|
||||||
|
err:
|
||||||
|
OSSL_CMP_MSG_free(req);
|
||||||
|
return res;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Set up IR/CR/P10CR/KUR/CertConf/RR/GENM specific parts of the OSSL_CMP_CTX
|
* Set up IR/CR/P10CR/KUR/CertConf/RR/GENM specific parts of the OSSL_CMP_CTX
|
||||||
* based on options from CLI and/or config file.
|
* based on options from CLI and/or config file.
|
||||||
|
@ -1577,9 +1619,9 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
|
||||||
if (!set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer"))
|
if (!set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer"))
|
||||||
return 0;
|
return 0;
|
||||||
if (opt_cmd == CMP_IR || opt_cmd == CMP_CR || opt_cmd == CMP_KUR) {
|
if (opt_cmd == CMP_IR || opt_cmd == CMP_CR || opt_cmd == CMP_KUR) {
|
||||||
if (opt_newkey == NULL
|
if (opt_reqin == NULL && opt_newkey == NULL
|
||||||
&& opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) {
|
&& opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) {
|
||||||
CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, or -cert given for fallback public key");
|
CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, -cert, or -reqin option given, which could provide fallback public key");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if (opt_newkey == NULL
|
if (opt_newkey == NULL
|
||||||
|
@ -1738,6 +1780,10 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
|
||||||
EVP_PKEY_free(pkey);
|
EVP_PKEY_free(pkey);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
} else if (opt_reqin != NULL
|
||||||
|
&& opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) {
|
||||||
|
if (!set_fallback_pubkey(ctx))
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (opt_days > 0
|
if (opt_days > 0
|
||||||
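Review bot: In set_fallback_pubkey (hunk @ -1558), the condition following `pkey1 = EVP_PKEY_dup(pkey);` tests `pkey == NULL`, which the preceding X509_PUBKEY_get0 check has already ruled out, so a failed duplication is never detected and a NULL `pkey1` is handed to OSSL_CMP_CTX_set0_newPkey; if that setter treats NULL as a reset (which its set0 naming suggests, confirm), the function returns 1 with no fallback key installed and the problem only surfaces later with a misleading message. The line should read `if (pkey1 == NULL || !OSSL_CMP_CTX_set0_newPkey(ctx, 0 /* priv */, pkey1)) {`. The error text on that branch, "failed to get fallback public key obtained from ...", also reads oddly for what is a duplicate-or-set failure; `failed to set fallback public key obtained from ir/cr/kur file '%s'` would distinguish it from the get0 failure reported two lines above. The function body is complete within the hunk; the later `else if (opt_reqin != NULL ...)` caller in setup_request_ctx sits in a function that starts and ends outside the hunks shown.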
|
|
|
@ -999,9 +999,13 @@ of CMP request messages. Thus, all options required for doing this
|
||||||
(such as B<-cmd> and all options providing the required parameters)
|
(such as B<-cmd> and all options providing the required parameters)
|
||||||
need to be given also when the B<-reqin> option is present.
|
need to be given also when the B<-reqin> option is present.
|
||||||
|
|
||||||
Hint: In case the B<-reqin> option is given for a certificate request,
|
If the B<-reqin> option is given for a certificate request
|
||||||
there are situations where the client has access to
|
and no B<-newkey>, B<-key>, B<-oldcert>, or B<-csr> option is given,
|
||||||
the public key to be certified (e.g., via the B<-newkey> or B<-csr> options) but
|
a fallback public key is taken from the request message file
|
||||||
|
(if it is included in the certificate template).
|
||||||
|
|
||||||
|
Hint: In case the B<-reqin> option is given for a certificate request, there are
|
||||||
|
situations where the client has access to the public key to be certified but
|
||||||
not to the private key that by default will be needed for proof of possession.
|
not to the private key that by default will be needed for proof of possession.
|
||||||
In this case the POPO is not actually needed (because the internally produced
|
In this case the POPO is not actually needed (because the internally produced
|
||||||
certificate request message will not be sent), and its generation
|
certificate request message will not be sent), and its generation
|
||||||
|
|
|
@ -116,3 +116,6 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
|
||||||
0,rspin too few files - no server, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der,,BLANK,,BLANK, -server,""""
|
0,rspin too few files - no server, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der,,BLANK,,BLANK, -server,""""
|
||||||
1,reqout_only ir - no server, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir2.der,,BLANK,,BLANK, -server,""""
|
1,reqout_only ir - no server, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir2.der,,BLANK,,BLANK, -server,""""
|
||||||
0,reqout_only non-existing directory and file, -section,, -cmd,ir,,-reqout_only,idontexist/idontexist,,BLANK,,BLANK, -server,""""
|
0,reqout_only non-existing directory and file, -section,, -cmd,ir,,-reqout_only,idontexist/idontexist,,BLANK,,BLANK, -server,""""
|
||||||
|
0,reqin ir - no newkey, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-newkey,"""",-newkey,"""",-key,"""",-cert,"""",-secret,_PBM_SECRET
|
||||||
|
1,reqin ir and rspout - no newkey but -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspout,_RESULT_DIR/ip2.der,-newkey,"""",--key,"""",-cert,"""",-secret,_PBM_SECRET,-popo,-1
|
||||||
|
1,reqin ip and rspin - no newkey but -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspin,_RESULT_DIR/ip2.der,,-newkey,"""",-key,"""",-cert,"""",-secret,_PBM_SECRET,-popo,-1, -server,"""",-disable_confirm
|
||||||
|
|
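Review bot: The three new rows reset options inconsistently: the first row passes `-newkey,""""` twice, and the second row writes `--key` where the other two write `-key`. I believe apps/lib/opt.c accepts the double-dash spelling and a repeated reset is harmless, so the rows probably still exercise the intended path, but a reader comparing them cannot tell whether the differences are deliberate. Suggest normalising all three to `-newkey,"""",-key,"""",-cert,""""` so that only the `-rspout`/`-rspin`/`-popo`/`-server` parts differ between rows.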