fix sending error when no root CA cert update available
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24169)
parent
6594baf645
commit
fc9649f61a
|
@ -401,9 +401,22 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
|
|||
rsp = OSSL_CMP_ITAV_new_caCerts(ctx->caPubsOut);
|
||||
break;
|
||||
case NID_id_it_rootCaCert:
|
||||
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
|
||||
ctx->newWithOld,
|
||||
ctx->oldWithNew);
|
||||
{
|
||||
X509 *rootcacert = NULL;
|
||||
|
||||
if (!OSSL_CMP_ITAV_get0_rootCaCert(req, &rootcacert))
|
||||
return NULL;
|
||||
|
||||
if (rootcacert != NULL
|
||||
&& X509_NAME_cmp(X509_get_subject_name(rootcacert),
|
||||
X509_get_subject_name(ctx->newWithNew)) != 0)
|
||||
/* The subjects do not match */
|
||||
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(NULL, NULL, NULL);
|
||||
else
|
||||
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
|
||||
ctx->newWithOld,
|
||||
ctx->oldWithNew);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
rsp = OSSL_CMP_ITAV_dup(req);
|
||||
|
|
|
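Review bot: `X509_get_subject_name(ctx->newWithNew)` in the new subject comparison runs whenever the request carries a rootCaCert, but nothing in the block checks that `ctx->newWithNew` is set; the reworked OSSL_CMP_ITAV_new_rootCaKeyUpdate() in this same commit explicitly accepts a NULL newWithNew, which suggests the mock server can be configured without one, and as far as I recall X509_get_subject_name() does not tolerate a NULL certificate. Treating an unset newWithNew like a subject mismatch yields the same empty rootCaKeyUpdate response without the dereference: `if (rootcacert != NULL && (ctx->newWithNew == NULL || X509_NAME_cmp(X509_get_subject_name(rootcacert), X509_get_subject_name(ctx->newWithNew)) != 0))`. The enclosing process_genm_itav() starts and ends outside the hunk.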
@ -287,23 +287,30 @@ OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaKeyUpdate(const X509 *newWithNew,
|
|||
const X509 *oldWithNew)
|
||||
{
|
||||
OSSL_CMP_ITAV *itav;
|
||||
OSSL_CMP_ROOTCAKEYUPDATE *upd = OSSL_CMP_ROOTCAKEYUPDATE_new();
|
||||
OSSL_CMP_ROOTCAKEYUPDATE *upd = NULL;
|
||||
|
||||
if (newWithNew != NULL) {
|
||||
upd = OSSL_CMP_ROOTCAKEYUPDATE_new();
|
||||
if (upd == NULL)
|
||||
return NULL;
|
||||
|
||||
if ((upd->newWithNew = X509_dup(newWithNew)) == NULL)
|
||||
goto err;
|
||||
if (newWithOld != NULL
|
||||
&& (upd->newWithOld = X509_dup(newWithOld)) == NULL)
|
||||
goto err;
|
||||
if (oldWithNew != NULL
|
||||
&& (upd->oldWithNew = X509_dup(oldWithNew)) == NULL)
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (upd == NULL)
|
||||
return NULL;
|
||||
if (newWithNew != NULL && (upd->newWithNew = X509_dup(newWithNew)) == NULL)
|
||||
goto err;
|
||||
if (newWithOld != NULL && (upd->newWithOld = X509_dup(newWithOld)) == NULL)
|
||||
goto err;
|
||||
if (oldWithNew != NULL && (upd->oldWithNew = X509_dup(oldWithNew)) == NULL)
|
||||
goto err;
|
||||
if ((itav = OSSL_CMP_ITAV_new()) == NULL)
|
||||
goto err;
|
||||
itav->infoType = OBJ_nid2obj(NID_id_it_rootCaKeyUpdate);
|
||||
itav->infoValue.rootCaKeyUpdate = upd;
|
||||
return itav;
|
||||
|
||||
err:
|
||||
err:
|
||||
OSSL_CMP_ROOTCAKEYUPDATE_free(upd);
|
||||
return NULL;
|
||||
}
|
||||
|
@ -324,11 +331,11 @@ int OSSL_CMP_ITAV_get0_rootCaKeyUpdate(const OSSL_CMP_ITAV *itav,
|
|||
return 0;
|
||||
}
|
||||
upd = itav->infoValue.rootCaKeyUpdate;
|
||||
*newWithNew = upd->newWithNew;
|
||||
*newWithNew = upd != NULL ? upd->newWithNew : NULL;
|
||||
if (newWithOld != NULL)
|
||||
*newWithOld = upd->newWithOld;
|
||||
*newWithOld = upd != NULL ? upd->newWithOld : NULL;
|
||||
if (oldWithNew != NULL)
|
||||
*oldWithNew = upd->oldWithNew;
|
||||
*oldWithNew = upd != NULL ? upd->oldWithNew : NULL;
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
|
|
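Review bot: In OSSL_CMP_ITAV_new_rootCaKeyUpdate(), non-NULL newWithOld and oldWithNew are now silently ignored when newWithNew is NULL, since the `if (newWithNew != NULL)` block is the only place they are copied, whereas the removed code duplicated them unconditionally; the POD change describes this, but the function itself does not. A comment above the block would make the contract visible at the code, e.g. `/* RootCaKeyUpdateContent is only included if newWithNew is given; newWithOld and oldWithNew are ignored otherwise */`. As a point of style, the early `return NULL` after OSSL_CMP_ROOTCAKEYUPDATE_new() fails could be `goto err` like the other failure paths, since the free of a still-NULL upd at err: is harmless. The second hunk, in OSSL_CMP_ITAV_get0_rootCaKeyUpdate(), reads cleanly; that function's start is outside the hunk.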
@ -307,9 +307,11 @@ int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx,
|
|||
if (!OSSL_CMP_ITAV_get0_rootCaKeyUpdate(itav, newWithNew,
|
||||
&my_newWithOld, &my_oldWithNew))
|
||||
goto end;
|
||||
|
||||
if (*newWithNew == NULL) /* no root CA cert update available */
|
||||
/* no root CA cert update available */
|
||||
if (*newWithNew == NULL) {
|
||||
res = 1;
|
||||
goto end;
|
||||
}
|
||||
if ((oldWithOld_copy = X509_dup(oldWithOld)) == NULL && oldWithOld != NULL)
|
||||
goto end;
|
||||
if (!verify_ss_cert_trans(ctx, oldWithOld_copy, my_newWithOld,
|
||||
|
|
|
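Review bot: The new early exit `res = 1; goto end;` for `*newWithNew == NULL` reports success without assigning any output parameter other than `*newWithNew`; the signature is cut off by the hunk header, but if the function also has `newWithOld`/`oldWithNew` output pointers that are only assigned further down (outside the hunk), a caller taking this path may read indeterminate values. If so, clear them before the jump, e.g. `if (newWithOld != NULL) *newWithOld = NULL;` and likewise for oldWithNew, or state in the POD that they are left untouched when no update is available. The rest of OSSL_CMP_get1_rootCaKeyUpdate() lies outside the hunk.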
@ -49,6 +49,8 @@ the internal pointer to the certificate contained in the infoValue field.
|
|||
OSSL_CMP_ITAV_new_rootCaKeyUpdate() creates a new B<OSSL_CMP_ITAV> structure
|
||||
of type B<rootCaKeyUpdate> that includes an RootCaKeyUpdateContent structure
|
||||
with the optional I<newWithNew>, I<newWithOld>, and I<oldWithNew> certificates.
|
||||
An RootCaKeyUpdateContent structure is included only if I<newWithNew>
|
||||
is not NULL.
|
||||
|
||||
OSSL_CMP_ITAV_get0_rootCaKeyUpdate() requires that I<itav> has infoType
|
||||
B<rootCaKeyUpdate>.
|
||||
|
@ -59,7 +61,8 @@ If I<newWithOld> is not NULL, it assigns to I<*newWithOld> the internal pointer
|
|||
to the certificate contained in the newWithOld infoValue sub-field of I<itav>.
|
||||
If I<oldWithNew> is not NULL, it assigns to I<*oldWithNew> the internal pointer
|
||||
to the certificate contained in the oldWithNew infoValue sub-field of I<itav>.
|
||||
Each of these pointers will be NULL if the respective sub-field is not set.
|
||||
Each of these pointers will be set to NULL if no root CA certificate update
|
||||
is present or the respective sub-field is not included.
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
|
|
|
@ -77,7 +77,7 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
|
|||
0,genm rootCaCert oldwithold empty file , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, empty.txt , -newwithnew, _RESULT_DIR/test.newwithnew.pem
|
||||
0,genm rootCaCert oldwithold random file , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, random.bin , -newwithnew, _RESULT_DIR/test.newwithnew.pem
|
||||
0,genm rootCaCert oldwithold nonexistent , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, idontexist , -newwithnew, _RESULT_DIR/test.newwithnew.pem
|
||||
0,genm rootCaCert oldwithold wrong , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, signer.crt , -newwithnew, _RESULT_DIR/test.newwithnew.pem
|
||||
1,genm rootCaCert oldwithold different , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, signer.crt , -newwithnew, _RESULT_DIR/test.newwithnew.pem
|
||||
0,genm rootCaCert missing newwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, oldWithOld.pem, BLANK ,,
|
||||
0,genm rootCaCert newwithnew missing arg , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, oldWithOld.pem, -newwithnew,,
|
||||
1,genm rootCaCert with oldwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, oldWithOld.pem, -newwithnew, _RESULT_DIR/test.newwithnew1.pem, -oldwithnew, _RESULT_DIR/test.oldwithnew1.pem
|
||||
|
|