+ if (!set_name(opt_subject, OSSL_CMP_CTX_set1_subjectName, ctx, "subject")
+ || !set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer"))
+ return 0;
+ } else {
+ const char *msg = "option is ignored for commands other than 'ir', 'cr', and 'kur'";
+
+ if (opt_subject != NULL) {
+ if (opt_ref == NULL && opt_cert == NULL) {
+ /* use subject as default sender unless oldcert subject is used */
+ if (!set_name(opt_subject, OSSL_CMP_CTX_set1_subjectName, ctx, "subject"))
+ return 0;
+ } else {
+ CMP_warn1("-subject %s since -ref or -cert is given", msg);
+ }
+ }
+ if (opt_issuer != NULL)
+ CMP_warn1("-issuer %s", msg);
+ if (opt_reqexts != NULL)
+ CMP_warn1("-reqexts %s", msg);
+ if (opt_san_nodefault)
+ CMP_warn1("-san_nodefault %s", msg);
+ if (opt_sans != NULL)
+ CMP_warn1("-sans %s", msg);
+ if (opt_policies != NULL)
+ CMP_warn1("-policies %s", msg);
+ if (opt_policy_oids != NULL)
+ CMP_warn1("-policy_oids %s", msg);
+ }
+ if (opt_cmd == CMP_KUR) {
+ char *ref_cert = opt_oldcert != NULL ? opt_oldcert : opt_cert;
+
+ if (ref_cert == NULL && opt_csr == NULL) {
+ CMP_err("missing -oldcert for certificate to be updated and no -csr given");
+ return 0;
+ }
+ if (opt_subject != NULL)
+ CMP_warn2("given -subject '%s' overrides the subject of '%s' for KUR",
+ opt_subject, ref_cert != NULL ? ref_cert : opt_csr);
+ }
+ if (opt_cmd == CMP_RR) {
+ if (opt_oldcert == NULL && opt_csr == NULL) {
+ CMP_err("missing -oldcert for certificate to be revoked and no -csr given");
+ return 0;
+ }
+ if (opt_oldcert != NULL && opt_csr != NULL)
+ CMP_warn("ignoring -csr since certificate to be revoked is given");
+ }
+ if (opt_cmd == CMP_P10CR && opt_csr == NULL) {
+ CMP_err("missing PKCS#10 CSR for p10cr");
+ return 0;
+ }
+
+ if (opt_recipient == NULL && opt_srvcert == NULL && opt_issuer == NULL
+ && opt_oldcert == NULL && opt_cert == NULL)
+ CMP_warn("missing -recipient, -srvcert, -issuer, -oldcert or -cert; recipient will be set to \"NULL-DN\"");
+
+ if (opt_cmd == CMP_P10CR || opt_cmd == CMP_RR) {
+ const char *msg = "option is ignored for 'p10cr' and 'rr' commands";
+
+ if (opt_newkeypass != NULL)
+ CMP_warn1("-newkeytype %s", msg);
+ if (opt_newkey != NULL)
+ CMP_warn1("-newkey %s", msg);
+ if (opt_days != 0)
+ CMP_warn1("-days %s", msg);
+ if (opt_popo != OSSL_CRMF_POPO_NONE - 1)
+ CMP_warn1("-popo %s", msg);
+ } else if (opt_newkey != NULL) {
+ const char *file = opt_newkey;
+ const int format = opt_keyform;
+ const char *pass = opt_newkeypass;
+ const char *desc = "new private key for cert to be enrolled";
+ EVP_PKEY *pkey;
+ int priv = 1;
+ BIO *bio_bak = bio_err;
+
+ bio_err = NULL; /* suppress diagnostics on first try loading key */
+ pkey = load_key_pwd(file, format, pass, engine, desc);
+ bio_err = bio_bak;
+ if (pkey == NULL) {
+ ERR_clear_error();
+ desc = opt_csr == NULL
+ ? "fallback public key for cert to be enrolled"
+ : "public key for checking cert resulting from p10cr";
+ pkey = load_pubkey(file, format, 0, pass, engine, desc);
+ priv = 0;
+ }
+ cleanse(opt_newkeypass);
+ if (pkey == NULL || !OSSL_CMP_CTX_set0_newPkey(ctx, priv, pkey)) {
+ EVP_PKEY_free(pkey);
+ return 0;
+ }
+ }