switch (ossl_cmp_hdr_get_protection_nid(msg->header)) {
/* 5.1.3.1. Shared Secret Information */
case NID_id_PasswordBasedMAC:
+ if (ctx->secretValue == NULL) {
+ ossl_cmp_warn(ctx, "no secret available for verifying PBM-based CMP message protection");
+ return 1;
+ }
if (verify_PBMAC(ctx, msg)) {
/*
* RFC 4210, 5.3.2: 'Note that if the PKI Message Protection is
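Review bot: the `return 1;` after the "no secret available" warning reports the message as successfully validated although its MAC was never checked, and it does so whether or not the client has configured a trust store or pinned server cert for the signature-based case. The caller therefore cannot distinguish an unverified PBM-protected message from a verified one; the only signal is a warning that is easy to miss in unattended use. Suggest returning 0 when the protection type does not match any credential the ctx holds, or gating this warn-and-accept path behind an explicit, documented opt-in setting rather than making it the default.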
default:
scrt = ctx->srvCert;
if (scrt == NULL) {
+ if (ctx->trusted == NULL) {
+ ossl_cmp_warn(ctx, "no trust store nor pinned server cert available for verifying signature-based CMP message protection");
+ return 1;
+ }
if (check_msg_find_cert(ctx, msg))
return 1;
} else { /* use pinned sender cert */
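Review bot: same concern as in the PBM branch: with neither `ctx->trusted` nor a pinned `ctx->srvCert` present the message is accepted via `return 1;` without any signature check, indistinguishable for the caller from a verified one. In addition this branch is reached only through `scrt == NULL` and never looks at `ctx->secretValue`, so a client configured with only a shared secret will accept a signature-protected response unverified; if the intended rule is "authenticate unless the client holds no credentials at all", both early returns should consult all three credential fields, ideally through one small helper that decides once whether unauthenticated acceptance is permitted.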
Section(s) to use within config file defining CMP options.
An empty string C<""> means no specific section.
Default is C<cmp>.
+
Multiple section names may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Contents of sections named later may override contents of sections named before.
protection certificate is not pinned but may be any certificate
for which a chain to one of the given trusted certificates can be constructed.
+If no B<-trusted>, B<-srvcert>, and B<-secret> option is given
+then protected response messages from the server are not authenticated.
+
Multiple filenames may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
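Review bot: the added sentence does not describe what the vfy.c changes in this patch do: verification is skipped per protection type (no secret for a PBM-protected message, no trust store or pinned cert for a signature-protected one), so a response can go unauthenticated even when one of the three options is given. Either tighten the code to match this text or reword it, e.g. "Depending on the protection type of a response, it is not authenticated if the corresponding B<-secret> or B<-trusted>/B<-srvcert> option is missing; a warning is emitted in that case." Grammar aside ("If no ... and ... option is given" reads better as "If none of the B<-trusted>, B<-srvcert>, and B<-secret> options is given"), the same statement belongs under B<-srvcert> and B<-secret> too, since a reader of those entries will not look here.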
=item B<-reqin> I<filenames>
Take sequence of CMP requests from file(s).
+
Multiple filenames may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
As many files are read as needed for a complete transaction.
=item B<-reqout> I<filenames>
Save sequence of CMP requests to file(s).
+
Multiple filenames may be given, separated by commas and/or whitespace.
As many files are written as needed to store the complete transaction.
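Review bot: the B<-reqin> entry keeps the parenthetical "(where in the latter case the whole argument must be enclosed in "...")" but this B<-reqout> entry and the B<-rspin>/B<-rspout> entries below drop it, although the same list syntax applies; state the quoting rule consistently in all four entries.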
=item B<-rspin> I<filenames>
Process sequence of CMP responses provided in file(s), skipping server.
+
Multiple filenames may be given, separated by commas and/or whitespace.
As many files are read as needed for the complete transaction.
=item B<-rspout> I<filenames>
Save sequence of CMP responses to file(s).
+
Multiple filenames may be given, separated by commas and/or whitespace.
As many files are written as needed to store the complete transaction.