switch (opt_cmd) {
case CMP_IR:
newcert = OSSL_CMP_exec_IR_ses(cmp_ctx);
- if (newcert == NULL)
- goto err;
+ if (newcert != NULL)
+ ret = 1;
break;
case CMP_KUR:
newcert = OSSL_CMP_exec_KUR_ses(cmp_ctx);
- if (newcert == NULL)
- goto err;
+ if (newcert != NULL)
+ ret = 1;
break;
case CMP_CR:
newcert = OSSL_CMP_exec_CR_ses(cmp_ctx);
- if (newcert == NULL)
- goto err;
+ if (newcert != NULL)
+ ret = 1;
break;
case CMP_P10CR:
newcert = OSSL_CMP_exec_P10CR_ses(cmp_ctx);
- if (newcert == NULL)
- goto err;
+ if (newcert != NULL)
+ ret = 1;
break;
case CMP_RR:
- if (OSSL_CMP_exec_RR_ses(cmp_ctx) == NULL)
- goto err;
+ if (OSSL_CMP_exec_RR_ses(cmp_ctx) != NULL)
+ ret = 1;
break;
case CMP_GENM:
{
OSSL_CMP_CTX_push0_genm_ITAV(cmp_ctx, itav);
}
- if ((itavs = OSSL_CMP_exec_GENM_ses(cmp_ctx)) == NULL)
- goto err;
- print_itavs(itavs);
- sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
+ if ((itavs = OSSL_CMP_exec_GENM_ses(cmp_ctx)) != NULL) {
+ print_itavs(itavs);
+ sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
+ ret = 1;
+ }
break;
}
default:
}
{
- /* print PKIStatusInfo (this is in case there has been no error) */
+ /* print PKIStatusInfo */
int status = OSSL_CMP_CTX_get_status(cmp_ctx);
char *buf = app_malloc(OSSL_CMP_PKISI_BUFLEN, "PKIStatusInfo buf");
const char *string =
OPENSSL_free(buf);
}
- if (save_free_certs(cmp_ctx, OSSL_CMP_CTX_get1_caPubs(cmp_ctx),
- opt_cacertsout, "CA") < 0)
- goto err;
if (save_free_certs(cmp_ctx, OSSL_CMP_CTX_get1_extraCertsIn(cmp_ctx),
opt_extracertsout, "extra") < 0)
+ ret = 0;
+ if (!ret)
+ goto err;
+ ret = 0;
+ if (save_free_certs(cmp_ctx, OSSL_CMP_CTX_get1_caPubs(cmp_ctx),
+ opt_cacertsout, "CA") < 0)
goto err;
if (newcert != NULL) {
STACK_OF(X509) *certs = sk_X509_new_null();
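Review bot: The `ret = 0;` right after `if (!ret) goto err;` reads like a leftover, since `ret` was just found nonzero; it actually re-arms the function's failure-by-default convention for the remaining steps, so a one-line comment would spare the next reader a double-take, e.g. `ret = 0; /* back to failure-by-default for the remaining steps */`. The reordering also changes what `-extracertsout` holds: the extraCerts are now written before the success check, so a failed exchange (an error response, or one rejected during validation) still produces that file, and the new logic relies on `ret` being 0 when the switch is entered, which happens outside the hunk. Both look intended — the PKIStatusInfo print above was moved onto the failure path as well — but the unconditional write deserves a comment such as `/* extraCerts are saved even on failure; per RFC 4210 they are outside the protected part of the message */`. The enclosing function starts before and continues past this hunk.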
*/
ossl_cmp_log1(INFO, ctx, "received %s", ossl_cmp_bodytype_to_string(bt));
+ /* copy received extraCerts to ctx->extraCertsIn so they can be retrieved */
+ if (bt != OSSL_CMP_PKIBODY_POLLREP && bt != OSSL_CMP_PKIBODY_PKICONF
+ && !ossl_cmp_ctx_set1_extraCertsIn(ctx, (*rep)->extraCerts))
+ return 0;
+
if (!ossl_cmp_msg_check_update(ctx, *rep, unprotected_exception,
expected_type))
return 0;
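Review bot: The new copy into ctx->extraCertsIn runs before ossl_cmp_msg_check_update() has validated the message, so certificates from a message that is then rejected (bad protection, transaction ID or nonce) remain in the context and are handed out by OSSL_CMP_CTX_get1_extraCertsIn(). Per RFC 4210 the extraCerts field lies outside the protected part anyway, so this does not weaken authentication of the certificates themselves, but callers that persist them should know they may stem from a rejected message; a comment at the copy would make that explicit: `/* NB: copied before the message is validated: extraCerts are not covered by the protection and may stem from a message rejected below */` — or, if that is not the intent, the copy belongs after the check. The POLLREP/PKICONF exclusion is likewise unexplained in the code and would benefit from a short why-comment. The enclosing function starts and ends outside the hunk.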
/*-
* Callback fn validating that the new certificate can be verified, using
* ctx->certConf_cb_arg, which has been initialized using opt_out_trusted, and
- * ctx->untrusted, which at this point already contains ctx->extraCertsIn.
+ * ctx->untrusted, which at this point already contains msg->extraCerts.
* Returns 0 on acceptance, else a bit field reflecting PKIFailureInfo.
* Quoting from RFC 4210 section 5.1. Overall PKI Message:
* The extraCerts field can contain certificates that may be useful to
&& !ossl_cmp_ctx_set1_caPubs(ctx, crepmsg->caPubs))
return 0;
- /* copy received extraCerts to ctx->extraCertsIn so they can be retrieved */
- if (!ossl_cmp_ctx_set1_extraCertsIn(ctx, (*resp)->extraCerts))
- return 0;
-
subj = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
if (rkey != NULL
/* X509_check_private_key() also works if rkey is just public key */
fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData;
txt = "public key in new certificate does not match our enrollment key";
/*-
- * not callling (void)ossl_cmp_exchange_error(ctx,
- * OSSL_CMP_PKISTATUS_rejection, fail_info, txt)
+ * not calling (void)ossl_cmp_exchange_error(ctx,
+ * OSSL_CMP_PKISTATUS_rejection, fail_info, txt)
* not throwing CMP_R_CERTIFICATE_NOT_ACCEPTED with txt
* not returning 0
* since we better leave this for the certConf_cb to decide
=item B<-extracertsout> I<filename>
-The file where to save any extra certificates received in the extraCerts field
-of response messages.
+The file where to save all certificates contained in the extraCerts field
+of the last received response message (except for pollRep and PKIConf).
=item B<-cacertsout> I<filename>
-The file where to save any CA certificates received in the caPubs field of
-Initialization Response (IP) messages.
+The file where to save any CA certificates contained in the caPubs field of
+the last received certificate response (i.e., IP, CP, or KUP) message.
=back
X.509 certificates computed by OSSL_CMP_certConf_cb() (if this function has
been called) on the last received certificate response message IP/CP/KUP.
-OSSL_CMP_CTX_get1_caPubs() returns a pointer to a duplicate of the stack of
+OSSL_CMP_CTX_get1_caPubs() returns a pointer to a duplicate of the list of
X.509 certificates received in the caPubs field of last received certificate
response message IP/CP/KUP.
-OSSL_CMP_CTX_get1_extraCertsIn() returns a pointer to a duplicate of the stack
-of X.509 certificates received in the last received nonempty extraCerts field.
-Returns an empty stack if no extraCerts have been received in the current
-transaction.
+OSSL_CMP_CTX_get1_extraCertsIn() returns a pointer to a duplicate of the list
+of X.509 certificates contained in the extraCerts field of the last received
+response message (except for pollRep and PKIConf), or
+an empty stack if no extraCerts have been received in the current transaction.
OSSL_CMP_CTX_set1_transactionID() sets the given transaction ID in the given
OSSL_CMP_CTX structure.