Allow subject of CMP -oldcert as sender unless protection cert is given

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)

diff --git a/crypto/cmp/cmp_hdr.c b/crypto/cmp/cmp_hdr.c
index 7f2506ba9e96cd76d9e5414bd407517cfb16377b..38b3bce3f5ddccc791f4580dc86fa37c8ae22073 100644 (file)
--- a/crypto/cmp/cmp_hdr.c
+++ b/crypto/cmp/cmp_hdr.c
@@ -300,11 +300,12 @@ int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr)
         return 0;
 
     /*
         return 0;
 
     /*

-     * The sender name is copied from the subject of the client cert, if any,
-     * or else from the subject name provided for certification requests.
+     * If neither protection cert nor oldCert nor subject are given,
+     * sender name is not known to the client and thus set to NULL-DN

      */
      */

-    sender = ctx->cert != NULL ?
-        X509_get_subject_name(ctx->cert) : ctx->subjectName;
+    sender = ctx->cert != NULL ? X509_get_subject_name(ctx->cert) :
+        ctx->oldCert != NULL ? X509_get_subject_name(ctx->oldCert) :
+        ctx->subjectName;

     if (!ossl_cmp_hdr_set1_sender(hdr, sender))
         return 0;
 
     if (!ossl_cmp_hdr_set1_sender(hdr, sender))
         return 0;
 

diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index aac322b5283047109dc0176d71552a83aad395b5..0615fffa4eb68044d7b64df32970d203c7c0e9cf 100644 (file)
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -393,8 +393,9 @@ It must be given for RR, while for KUR it defaults to B<-cert>.
 
 The reference certificate determined in this way, if any, is also used for
 deriving default subject DN and Subject Alternative Names for IR, CR, and KUR.
 
 The reference certificate determined in this way, if any, is also used for
 deriving default subject DN and Subject Alternative Names for IR, CR, and KUR.

-Its issuer, if any, is used as default recipient in the CMP message header
-if neither B<-srvcert>, B<-recipient>, nor B<-issuer> is available.
+Its subject is used as sender in CMP message headers if B<-cert> is not given.
+Its issuer is used as default recipient in CMP message headers
+if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given.

 
 =item B<-revreason> I<number>
 
 
 =item B<-revreason> I<number>
 

diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index f8fee277e26b917a5b0409f9a09ffdf7cb051f54..e9ca5f18a8b6d7ca57f28b53e2b444d41753a5d2 100644 (file)
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -520,7 +520,8 @@ Key Update Requests (KUR) or to be revoked in Revocation Requests (RR).
 It must be given for RR, else it defaults to the protection B<cert>.
 The B<reference certificate> determined in this way, if any, is also used for
 deriving default subject DN and Subject Alternative Names for IR, CR, and KUR.
 It must be given for RR, else it defaults to the protection B<cert>.
 The B<reference certificate> determined in this way, if any, is also used for
 deriving default subject DN and Subject Alternative Names for IR, CR, and KUR.

-Its issuer, if any, is used as default recipient in the CMP message header.
+Its subject is used as sender in CMP message headers if no protection cert is given.
+Its issuer is used as default recipient in CMP message headers.

 
 OSSL_CMP_CTX_set1_p10CSR() sets the PKCS#10 CSR to be used in P10CR.
 
 
 OSSL_CMP_CTX_set1_p10CSR() sets the PKCS#10 CSR to be used in P10CR.