{"subject", OPT_SUBJECT, 's',
"Distinguished Name (DN) of subject to use in the requested cert template"},
{OPT_MORE_STR, 0, 0,
- "For kur, default is the subject DN of the reference cert (see -oldcert);"},
+ "For kur, default is subject of -csr arg or else of reference cert (see -oldcert)"},
{OPT_MORE_STR, 0, 0,
"this default is used for ir and cr only if no Subject Alt Names are set"},
{"issuer", OPT_ISSUER, 's',
{"days", OPT_DAYS, 'n',
"Requested validity time of the new certificate in number of days"},
{"reqexts", OPT_REQEXTS, 's',
- "Name of config file section defining certificate request extensions"},
+ "Name of config file section defining certificate request extensions."},
+ {OPT_MORE_STR, 0, 0,
+ "Augments or replaces any extensions contained CSR given with -csr"},
{"sans", OPT_SANS, 's',
"Subject Alt Names (IPADDR/DNS/URI) to add as (critical) cert req extension"},
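Review bot: The new help line at L15 is missing a word ("extensions contained CSR"); it should read `"Augments or replaces any extensions contained in CSR given with -csr"`. The trailing period added at L13 is also out of step with the neighbouring entries in this table, none of which ends with punctuation, and since OPT_MORE_STR lines are displayed as a continuation the period is not needed to separate them.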
{"san_nodefault", OPT_SAN_NODEFAULT, '-',
{OPT_MORE_STR, 0, 0,
"-1 = NONE, 0 = RAVERIFIED, 1 = SIGNATURE (default), 2 = KEYENC"},
{"csr", OPT_CSR, 's',
- "PKCS#10 CSR file in PEM or DER format to use in p10cr for legacy support"},
+ "PKCS#10 CSR file in PEM or DER format to convert or to use in p10cr"},
{"out_trusted", OPT_OUT_TRUSTED, 's',
"Certificates to trust when verifying newly enrolled certificates"},
{"implicit_confirm", OPT_IMPLICIT_CONFIRM, '-',
"Optional certs to verify chain building for own CMP signer cert"},
{"key", OPT_KEY, 's', "CMP signer private key, not used when -secret given"},
{"keypass", OPT_KEYPASS, 's',
- "Client private key (and cert and old cert file) pass phrase source"},
+ "Client private key (and cert and old cert) pass phrase source"},
{"digest", OPT_DIGEST, 's',
"Digest to use in message protection and POPO signatures. Default \"sha256\""},
{"mac", OPT_MAC, 's',
{"tls_key", OPT_TLS_KEY, 's',
"Private key for the client's TLS certificate"},
{"tls_keypass", OPT_TLS_KEYPASS, 's',
- "Pass phrase source for the client's private TLS key (and TLS cert file)"},
+ "Pass phrase source for the client's private TLS key (and TLS cert)"},
{"tls_extra", OPT_TLS_EXTRA, 's',
"Extra certificates to provide to TLS server during TLS handshake"},
{"tls_trusted", OPT_TLS_TRUSTED, 's',
{"srv_key", OPT_SRV_KEY, 's',
"Private key used by the server for signing messages"},
{"srv_keypass", OPT_SRV_KEYPASS, 's',
- "Server private key (and cert) file pass phrase source"},
+ "Server private key (and cert) pass phrase source"},
{"srv_trusted", OPT_SRV_TRUSTED, 's',
"Trusted certificates for client authentication"},
*/
static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{
- if (opt_subject == NULL && opt_oldcert == NULL && opt_cert == NULL
+ if (opt_subject == NULL
+ && opt_csr == NULL && opt_oldcert == NULL && opt_cert == NULL
&& opt_cmd != CMP_RR && opt_cmd != CMP_GENM)
- CMP_warn("no -subject given, neither -oldcert nor -cert available as default");
+ CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback");
if (!set_name(opt_subject, OSSL_CMP_CTX_set1_subjectName, ctx, "subject")
|| !set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer"))
return 0;
(void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_POPO_METHOD, opt_popo);
if (opt_csr != NULL) {
- if (opt_cmd != CMP_P10CR) {
- CMP_warn("-csr option is ignored for command other than p10cr");
+ if (opt_cmd == CMP_GENM) {
+ CMP_warn("-csr option is ignored for genm command");
} else {
- X509_REQ *csr =
- load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr");
+ X509_REQ *csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr");
if (csr == NULL)
return 0;
}
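Review bot: The description passed at L71 still says "PKCS#10 CSR for p10cr", but after this change the CSR is loaded for every command except genm (L66-L67), so a load failure during ir, cr, kur or rr will report an error message that names p10cr; `X509_REQ *csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR");` avoids the misleading text. What happens to csr after the NULL check at L72-L73 is not visible here, and setup_request_ctx continues beyond this hunk.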
if (opt_oldcert != NULL) {
- X509 *oldcert = load_cert_pwd(opt_oldcert, opt_keypass,
- "certificate to be updated/revoked");
- /* opt_keypass is needed if opt_oldcert is an encrypted PKCS#12 file */
+ if (opt_cmd == CMP_GENM) {
+ CMP_warn("-oldcert option is ignored for genm command");
+ } else {
+ X509 *oldcert = load_cert_pwd(opt_oldcert, opt_keypass,
+ "certificate to be updated/revoked");
+ /* opt_keypass needed if opt_oldcert is an encrypted PKCS#12 file */
- if (oldcert == NULL)
- return 0;
- if (!OSSL_CMP_CTX_set1_oldCert(ctx, oldcert)) {
+ if (oldcert == NULL)
+ return 0;
+ if (!OSSL_CMP_CTX_set1_oldCert(ctx, oldcert)) {
+ X509_free(oldcert);
+ goto oom;
+ }
X509_free(oldcert);
- goto oom;
}
- X509_free(oldcert);
}
cleanse(opt_keypass);
if (opt_revreason > CRL_REASON_NONE)
if (opt_cmd == CMP_KUR) {
char *ref_cert = opt_oldcert != NULL ? opt_oldcert : opt_cert;
- if (ref_cert == NULL) {
- CMP_err("missing -oldcert option for certificate to be updated");
+ if (ref_cert == NULL && opt_csr == NULL) {
+ CMP_err("missing -oldcert or -csr option for certificate to be updated");
goto err;
}
if (opt_subject != NULL)
- CMP_warn2("-subject '%s' given, which overrides the subject of '%s' in KUR",
- opt_subject, ref_cert);
+ CMP_warn2("given -subject '%s' overrides the subject of '%s' for KUR",
+ opt_subject, ref_cert != NULL ? ref_cert : opt_csr);
}
- if (opt_cmd == CMP_RR && opt_oldcert == NULL) {
- CMP_err("missing certificate to be revoked");
- goto err;
+ if (opt_cmd == CMP_RR) {
+ if (opt_oldcert == NULL && opt_csr == NULL) {
+ CMP_err("missing certificate to be revoked and no fallback -csr given");
+ goto err;
+ }
+ if (opt_oldcert != NULL && opt_csr != NULL)
+ CMP_warn("Ignoring -csr since certificate to be revoked is given");
}
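Review bot: The warning at L124 tells the user that -csr is ignored when -oldcert is given for rr, but nothing in setup_request_ctx drops the already loaded CSR; the "ignoring" apparently rests on the revocation template being filled from oldCert first (L379-L384) whenever it is set. That dependency deserves a comment next to the warning, e.g. `/* the loaded CSR stays in ctx; RR template creation prefers oldCert when both are set */`, so that a later change to that precedence does not silently make this warning false. The function starts and ends outside this hunk.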
if (opt_cmd == CMP_P10CR && opt_csr == NULL) {
CMP_err("missing PKCS#10 CSR for p10cr");
ret = 1;
break;
case CMP_RR:
- if (OSSL_CMP_exec_RR_ses(cmp_ctx) != NULL)
- ret = 1;
+ ret = OSSL_CMP_exec_RR_ses(cmp_ctx);
break;
case CMP_GENM:
{
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
- if (ctx == NULL || rr == NULL || issuer == NULL || serial == NULL) {
+ if (ctx == NULL || rr == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
return NULL;
}
+ /* Allow any RR derived from CSR, which may include subject and serial */
+ if (issuer == NULL || serial == NULL)
+ return OSSL_CMP_PKISI_dup(ctx->statusOut);
+
/* accept revocation only for the certificate we sent in ir/cr/kur */
if (X509_NAME_cmp(issuer, X509_get_issuer_name(ctx->certOut)) != 0
|| ASN1_INTEGER_cmp(serial,
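Review bot: The comment at L146 says a CSR-derived RR "may include subject and serial", but the template built from a CSR carries the CSR's subject and public key with issuer and serial left NULL (L385-L388), so "serial" is wrong here. More importantly, once issuer or serial is absent the mock server now returns statusOut at L148 without comparing anything against certOut, i.e. revocation of any certificate is granted; that may be fine for a mock, but the comment should state it, e.g. `/* RR derived from a CSR carries subject and public key but no issuer/serial; the mock grants it without matching against certOut */`. The enclosing function starts outside this hunk.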
return result;
}
-X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
+int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
{
OSSL_CMP_MSG *rr = NULL;
OSSL_CMP_MSG *rp = NULL;
OSSL_CMP_REVREPCONTENT *rrep = NULL;
OSSL_CMP_PKISI *si = NULL;
char buf[OSSL_CMP_PKISI_BUFLEN];
- X509 *result = NULL;
+ int ret = 0;
if (ctx == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
return 0;
}
- if (ctx->oldCert == NULL) {
+ if (ctx->oldCert == NULL && ctx->p10CSR == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
return 0;
}
switch (ossl_cmp_pkisi_get_status(si)) {
case OSSL_CMP_PKISTATUS_accepted:
ossl_cmp_info(ctx, "revocation accepted (PKIStatus=accepted)");
- result = ctx->oldCert;
+ ret = 1;
break;
case OSSL_CMP_PKISTATUS_grantedWithMods:
ossl_cmp_info(ctx, "revocation accepted (PKIStatus=grantedWithMods)");
- result = ctx->oldCert;
+ ret = 1;
break;
case OSSL_CMP_PKISTATUS_rejection:
ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_REJECTED_BY_SERVER);
goto err;
case OSSL_CMP_PKISTATUS_revocationWarning:
ossl_cmp_info(ctx, "revocation accepted (PKIStatus=revocationWarning)");
- result = ctx->oldCert;
+ ret = 1;
break;
case OSSL_CMP_PKISTATUS_revocationNotification:
/* interpretation as warning or error depends on CA */
ossl_cmp_warn(ctx,
"revocation accepted (PKIStatus=revocationNotification)");
- result = ctx->oldCert;
+ ret = 1;
break;
case OSSL_CMP_PKISTATUS_waiting:
case OSSL_CMP_PKISTATUS_keyUpdateWarning:
goto err;
}
- /* check any present CertId in optional revCerts field */
- if (rrep->revCerts != NULL) {
+ /* check any pretent CertId in optional revCerts field */
+ if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) >= 1) {
OSSL_CRMF_CERTID *cid;
OSSL_CRMF_CERTTEMPLATE *tmpl =
sk_OSSL_CMP_REVDETAILS_value(rr->body->value.rr, rsid)->certDetails;
if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) != num_RevDetails) {
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT);
- result = NULL;
+ ret = 0;
goto err;
}
if ((cid = ossl_cmp_revrepcontent_get_CertId(rrep, rsid)) == NULL) {
- result = NULL;
+ ret = 0;
goto err;
}
if (X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID_IN_RP);
- result = NULL;
+ ret = 0;
goto err;
#endif
}
OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_SERIAL_IN_RP);
- result = NULL;
+ ret = 0;
goto err;
#endif
}
/* check number of any optionally present crls */
if (rrep->crls != NULL && sk_X509_CRL_num(rrep->crls) != num_RevDetails) {
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT);
- result = NULL;
+ ret = 0;
goto err;
}
err:
- if (result == NULL
+ if (ret == 0
&& OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf, sizeof(buf)) != NULL)
ERR_add_error_data(1, buf);
end:
OSSL_CMP_MSG_free(rr);
OSSL_CMP_MSG_free(rp);
- return result;
+ return ret;
}
STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx)
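Review bot: The comment rewritten at L206 introduces a typo ("pretent"); the previous wording `/* check any present CertId in optional revCerts field */` was correct. The new condition at L207 also changes what is checked: a revCerts sequence that is present but empty used to reach the count check at L211 and fail with CMP_R_WRONG_RP_COMPONENT_COUNT, while now it is skipped even for an ordinary oldCert-based request, so a comment saying that an empty revCerts is accepted on purpose because a CSR-derived RR has no CertId would document the relaxation. Further, issuer and serial compared at L222 and L230 presumably come from the request template, which for a CSR-derived RR has neither (L385-L388); a CA that does return the revoked certificate's CertId would then be rejected with CMP_R_WRONG_CERTID_IN_RP, so either skip those comparisons when the template has no issuer/serial or record that such responses are intentionally refused. The middle of OSSL_CMP_exec_RR_ses is outside this view.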
return res;
}
+/* Add extension list to the referenced extension stack, which may be NULL */
+static int add_extensions(STACK_OF(X509_EXTENSION) **target,
+ const STACK_OF(X509_EXTENSION) *exts)
+{
+ int i;
+
+ if (target == NULL)
+ return 0;
+
+ for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
+ X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
+ ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext);
+ int idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
+
+ /* Does extension exist in target? */
+ if (idx != -1) {
+ /* Delete all extensions of same type */
+ do {
+ X509_EXTENSION_free(sk_X509_EXTENSION_delete(*target, idx));
+ idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
+ } while (idx != -1);
+ }
+ if (!X509v3_add_ext(target, ext, -1))
+ return 0;
+ }
+ return 1;
+}
+
/* Add a CRL revocation reason code to extension stack, which may be NULL */
static int add_crl_reason_extension(X509_EXTENSIONS **pexts, int reason_code)
{
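Review bot: The header comment at L259 omits the replace semantics that distinguish add_extensions() from a plain append: every extension already in *target with the same OID as an incoming one is deleted first (L274-L280), *target may be NULL and is created by X509v3_add_ext(), and X509v3_add_ext() stores a copy so exts stays owned by the caller; `/* Copy exts into *target (created if NULL), replacing any existing extension of the same type; exts stays owned by the caller */` states that contract. As a point of style, the lookup at L271 followed by the if plus do/while at L274-L280 collapses into a single loop, `while ((idx = X509v3_get_ext_by_OBJ(*target, obj, -1)) != -1)` / `X509_EXTENSION_free(sk_X509_EXTENSION_delete(*target, idx));`, which reads the same and drops the duplicated lookup.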
(sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \
|| OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1)
-static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, X509 *refcert,
+static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx,
+ const X509_NAME *ref_subj,
int for_KUR)
{
if (ctx->subjectName != NULL)
return ctx->subjectName;
- if (refcert != NULL && (for_KUR || !HAS_SAN(ctx)))
+ if (ref_subj != NULL && (for_KUR || !HAS_SAN(ctx)))
/*
- * For KUR, copy subjectName from reference certificate.
+ * For KUR, copy subject from the reference.
* For IR or CR, do the same only if there is no subjectAltName.
*/
- return X509_get_subject_name(refcert);
+ return ref_subj;
return NULL;
}
/* refcert defaults to current client cert */
EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
STACK_OF(GENERAL_NAME) *default_sans = NULL;
- const X509_NAME *subject = determine_subj(ctx, refcert, for_KUR);
+ const X509_NAME *ref_subj =
+ ctx->p10CSR != NULL ? X509_REQ_get_subject_name(ctx->p10CSR) :
+ refcert != NULL ? X509_get_subject_name(refcert) : NULL;
+ const X509_NAME *subject = determine_subj(ctx, ref_subj, for_KUR);
const X509_NAME *issuer = ctx->issuer != NULL || refcert == NULL
? ctx->issuer : X509_get_issuer_name(refcert);
int crit = ctx->setSubjectAltNameCritical || subject == NULL;
/* RFC5280: subjectAltName MUST be critical if subject is null */
X509_EXTENSIONS *exts = NULL;
+ if (rkey == NULL && ctx->p10CSR != NULL)
+ rkey = X509_REQ_get0_pubkey(ctx->p10CSR);
if (rkey == NULL)
rkey = ctx->pkey; /* default is independent of ctx->oldCert */
if (rkey == NULL) {
return NULL;
#endif
}
- if (for_KUR && refcert == NULL) {
+ if (for_KUR && refcert == NULL && ctx->p10CSR == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
return NULL;
}
if (refcert != NULL && !ctx->SubjectAltName_nodefault)
default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
NID_subject_alt_name, NULL, NULL);
- /* exts are copied from ctx to allow reuse */
- if (ctx->reqExtensions != NULL) {
- exts = sk_X509_EXTENSION_deep_copy(ctx->reqExtensions,
- X509_EXTENSION_dup,
- X509_EXTENSION_free);
- if (exts == NULL)
- goto err;
- }
+ if (ctx->p10CSR != NULL
+ && (exts = X509_REQ_get_extensions(ctx->p10CSR)) == NULL)
+ goto err;
+ if (ctx->reqExtensions != NULL /* augment/override existing ones */
+ && !add_extensions(&exts, ctx->reqExtensions))
+ goto err;
if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0
&& !add1_extension(&exts, NID_subject_alt_name,
crit, ctx->subjectAltNames))
/* end fill certTemplate, now set any controls */
/* for KUR, set OldCertId according to D.6 */
- if (for_KUR) {
+ if (for_KUR && refcert != NULL) {
OSSL_CRMF_CERTID *cid =
OSSL_CRMF_CERTID_gen(X509_get_issuer_name(refcert),
X509_get0_serialNumber(refcert));
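Review bot: The CSR's extensions are now copied into the template at L347-L349, but HAS_SAN(ctx) at L290-L291 and the criticality decision at L320 only consider ctx->subjectAltNames and ctx->reqExtensions, so a subjectAltName that arrives only via the CSR does not count for the subject-defaulting rule in determine_subj() nor for the RFC 5280 "critical if subject is empty" rule, and the SAN added from ctx->subjectAltNames (L353-L355) or the default SANs taken from refcert (L336-L338) may end up next to a SAN already present from the CSR. Whether add1_extension() replaces an existing SAN is not visible here, so this may already be handled; if it is, the intended precedence between CSR extensions, reqExtensions and -sans should be stated in a comment near L347, and if it is not, the CSR SAN should be routed through the same replace logic as add_extensions(). The enclosing function starts and ends outside this hunk.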
{
OSSL_CMP_MSG *msg = NULL;
OSSL_CMP_REVDETAILS *rd;
+ int ret;
- if (!ossl_assert(ctx != NULL && ctx->oldCert != NULL))
+ if (!ossl_assert(ctx != NULL && (ctx->oldCert != NULL
+ || ctx->p10CSR != NULL)))
return NULL;
if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL)
goto err;
/* Fill the template from the contents of the certificate to be revoked */
- if (!OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
- NULL /* pubkey would be redundant */,
- NULL /* subject would be redundant */,
- X509_get_issuer_name(ctx->oldCert),
- X509_get0_serialNumber(ctx->oldCert)))
+ ret = ctx->oldCert != NULL
+ ? OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
+ NULL /* pubkey would be redundant */,
+ NULL /* subject would be redundant */,
+ X509_get_issuer_name(ctx->oldCert),
+ X509_get0_serialNumber(ctx->oldCert))
+ : OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
+ X509_REQ_get0_pubkey(ctx->p10CSR),
+ X509_REQ_get_subject_name(ctx->p10CSR),
+ NULL, NULL);
+ if (!ret)
goto err;
/* revocation reason code is optional */
OSSL_CRMF_CERTID *cid_copy = NULL;
OSSL_CMP_MSG *msg = NULL;
- if (!ossl_assert(ctx != NULL && si != NULL && cid != NULL))
+ if (!ossl_assert(ctx != NULL && si != NULL))
return NULL;
if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RP)) == NULL)
if ((rep->revCerts = sk_OSSL_CRMF_CERTID_new_null()) == NULL)
goto err;
- if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
- goto err;
- if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
- OSSL_CRMF_CERTID_free(cid_copy);
- goto err;
+ if (cid != NULL) {
+ if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
+ goto err;
+ if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
+ OSSL_CRMF_CERTID_free(cid_copy);
+ goto err;
+ }
}
if (!unprot_err
{
OSSL_CMP_MSG *msg = NULL;
OSSL_CMP_REVDETAILS *details;
- OSSL_CRMF_CERTID *certId;
+ OSSL_CRMF_CERTID *certId = NULL;
OSSL_CRMF_CERTTEMPLATE *tmpl;
const X509_NAME *issuer;
ASN1_INTEGER *serial;
tmpl = details->certDetails;
issuer = OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl);
serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl);
- /* here issuer and serial may safely be NULL */
- if ((certId = OSSL_CRMF_CERTID_gen(issuer, serial)) == NULL)
+ if (issuer != NULL && serial != NULL
+ && (certId = OSSL_CRMF_CERTID_gen(issuer, serial)) == NULL)
return NULL;
if ((si = srv_ctx->process_rr(srv_ctx, req, issuer, serial)) == NULL)
goto err;
[B<-policy_oids_critical>]
[B<-popo> I<number>]
[B<-csr> I<filename>]
-[B<-out_trusted> I<filenames>]
+[B<-out_trusted> I<filenames>|I<uris>]
[B<-implicit_confirm>]
[B<-disable_confirm>]
[B<-certout> I<filename>]
Certificate enrollment and revocation options:
-[B<-oldcert> I<filename>]
+[B<-oldcert> I<filename>|I<uri>]
[B<-revreason> I<number>]
Message transfer options:
Server authentication options:
-[B<-trusted> I<filenames>]
+[B<-trusted> I<filenames>|I<uris>]
[B<-untrusted> I<sources>]
-[B<-srvcert> I<filename>]
+[B<-srvcert> I<filename>|I<uri>]
[B<-recipient> I<name>]
[B<-expect_sender> I<name>]
[B<-ignore_keyusage>]
[B<-ref> I<value>]
[B<-secret> I<arg>]
-[B<-cert> I<filename>]
-[B<-own_trusted> I<filenames>]
-[B<-key> I<filename>]
+[B<-cert> I<filename>|I<uri>]
+[B<-own_trusted> I<filenames>|I<uris>]
+[B<-key> I<filename>|I<uri>]
[B<-keypass> I<arg>]
[B<-digest> I<name>]
[B<-mac> I<name>]
TLS connection options:
[B<-tls_used>]
-[B<-tls_cert> I<filename>]
+[B<-tls_cert> I<filename>|I<uri>]
[B<-tls_key> I<filename>|I<uri>]
[B<-tls_keypass> I<arg>]
-[B<-tls_extra> I<filenames>]
-[B<-tls_trusted> I<filenames>]
+[B<-tls_extra> I<filenames>|I<uris>]
+[B<-tls_trusted> I<filenames>|I<uris>]
[B<-tls_host> I<name>]
Client-side debugging options:
[B<-max_msgs> I<number>]
[B<-srv_ref> I<value>]
[B<-srv_secret> I<arg>]
-[B<-srv_cert> I<filename>]
-[B<-srv_key> I<filename>]
+[B<-srv_cert> I<filename>|I<uri>]
+[B<-srv_key> I<filename>|I<uri>]
[B<-srv_keypass> I<arg>]
-[B<-srv_trusted> I<filenames>]
-[B<-srv_untrusted> I<filenames>]
-[B<-rsp_cert> I<filename>]
-[B<-rsp_extracerts> I<filenames>]
-[B<-rsp_capubs> I<filenames>]
+[B<-srv_trusted> I<filenames>|I<uris>]
+[B<-srv_untrusted> I<filenames>|I<uris>]
+[B<-rsp_cert> I<filename>|I<uri>]
+[B<-rsp_extracerts> I<filenames>|I<uris>]
+[B<-rsp_capubs> I<filenames>|I<uris>]
[B<-poll_count> I<number>]
[B<-check_after> I<number>]
[B<-grant_implicitconf>]
initialized to the PKI hierarchy.
B<p10cr> requests issuing an additional certificate similarly to B<cr>
-but uses PKCS#10 CSR format.
+but using PKCS#10 CSR format.
B<kur> requests a (key) update for an existing, given certificate.
X509 Distinguished Name (DN) of subject to use in the requested certificate
template.
-For KUR, it defaults to the subject DN of the reference certificate
-(see B<-oldcert>).
+For KUR, it defaults to the subject DN of any given CSR
+or of the reference certificate (see B<-oldcert>) if provided.
This default is used for IR and CR only if no SANs are set.
-The subject DN is also used as fallback sender of outgoing CMP messages
+The provided subject DN is also used as fallback sender of outgoing CMP messages
if no B<-cert> and no B<-oldcert> are given.
The argument must be formatted as I</type0=value0/type1=value1/type2=...>.
=item B<-csr> I<filename>
-PKCS#10 CSR in PEM or DER format to use in legacy P10CR messages.
+PKCS#10 CSR in PEM or DER format containing a certificate request.
+When used with a with B<-cmd> I<p10cr> used directly in a legacy P10CR message.
+When used with B<-cmd> I<ir>, I<cr>, or I<kur>, it is tranformed into the
+respective regular CMP request.
+It may also be used with B<-cmd> I<rr> to specifiy the certificate to be revoked
+via the included subject and public key.
-=item B<-out_trusted> I<filenames>
+=item B<-out_trusted> I<filenames>|I<uris>
Trusted certificate(s) to use for verifying the newly enrolled certificate.
-Multiple filenames may be given, separated by commas and/or whitespace
+Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
=over 4
-=item B<-oldcert> I<filename>
+=item B<-oldcert> I<filename>|I<uri>]
The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request
(KUR) messages or to be revoked in Revocation Request (RR) messages.
-It must be given for RR, while for KUR it defaults to B<-cert>.
+For RR the certificate to be revoked can also be specified using B<-csr>.
+For KUR certificate to be updated defaults to B<-cert>, and the resulting certificate is called
+I<reference certificate>.
-The reference certificate determined in this way, if any, is also used for
+The reference certificate, if any, is also used for
deriving default subject DN and Subject Alternative Names and the
-default issuer entry in the requested certificate template of IR/CR/KUR.
+default issuer entry in the requested certificate template of a IR/CR/KUR.
Its subject is used as sender of outgoing messages if B<-cert> is not given.
Its issuer is used as default recipient in CMP message headers
if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given.
=over 4
-=item B<-trusted> I<filenames>
+=item B<-trusted> I<filenames>|I<uris>
When verifying signature-based protection of CMP response messages,
these are the CA certificate(s) to trust while checking certificate chains
If no B<-trusted>, B<-srvcert>, and B<-secret> option is given
then protected response messages from the server are not authenticated.
-Multiple filenames may be given, separated by commas and/or whitespace
+Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
when verifying the CMP server certificate (checking signature-based
CMP message protection) and when verifying newly enrolled certificates.
-Multiple filenames may be given, separated by commas and/or whitespace.
+Multiple sources may be given, separated by commas and/or whitespace.
Each file may contain multiple certificates.
-=item B<-srvcert> I<filename>
+=item B<-srvcert> I<filename>|I<uri>]
The specific CMP server certificate to expect and directly trust (even if it is
expired) when verifying signature-based protection of CMP response messages.
For more information about the format of B<arg> see
L<openssl-passphrase-options(1)>.
-=item B<-cert> I<filename>
+=item B<-cert> I<filename>|I<uri>]
The client's current CMP signer certificate.
Requires the corresponding key to be given with B<-key>.
because they typically constitute the chain of the client certificate, which
is included in the extraCerts field in signature-protected request messages.
-=item B<-own_trusted> I<filenames>
+=item B<-own_trusted> I<filenames>|I<uris>
If this list of certificates is provided then the chain built for
the client-side CMP signer certificate given with the B<-cert> option
is verified using the given certificates as trust anchors.
-Multiple filenames may be given, separated by commas and/or whitespace
+Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
have no effect on the certificate verification enabled via this option.
-=item B<-key> I<filename>
+=item B<-key> I<filename>|I<uri>]
The corresponding private key file for the client's current certificate given in
the B<-cert> option.
Certificates to append in the extraCerts field when sending messages.
They can be used as the default CMP signer certificate chain to include.
-Multiple filenames or URLs may be given, separated by commas and/or whitespace
+Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
Enable using TLS (even when other TLS_related options are not set)
when connecting to CMP server.
-=item B<-tls_cert> I<filename>
+=item B<-tls_cert> I<filename>|I<uri>]
Client's TLS certificate.
-If the file includes further certs they are used (along with B<-untrusted>
+If the source includes further certs they are used (along with B<-untrusted>
certs) for constructing the client cert chain provided to the TLS server.
=item B<-tls_key> I<filename>|I<uri>
For more information about the format of B<arg> see
L<openssl-passphrase-options(1)>.
-=item B<-tls_extra> I<filenames>
+=item B<-tls_extra> I<filenames>|I<uris>
Extra certificates to provide to TLS server during TLS handshake
-=item B<-tls_trusted> I<filenames>
+=item B<-tls_trusted> I<filenames>|I<uris>
Trusted certificate(s) to use for verifying the TLS server certificate.
This implies hostname validation.
-Multiple filenames may be given, separated by commas and/or whitespace
+Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
Password source for server authentication with a pre-shared key (secret).
-=item B<-srv_cert> I<filename>
+=item B<-srv_cert> I<filename>|I<uri>]
Certificate of the server.
-=item B<-srv_key> I<filename>
+=item B<-srv_key> I<filename>|I<uri>]
Private key used by the server for signing messages.
Server private key (and cert) file pass phrase source.
-=item B<-srv_trusted> I<filenames>
+=item B<-srv_trusted> I<filenames>|I<uris>
Trusted certificates for client authentication.
B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
have no effect on the certificate verification enabled via this option.
-=item B<-srv_untrusted> I<filenames>
+=item B<-srv_untrusted> I<filenames>|I<uris>
Intermediate CA certs that may be useful when verifying client certificates.
-=item B<-rsp_cert> I<filename>
+=item B<-rsp_cert> I<filename>|I<uri>]
Certificate to be returned as mock enrollment result.
-=item B<-rsp_extracerts> I<filenames>
+=item B<-rsp_extracerts> I<filenames>|I<uris>
Extra certificates to be included in mock certification responses.
-=item B<-rsp_capubs> I<filenames>
+=item B<-rsp_capubs> I<filenames>|I<uris>
CA certificates to be included in mock Initialization Response (IP) message.
#define OSSL_CMP_KUR
int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
const OSSL_CRMF_MSG *crm, int *checkAfter);
- X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
+ int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx);
=head1 DESCRIPTION
and the output parameter I<checkAfter> has been used to
assign the received value unless I<checkAfter> is NULL.
-OSSL_CMP_exec_RR_ses() returns the
-pointer to the revoked certificate on success, NULL on error.
-This pointer will be freed implicitly by OSSL_CMP_CTX_free().
+OSSL_CMP_exec_RR_ses() returns 1 on success, 0 on error.
OSSL_CMP_exec_GENM_ses() returns a
pointer to the received B<ITAV> sequence on success, NULL on error.
OSSL_CMP_exec_certreq(ctx, OSSL_CMP_KUR, NULL)
int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
const OSSL_CRMF_MSG *crm, int *checkAfter);
-X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
+int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx);
# ifdef __cplusplus
static int execute_exec_RR_ses_test(CMP_SES_TEST_FIXTURE *fixture)
{
return TEST_int_eq(fixture->expected,
- OSSL_CMP_exec_RR_ses(fixture->cmp_ctx) == client_cert);
+ OSSL_CMP_exec_RR_ses(fixture->cmp_ctx) == 1);
}
static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture)
0, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK,
0,revreason AACompromise, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,_RESULT_DIR/test.cert.pem, -revreason,10
0, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK,
+0, --- use csr for revocation ----, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,,BLANK, -revreason,0, -csr,csr.pem
+0, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK,
1,without oldcert, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,,BLANK,
-1,oldcert is directory, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,dir/,BLANK,
+1,oldcert is directory, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,dir/,BLANK,cmp
1,oldcert file nonexistent, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,idontexist,BLANK,
1,empty oldcert file, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,empty.txt,BLANK,
1,oldcert and key do not match, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,trusted.crt, -revreason,0
1,oldcert empty file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_oldcert4.pem,, -out_trusted,root.crt,, -oldcert,empty.txt,BLANK,,,
1,oldcert random contents, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_oldcert5.pem,, -out_trusted,root.crt,, -oldcert,random.bin,BLANK,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
-0,csr ignored for ir, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_csr_ignored.pem,, -out_trusted,root.crt,,BLANK,, -csr,idontexist,,
+0,csr used in ir, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_csr_ignored.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,,
0,p10cr csr, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,,
1,p10cr csr missing, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr1.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
1,p10cr csr missing arg, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr1.pem,, -out_trusted,root.crt,,BLANK,, -csr,,,
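Review bot: The renamed test case at L686 ("csr used in ir") still writes its result to `_RESULT_DIR/test.certout_csr_ignored.pem`, which now contradicts the test's name and will confuse anyone inspecting the artifacts; a name such as `_RESULT_DIR/test.certout_csr_used.pem` keeps them consistent. Nothing in this view shows which column the extra `cmp` value appended at L678 is matched against, so I cannot judge that change.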