From 1693135564d00e34ca9f41ff785b5d60e3500415 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Wed, 20 May 2020 15:10:05 +0200
Subject: [PATCH 1/1] Allow subject of CMP -oldcert as sender unless protection cert is given

Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/11998)
---
 crypto/cmp/cmp_hdr.c | 9 +++++----
 doc/man1/openssl-cmp.pod.in | 5 +++--
 doc/man3/OSSL_CMP_CTX_new.pod | 3 ++-
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/crypto/cmp/cmp_hdr.c b/crypto/cmp/cmp_hdr.c
index 7f2506ba9e..38b3bce3f5 100644
--- a/crypto/cmp/cmp_hdr.c
+++ b/crypto/cmp/cmp_hdr.c
@@ -300,11 +300,12 @@ int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr)
 return 0;

 /*
- * The sender name is copied from the subject of the client cert, if any,
- * or else from the subject name provided for certification requests.
+ * If neither protection cert nor oldCert nor subject are given,
+ * sender name is not known to the client and thus set to NULL-DN
 */
- sender = ctx->cert != NULL ?
- X509_get_subject_name(ctx->cert) : ctx->subjectName;
+ sender = ctx->cert != NULL ? X509_get_subject_name(ctx->cert) :
+ ctx->oldCert != NULL ? X509_get_subject_name(ctx->oldCert) :
+ ctx->subjectName;

 if (!ossl_cmp_hdr_set1_sender(hdr, sender))
 return 0;
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index aac322b528..0615fffa4e 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
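Review bot: The new comment above the `sender =` assignment documents only the fall-through case and not the precedence the nested ternary implements, and it says the sender is "set to NULL-DN" while the code actually hands a NULL pointer to ossl_cmp_hdr_set1_sender(), so the NULL-DN encoding presumably happens inside that helper rather than here. I would replace it with `/* sender = subject of protection cert, else of oldCert, else ctx->subjectName; NULL means "not known" and is expected to be encoded as NULL-DN by ossl_cmp_hdr_set1_sender() */`. A caveat worth one more sentence in that comment: when the name is taken from oldCert, the message is presumably not signature-protected with that cert (otherwise ctx->cert would be set), so the sender field is informational only and a peer must identify the protection key from the protection itself, not from this name. As a point of style, writing the three-way choice as `if (ctx->cert != NULL) ... else if (ctx->oldCert != NULL) ... else ...` would make the precedence easier to audit than a chained `?:`; ossl_cmp_hdr_init() begins before and continues after this hunk.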
@@ -393,8 +393,9 @@ It must be given for RR, while for KUR it defaults to B<-cert>.
 The reference certificate determined in this way, if any, is also used for deriving default subject DN and Subject Alternative Names for IR, CR, and KUR.
-Its issuer, if any, is used as default recipient in the CMP message header
-if neither B<-srvcert>, B<-recipient>, nor B<-issuer> is available.
+Its subject is used as sender in CMP message headers if B<-cert> is not given.
+Its issuer is used as default recipient in CMP message headers
+if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given.
 =item B<-revreason> I
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index f8fee277e2..e9ca5f18a8 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -520,7 +520,8 @@ Key Update Requests (KUR) or to be revoked in Revocation Requests (RR).
 It must be given for RR, else it defaults to the protection B.
 The B determined in this way, if any, is also used for deriving default subject DN and Subject Alternative Names for IR, CR, and KUR.
-Its issuer, if any, is used as default recipient in the CMP message header.
+Its subject is used as sender in CMP message headers if no protection cert is given.
+Its issuer is used as default recipient in CMP message headers.
 OSSL_CMP_CTX_set1_p10CSR() sets the PKCS#10 CSR to be used in P10CR.
--
2.34.1