From: Dr. David von Oheimb Date: Sun, 14 Feb 2021 19:25:42 +0000 (+0100) Subject: apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR X-Git-Tag: openssl-3.0.0-alpha12~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b51bed05c2ab54a1933b5c18862e68cd4540278c;p=thirdparty%2Fopenssl.git apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR Also improve doc how the -reqexts option affects the CSR given with the -csr option. Reviewed-by: David von Oheimb Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/14181) --- diff --git a/apps/cmp.c b/apps/cmp.c index 1dbd1f73399..887ec5d22ef 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1601,6 +1601,10 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) */ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) { + X509_REQ *csr = NULL; + X509_EXTENSIONS *exts = NULL; + X509V3_CTX ext_ctx; + if (opt_subject == NULL && opt_csr == NULL && opt_oldcert == NULL && opt_cert == NULL && opt_cmd != CMP_RR && opt_cmd != CMP_GENM) @@ -1648,30 +1652,41 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) return 0; } + if (opt_csr != NULL) { + if (opt_cmd == CMP_GENM) { + CMP_warn("-csr option is ignored for genm command"); + } else { + csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr"); + if (csr == NULL) + return 0; + if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) { + X509_REQ_free(csr); + goto oom; + } + } + } if (opt_reqexts != NULL || opt_policies != NULL) { - X509V3_CTX ext_ctx; - X509_EXTENSIONS *exts = sk_X509_EXTENSION_new_null(); - - if (exts == NULL) - return 0; - X509V3_set_ctx(&ext_ctx, NULL, NULL, NULL, NULL, 0); + if ((exts = sk_X509_EXTENSION_new_null()) == NULL) + goto exts_err; + X509V3_set_ctx(&ext_ctx, NULL, NULL, csr, NULL, X509V3_CTX_REPLACE); X509V3_set_nconf(&ext_ctx, conf); if (opt_reqexts != NULL && !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_reqexts, &exts)) { CMP_err1("cannot load certificate request extension section '%s'", opt_reqexts); - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - return 0; + goto exts_err; } if (opt_policies != NULL && !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_policies, &exts)) { CMP_err1("cannot load policy cert request extension section '%s'", opt_policies); - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - return 0; + goto exts_err; } OSSL_CMP_CTX_set0_reqExtensions(ctx, exts); + exts = NULL; } + X509_REQ_free(csr); + csr = NULL; if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) && opt_sans != NULL) { CMP_err("cannot have Subject Alternative Names both via -reqexts and via -sans"); return 0; @@ -1720,22 +1735,6 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (opt_popo >= OSSL_CRMF_POPO_NONE) (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_POPO_METHOD, opt_popo); - if (opt_csr != NULL) { - if (opt_cmd == CMP_GENM) { - CMP_warn("-csr option is ignored for genm command"); - } else { - X509_REQ *csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr"); - - if (csr == NULL) - return 0; - if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) { - X509_REQ_free(csr); - goto oom; - } - X509_REQ_free(csr); - } - } - if (opt_oldcert != NULL) { if (opt_cmd == CMP_GENM) { CMP_warn("-oldcert option is ignored for genm command"); @@ -1762,6 +1761,9 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) oom: CMP_err("out of memory"); + exts_err: + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + X509_REQ_free(csr); return 0; } diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 3f2b742a369..9800de6465b 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -298,6 +298,8 @@ validity period starts from the current time (as seen by the host). =item B<-reqexts> I Name of section in OpenSSL config file defining certificate request extensions. +If the B<-csr> option is present, these extensions augment the extensions +contained the given PKCS#10 CSR, overriding any extensions with same OIDs. =item B<-sans> I