From: Dr. David von Oheimb
Date: Fri, 13 Nov 2020 20:45:46 +0000 (+0100)
Subject: ossl_cmp_certreq_new(): Fix POPO key mismatch in case newPkey is just public key
X-Git-Tag: openssl-3.0.0-alpha9~32
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f87ead980187ba39c66eb6ed5825603ea343b73f;p=thirdparty%2Fopenssl.git
ossl_cmp_certreq_new(): Fix POPO key mismatch in case newPkey is just public key
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/13409)
---
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 1a4a8731687..45cda58879b 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -334,7 +334,12 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
 if (type != OSSL_CMP_PKIBODY_P10CR) {
 EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
- if (privkey == NULL)
+ /*
+ * privkey is NULL in case ctx->newPkey does not include a private key.
+ * We then may try to use ctx->pkey as fallback/default, but only
+ * if ctx-> newPkey does not include a (non-matching) public key:
+ */
+ if (privkey == NULL && OSSL_CMP_CTX_get0_newPkey(ctx, 0) == NULL)
 privkey = ctx->pkey; /* default is independent of ctx->oldCert */
 if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) {
 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);
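Review bot: The comment added above the new condition speaks of a "(non-matching)" public key, but `OSSL_CMP_CTX_get0_newPkey(ctx, 0) == NULL` only tests whether any key is set, so the `ctx->pkey` fallback is refused even when the public key in newPkey would match it. The comment should state that, for example `* if ctx->newPkey holds no key at all (a public-only newPkey is never paired with ctx->pkey):`, which also removes the stray space in `ctx-> newPkey`. The getter is defined outside this hunk; if it already returns ctx->pkey when newPkey is unset, the assignment `privkey = ctx->pkey;` can only ever store NULL, which is worth confirming. A regression test with a public-only newPkey and `OSSL_CRMF_POPO_SIGNATURE` that expects `CMP_R_MISSING_PRIVATE_KEY` would pin the behaviour, since a proof-of-possession signed with an unrelated key is the failure this condition guards against. The body of ossl_cmp_certreq_new() starts and ends outside the hunk.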