static char *opt_expect_sender = NULL;
static int opt_ignore_keyusage = 0;
static int opt_unprotected_errors = 0;
+static int opt_ta_in_ip_extracerts = 0;
static int opt_no_cache_extracerts = 0;
static char *opt_srvcertout = NULL;
static char *opt_extracertsout = NULL;
OPT_EXPECT_SENDER,
OPT_IGNORE_KEYUSAGE,
OPT_UNPROTECTED_ERRORS,
+ OPT_TA_IN_IP_EXTRACERTS,
OPT_NO_CACHE_EXTRACERTS,
OPT_SRVCERTOUT,
OPT_EXTRACERTSOUT,
"certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf" },
{ OPT_MORE_STR, 0, 0,
"WARNING: This setting leads to behavior allowing violation of RFC 9810" },
+ { "ta_in_ip_extracerts", OPT_TA_IN_IP_EXTRACERTS, '-',
+ "Permit using self-issued certificates from the extraCerts in an IP message" },
+ { OPT_MORE_STR, 0, 0,
+ "as trust anchors under conditions defined by 3GPP TS 33.310" },
+ { OPT_MORE_STR, 0, 0,
+ "WARNING: This setting leads to behavior allowing violation of RFC 9810" },
{ "no_cache_extracerts", OPT_NO_CACHE_EXTRACERTS, '-',
"Do not keep certificates received in the extraCerts CMP message field" },
{ "srvcertout", OPT_SRVCERTOUT, 's',
{ &opt_trusted }, { &opt_untrusted }, { &opt_srvcert },
{ &opt_expect_sender },
{ (char **)&opt_ignore_keyusage }, { (char **)&opt_unprotected_errors },
+ { (char **)&opt_ta_in_ip_extracerts },
{ (char **)&opt_no_cache_extracerts },
{ &opt_srvcertout }, { &opt_extracertsout }, { &opt_cacertsout },
{ &opt_oldwithold }, { &opt_newwithnew }, { &opt_newwithold }, { &opt_oldwithnew },
if (opt_unprotected_errors)
(void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS, 1);
+ if (opt_ta_in_ip_extracerts) {
+ (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR, 1);
+ CMP_warn("permitting non-authenticated trust anchors in IP extracerts according to 3GPP TS 33.310");
+ }
if (opt_out_trusted != NULL) { /* for use in OSSL_CMP_certConf_cb() */
X509_VERIFY_PARAM *out_vpm = NULL;
case OPT_UNPROTECTED_ERRORS:
opt_unprotected_errors = 1;
break;
+ case OPT_TA_IN_IP_EXTRACERTS:
+ opt_ta_in_ip_extracerts = 1;
+ break;
case OPT_NO_CACHE_EXTRACERTS:
opt_no_cache_extracerts = 1;
break;
[B<-expect_sender> I<name>]
[B<-ignore_keyusage>]
[B<-unprotected_errors>]
+[B<-ta_in_ip_extracerts>]
[B<-no_cache_extracerts>]
[B<-srvcertout> I<filename>]
[B<-extracertsout> I<filename>]
=back
+=item B<-ta_in_ip_extracerts>
+
+This is a quirk option added to support 3GPP TS 33.310.
+B<WARNING:> This leads to behavior violating RFCs 4210 and 9810.
+
+It allows using self-issued certificates from the extraCerts in an IP message
+as non-authenticated trust anchors when validating the CMP message protection certificate
+in this and any subsequent responses from the server in the same transaction,
+but only if these extraCerts can also be used as trust anchors for validating
+the newly enrolled certificate received in the IP message.
+
+Note that using this option is dangerous as the to-be-trusted certificates
+obtained this way have not been authenticated (at least not at CMP level).
+Taking them over as initial trust anchors
+implements a form of trust-on-first-use (TOFU).
+
=item B<-no_cache_extracerts>
Do not cache certificates in the extraCerts field of CMP messages received.
B<-centralkeygen>, B<-newkeyout>, B<-rsp_key> and
B<-rsp_keypass> were added in OpenSSL 3.5.
+The B<-ta_in_ip_extracerts> quirk option was added in OpenSSL 4.0.
+
The B<-engine> option was removed in OpenSSL 4.0.
=head1 COPYRIGHT
projects / thirdparty / openssl.git / commitdiff
