From: Dr. David von Oheimb
Date: Fri, 7 Feb 2025 09:50:02 +0000 (+0100)
Subject: OSSL_CMP_get1_rootCaKeyUpdate(): warn if genp contains oldWithNew certificate but...
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=92b45f0fb647f5578616ecb4777ee042ae485cef;p=thirdparty%2Fopenssl.git
OSSL_CMP_get1_rootCaKeyUpdate(): warn if genp contains oldWithNew certificate but not oldWithOld
Reviewed-by: Eugene Syromiatnikov
Reviewed-by: Paul Dale
MergeDate: Tue Mar 24 17:06:56 2026 (Merged from https://github.com/openssl/openssl/pull/29074)
---
diff --git a/crypto/cmp/cmp_genm.c b/crypto/cmp/cmp_genm.c
index 1c7ed9757d7..86bad3a7445 100644
--- a/crypto/cmp/cmp_genm.c
+++ b/crypto/cmp/cmp_genm.c
@@ -336,11 +336,14 @@ int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx,
 ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ROOTCAKEYUPDATE);
 goto end;
 }
- if (oldWithOld != NULL && my_oldWithNew != NULL
- && !verify_ss_cert_trans(ctx, *newWithNew, my_oldWithNew,
- oldWithOld_copy, "oldWithOld")) {
- ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ROOTCAKEYUPDATE);
- goto end;
+ if (my_oldWithNew != NULL) {
+ if (oldWithOld == NULL) {
+ ossl_cmp_log(WARN, ctx, "oldWithNew certificate received in genp for verifying oldWithOld, but oldWithOld was not provided");
+ } else if (!verify_ss_cert_trans(ctx, *newWithNew, my_oldWithNew,
+ oldWithOld_copy, "oldWithOld")) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ROOTCAKEYUPDATE);
+ goto end;
+ }
 }
 if (!X509_up_ref(*newWithNew))
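Review bot: In the new `oldWithOld == NULL` branch the received oldWithNew certificate is never passed to verify_ss_cert_trans(), and the only trace of that is a WARN log line that a caller cannot act on programmatically. The function continues past the end of the hunk, so if my_oldWithNew is later handed back through an output parameter (not visible here), the caller gets a transition certificate that was never checked. I would state that at the branch, e.g. `/* oldWithNew cannot be checked without oldWithOld; it is passed on unverified */`, and repeat the caveat in the function's documentation so callers do not treat a successful return as covering oldWithNew. The log call is also one very long source line; splitting the string literal across two lines would match the wrapping used for the verify_ss_cert_trans() call just below it.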