From: Dr. David von Oheimb
Date: Thu, 10 Jul 2025 15:37:11 +0000 (+0200)
Subject: apps/cmp.c: add -ta_in_ip_extracerts permitting non-authenticated trust anchors in...
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7d5206e892e14fd380e3f04401a47de7c759818;p=thirdparty%2Fopenssl.git

apps/cmp.c: add -ta_in_ip_extracerts permitting non-authenticated trust anchors in IP extracerts according to 3GPP TS 33.310

Fixes #27888

Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/28015)
---

diff --git a/apps/cmp.c b/apps/cmp.c
index 126e1412cb4..990112b64dd 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -87,6 +87,7 @@ static char *opt_srvcert = NULL;
 static char *opt_expect_sender = NULL;
 static int opt_ignore_keyusage = 0;
 static int opt_unprotected_errors = 0;
+static int opt_ta_in_ip_extracerts = 0;
 static int opt_no_cache_extracerts = 0;
 static char *opt_srvcertout = NULL;
 static char *opt_extracertsout = NULL;
@@ -281,6 +282,7 @@ typedef enum OPTION_choice {
     OPT_EXPECT_SENDER,
     OPT_IGNORE_KEYUSAGE,
     OPT_UNPROTECTED_ERRORS,
+    OPT_TA_IN_IP_EXTRACERTS,
     OPT_NO_CACHE_EXTRACERTS,
     OPT_SRVCERTOUT,
     OPT_EXTRACERTSOUT,
@@ -509,6 +511,12 @@ const OPTIONS cmp_options[] = {
      "certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf" },
     { OPT_MORE_STR, 0, 0,
      "WARNING: This setting leads to behavior allowing violation of RFC 9810" },
+    { "ta_in_ip_extracerts", OPT_TA_IN_IP_EXTRACERTS, '-',
+     "Permit using self-issued certificates from the extraCerts in an IP message" },
+    { OPT_MORE_STR, 0, 0,
+     "as trust anchors under conditions defined by 3GPP TS 33.310" },
+    { OPT_MORE_STR, 0, 0,
+     "WARNING: This setting leads to behavior allowing violation of RFC 9810" },
     { "no_cache_extracerts", OPT_NO_CACHE_EXTRACERTS, '-',
      "Do not keep certificates received in the extraCerts CMP message field" },
     { "srvcertout", OPT_SRVCERTOUT, 's',
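Review bot: The new help entries for ta_in_ip_extracerts leave out the trust-on-first-use nature that the accompanying pod text states, so an operator reading only the command help sees the RFC caveat but not that the anchors taken over are unauthenticated at CMP level. A further line after the WARNING entry, `{ OPT_MORE_STR, 0, 0, "(trust-on-first-use: such anchors are not authenticated at CMP level)" },` would close that gap. The pod text also names RFCs 4210 and 9810 while this WARNING, like the neighbouring unprotected_errors one, names only RFC 9810; aligning the two would keep the help from understating the scope. cmp_options[] continues outside the hunk.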
@@ -727,6 +735,7 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
     { &opt_trusted }, { &opt_untrusted }, { &opt_srvcert }, { &opt_expect_sender }, { (char **)&opt_ignore_keyusage }, { (char **)&opt_unprotected_errors },
+    { (char **)&opt_ta_in_ip_extracerts },
     { (char **)&opt_no_cache_extracerts }, { &opt_srvcertout }, { &opt_extracertsout }, { &opt_cacertsout }, { &opt_oldwithold }, { &opt_newwithnew }, { &opt_newwithold }, { &opt_oldwithnew },
@@ -1391,6 +1400,10 @@ static int setup_verification_ctx(OSSL_CMP_CTX *ctx)
     if (opt_unprotected_errors)
         (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS, 1);
+    if (opt_ta_in_ip_extracerts) {
+        (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR, 1);
+        CMP_warn("permitting non-authenticated trust anchors in IP extracerts according to 3GPP TS 33.310");
+    }
     if (opt_out_trusted != NULL) { /* for use in OSSL_CMP_certConf_cb() */
         X509_VERIFY_PARAM *out_vpm = NULL;
@@ -2963,6 +2976,9 @@ static int get_opts(int argc, char **argv)
         case OPT_UNPROTECTED_ERRORS:
             opt_unprotected_errors = 1;
             break;
+        case OPT_TA_IN_IP_EXTRACERTS:
+            opt_ta_in_ip_extracerts = 1;
+            break;
         case OPT_NO_CACHE_EXTRACERTS:
             opt_no_cache_extracerts = 1;
             break;
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 696df2febda..b12ca950ab2 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -70,6 +70,7 @@ Server authentication options:
 [B<-expect_sender> I]
 [B<-ignore_keyusage>]
 [B<-unprotected_errors>]
+[B<-ta_in_ip_extracerts>]
 [B<-no_cache_extracerts>]
 [B<-srvcertout> I]
 [B<-extracertsout> I]
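Review bot: In setup_verification_ctx the new block enables OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR and prints the warning whenever the flag is given, independent of which command is run and of whether an IP is ever received; if the library honours the option only for ir, as its name suggests, the warning is misleading for other commands, and if it does not, the relaxation is wider than the help text describes. Consider confining the set_option call and the CMP_warn to the ir case where the command is known, or stating the scope in the message, e.g. `CMP_warn("permitting non-authenticated trust anchors from IP extracerts for this transaction according to 3GPP TS 33.310");`. A short comment above the block, such as `/* 3GPP TS 33.310 quirk (TOFU): self-issued certs in IP extraCerts may serve as trust anchors for validating the protection cert; see -ta_in_ip_extracerts */`, would tell the next reader why this bypass exists. setup_verification_ctx's body continues outside the hunk.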
@@ -715,6 +716,22 @@ with a signature key."
 =back
+=item B<-ta_in_ip_extracerts>
+
+This is a quirk option added to support 3GPP TS 33.310.
+B This leads to behavior violating RFCs 4210 and 9810.
+
+It allows using self-issued certificates from the extraCerts in an IP message
+as non-authenticated trust anchors when validating the CMP message protection certificate
+in this and any subsequent responses from the server in the same transaction,
+but only if these extraCerts can also be used as trust anchors for validating
+the newly enrolled certificate received in the IP message.
+
+Note that using this option is dangerous as the to-be-trusted certificates
+obtained this way have not been authenticated (at least not at CMP level).
+Taking them over as initial trust anchors
+implements a form of trust-on-first-use (TOFU).
+
 =item B<-no_cache_extracerts>
 Do not cache certificates in the extraCerts field of CMP messages received.
@@ -1513,6 +1530,8 @@ and B<-rsp_crl> options were added in OpenSSL 3.4.
 B<-centralkeygen>, B<-newkeyout>, B<-rsp_key> and B<-rsp_keypass> were added in OpenSSL 3.5.
+The B<-ta_in_ip_extracerts> quirk option was added in OpenSSL 4.0.
+
 The B<-engine> option was removed in OpenSSL 4.0.
 =head1 COPYRIGHT