From: Dr. David von Oheimb
Date: Mon, 19 Dec 2022 10:09:33 +0000 (+0100)
Subject: CMP app: make -ignore_keyusage apply also for mock server
X-Git-Tag: openssl-3.3.0-alpha1~295
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fd514375e22d3039ab0ab12e3017aadf2c38b761;p=thirdparty%2Fopenssl.git
CMP app: make -ignore_keyusage apply also for mock server
Reviewed-by: Shane Lontis
Reviewed-by: Tomas Mraz
Reviewed-by: David von Oheimb
(Merged from https://github.com/openssl/openssl/pull/19948)
---
diff --git a/apps/cmp.c b/apps/cmp.c
index e0b03c3cb59..8a0d182fbe6 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1238,9 +1238,6 @@ static int setup_verification_ctx(OSSL_CMP_CTX *ctx)
 }
 }
- if (opt_ignore_keyusage)
- (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_IGNORE_KEYUSAGE, 1);
-
 if (opt_unprotected_errors)
 (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS, 1);
@@ -3244,6 +3241,9 @@ int cmp_main(int argc, char **argv)
 }
 #endif
+ if (opt_ignore_keyusage)
+ (void)OSSL_CMP_CTX_set_option(cmp_ctx, OSSL_CMP_OPT_IGNORE_KEYUSAGE, 1);
+
 if (opt_use_mock_srv
 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
 || opt_port != NULL
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 21e4bd95b72..b42c4227669 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -632,6 +632,7 @@ For details see the description of the B<-subject> option.
 Ignore key usage restrictions in CMP signer certificates when validating signature-based protection of incoming CMP messages. By default, C must be allowed by CMP signer certificates.
+This option applies to both CMP clients and the mock server.
 =item B<-unprotected_errors>
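Review bot: The relocated `OSSL_CMP_CTX_set_option(cmp_ctx, OSSL_CMP_OPT_IGNORE_KEYUSAGE, 1)` call in `cmp_main` (second hunk of apps/cmp.c) has no comment explaining why it sits ahead of the `opt_use_mock_srv` / `opt_port` branch rather than in `setup_verification_ctx`. A later cleanup could move it back and silently drop the mock-server case, so I would add `/* set before the client/server split so that it also covers the mock server */` above the `if`. The option relaxes validation of signature-based protection and is applied to `cmp_ctx`, but the hunk does not show which context the mock server uses to validate incoming requests. It is worth confirming that the server path actually picks the setting up from there, ideally with a test that sends a request protected by a signer certificate whose key usage does not permit signing. `cmp_main` starts and ends outside the hunk.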