OSSL_CMP_get1_rootCaKeyUpdate(): warn if genp contains oldWithNew certificate but...
authorDr. David von Oheimb <dev@ddvo.net>
Fri, 7 Feb 2025 09:50:02 +0000 (10:50 +0100)
committerTomas Mraz <tomas@openssl.foundation>
Tue, 24 Mar 2026 17:06:45 +0000 (18:06 +0100)
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:06:56 2026
(Merged from https://github.com/openssl/openssl/pull/29074)

crypto/cmp/cmp_genm.c

index 1c7ed9757d7fc43ee08efb642e66a517545b1e37..86bad3a7445fe1dbb88e538cc2c143f33043668a 100644 (file)
@@ -336,11 +336,14 @@ int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx,
         ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ROOTCAKEYUPDATE);
         goto end;
     }
-    if (oldWithOld != NULL && my_oldWithNew != NULL
-        && !verify_ss_cert_trans(ctx, *newWithNew, my_oldWithNew,
-            oldWithOld_copy, "oldWithOld")) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ROOTCAKEYUPDATE);
-        goto end;
+    if (my_oldWithNew != NULL) {
+        if (oldWithOld == NULL) {
+            ossl_cmp_log(WARN, ctx, "oldWithNew certificate received in genp for verifying oldWithOld, but oldWithOld was not provided");
+        } else if (!verify_ss_cert_trans(ctx, *newWithNew, my_oldWithNew,
+                       oldWithOld_copy, "oldWithOld")) {
+            ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ROOTCAKEYUPDATE);
+            goto end;
+        }
     }
 
     if (!X509_up_ref(*newWithNew))
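Review bot: In the new `oldWithOld == NULL` branch, my_oldWithNew is accepted without any verify_ss_cert_trans() check, and only a WARN log records that; anything done with my_oldWithNew after this hunk (the rest of OSSL_CMP_get1_rootCaKeyUpdate is outside it) presumably must treat it as an unverified certificate, since the caller reading the log is the only one told. I would state that in the function's header comment, e.g. `oldWithNew from genp is only verified against oldWithOld when the caller supplies oldWithOld; otherwise it is passed through unverified`, so that callers who omit oldWithOld do not assume the returned oldWithNew has been checked. The warning itself could also say what is skipped rather than only what is missing, for instance `"oldWithNew certificate received in genp but oldWithOld not provided; skipping verification of oldWithNew"`. As a style point, the ossl_cmp_log() line is well over the usual 80-column limit for this file and should be wrapped like the surrounding calls.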