CMP client: fix error response on -csr without private key, also in docs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20832)

1 files changed, 17 insertions, 2 deletions

diff --git a/apps/cmp.c b/apps/cmp.c
index ec60e677c1..1cd8841b61 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1525,10 +1525,25 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
         CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback");
 
     if (opt_cmd == CMP_IR || opt_cmd == CMP_CR || opt_cmd == CMP_KUR) {
-        if (opt_newkey == NULL && opt_key == NULL && opt_csr == NULL) {
-            CMP_err("missing -newkey (or -key) to be certified and no -csr given");
+        if (opt_newkey == NULL
+            && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) {
+            CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, or -cert given for fallback public key");
             return 0;
         }
+        if (opt_newkey == NULL
+            && opt_popo != OSSL_CRMF_POPO_NONE
+            && opt_popo != OSSL_CRMF_POPO_RAVERIFIED) {
+            if (opt_csr != NULL) {
+                CMP_err1("no -newkey option given with private key for POPO, -csr option only provides public key%s",
+                        opt_key == NULL ? "" :
+                        ", and -key option superseded by by -csr");
+                return 0;
+            }
+            if (opt_key == NULL) {
+                CMP_err("missing -newkey (or -key) option for POPO");
+                return 0;
+            }
+        }
         if (opt_certout == NULL) {
             CMP_err("-certout not given, nowhere to save newly enrolled certificate");
             return 0;