author: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-08-28 12:11:31 +0200
committer: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-09-10 07:07:55 +0200
commit: a0745e2be6635ffdf286ba5bc3bd867c8d4152a9 (patch)
tree: 00d93474fb208fba1ce021a5a82d1effb933535b /doc
parent: Fix markdown nits in NOTES-Windows.txt (diff)
download: openssl-a0745e2be6635ffdf286ba5bc3bd867c8d4152a9.tar.xz
download: openssl-a0745e2be6635ffdf286ba5bc3bd867c8d4152a9.zip
Clean up CMP chain building for CMP signer, TLS client, and newly enrolled certs
* Use strengthened cert chain building, verifying chain using optional trust store while making sure that no certificate status (e.g., CRL) checks are done
* Use OSSL_CMP_certConf_cb() by default and move its doc to OSSL_CMP_CTX_new.pod
* Simplify certificate and cert store loading in apps/cmp.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12741)
Diffstat (limited to 'doc')
-rw-r--r--  doc/internal/man3/ossl_cmp_msg_protect.pod   2
-rw-r--r--  doc/man1/openssl-cmp.pod.in                  1
-rw-r--r--  doc/man3/OSSL_CMP_CTX_new.pod               19
-rw-r--r--  doc/man3/OSSL_CMP_exec_certreq.pod          15
4 files changed, 21 insertions, 16 deletions
diff --git a/doc/internal/man3/ossl_cmp_msg_protect.pod b/doc/internal/man3/ossl_cmp_msg_protect.pod
index 39f5146530..0a6b70fe9d 100644
--- a/doc/internal/man3/ossl_cmp_msg_protect.pod
+++ b/doc/internal/man3/ossl_cmp_msg_protect.pod
@@ -46,7 +46,7 @@ It also sets the protectionAlg field in the message header accordingly.
ossl_cmp_msg_add_extraCerts() adds elements to the extraCerts field in I<msg>.
If signature-based message protection is used it adds first the CMP signer cert
ctx->cert and then its chain ctx->chain. If this chain is not present in I<ctx>
-tries to build it using ctx->untrusted_certs and caches the result in ctx->chain.
+tries to build it using ctx->untrusted and caches the result in ctx->chain.
In any case all the certificates explicitly specified to be sent out (i.e.,
I<ctx->extraCertsOut>) are added. Note that it will NOT add the root certificate
of the chain, i.e, the trust anchor (unless it is part of extraCertsOut).
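Review bot: the sentence being edited is missing its subject in the unchanged context ("If this chain is not present in I<ctx> tries to build it" should read "If this chain is not present in I<ctx>, it tries to build it using ctx->untrusted ..."), and two lines below "i.e," lacks its period ("i.e.,"); since the line is already being rewritten for the field rename, both are worth fixing in the same hunk.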
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 623e3f7dee..75ee82211d 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -681,6 +681,7 @@ Defaults to C<hmac-sha1> as per RFC 4210.
=item B<-extracerts> I<sources>
Certificates to append in the extraCerts field when sending messages.
+They can be used as the default CMP signer certificate chain to include.
Multiple filenames or URLs may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
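Review bot: "They can be used as the default CMP signer certificate chain to include" does not say under which condition this happens, so a reader cannot tell whether the -extracerts sources are always treated as the signer chain or only when no chain could be built otherwise; please state the condition explicitly (for example whether this applies only when chain building from the other configured certificates fails), since a user relying on this for what gets sent in extraCerts needs to know.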
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index 972cef9047..246c302685 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -48,6 +48,7 @@ OSSL_CMP_CTX_set1_oldCert,
OSSL_CMP_CTX_set1_p10CSR,
OSSL_CMP_CTX_push0_genm_ITAV,
OSSL_CMP_certConf_cb_t,
+OSSL_CMP_certConf_cb,
OSSL_CMP_CTX_set_certConf_cb,
OSSL_CMP_CTX_set_certConf_cb_arg,
OSSL_CMP_CTX_get_certConf_cb_arg,
@@ -137,6 +138,8 @@ OSSL_CMP_CTX_set1_senderNonce
/* certificate confirmation: */
typedef int (*OSSL_CMP_certConf_cb_t)(OSSL_CMP_CTX *ctx, X509 *cert,
int fail_info, const char **txt);
+ int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
+ const char **text);
int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb);
int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx);
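Review bot: the added prototype names its last parameter "text" while the OSSL_CMP_certConf_cb_t typedef two lines above names the same parameter "txt"; since OSSL_CMP_certConf_cb() is documented as an instance of that callback type, use one name in both declarations so the synopsis reads consistently.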
@@ -430,7 +433,7 @@ list of untrusted certs, which may be empty if unset.
OSSL_CMP_CTX_set1_cert() sets the certificate used for CMP message protection.
The public key of this B<cert> must correspond to
-the private key set via B<OSSL_CMP_CTX_set1_pkey()>.
+the private key set before or thereafter via B<OSSL_CMP_CTX_set1_pkey()>.
When using signature-based protection of CMP request messages
this "protection certificate" will be included first in the extraCerts field.
The subject of this B<cert> will be used as the sender field of outgoing
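Review bot: "set before or thereafter via" is awkward; "set before or after this call via B<OSSL_CMP_CTX_set1_pkey()>" says the same thing more plainly, and it would help to add that the correspondence is only checked at the point where both are present (if that is the behaviour), so callers know a mismatch is not reported by OSSL_CMP_CTX_set1_cert() itself.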
@@ -552,6 +555,16 @@ OSSL_CMP_CTX_set1_p10CSR() sets the PKCS#10 CSR to be used in P10CR.
OSSL_CMP_CTX_push0_genm_ITAV() adds B<itav> to the stack in the B<ctx> which
will be the body of a General Message sent with this context.
+OSSL_CMP_certConf_cb() is the default certificate confirmation callback function.
+If the callback argument is not NULL it must point to a trust store.
+In this case the function checks that the newly enrolled certificate can be
+verified using this trust store and untrusted certificates from the B<ctx>,
+which have been augmented by the list of extraCerts received.
+If the callback argument is NULL the function tries building an approximate
+chain as far as possible using the same untrusted certificates from the B<ctx>,
+and if this fails it takes the received extraCerts as fallback.
+The resulting cert chain can be retrieved using OSSL_CMP_CTX_get1_newChain().
+
OSSL_CMP_CTX_set_certConf_cb() sets the callback used for evaluating the newly
enrolled certificate before the library sends, depending on its result,
a positive or negative certConf message to the server. The callback has type
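Review bot: the new OSSL_CMP_certConf_cb() paragraph should state the concrete type the non-NULL callback argument must point to, because OSSL_CMP_CTX_set_certConf_cb_arg() takes a void pointer and passing the wrong object cannot be caught at compile time. It should also say explicitly that in the NULL-argument case the newly enrolled certificate is not verified at all (an "approximate chain ... as far as possible" with the received extraCerts as fallback is chain assembly, not validation), so that a caller who installs no trust store understands that a positive certConf will be sent without the certificate having been checked, and should pass a trust store if that matters to them.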
@@ -644,6 +657,10 @@ OSSL_CMP_CTX_get_status(), and
OSSL_CMP_CTX_get_failInfoCode()
return the intended value as described above or -1 on error.
+OSSL_CMP_certConf_cb() returns B<fail_info> if it is not equal to B<0>,
+else B<0> on successful validation,
+or else a bit field with the B<OSSL_CMP_PKIFAILUREINFO_incorrectData> bit set.
+
All other functions return 1 on success, 0 on error.
=head1 EXAMPLES
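Review bot: "else B<0> on successful validation" does not cover the NULL-argument mode documented above, where no validation against a trust store takes place; say what is returned in that mode (presumably B<0> once a chain or the extraCerts fallback has been taken, but the text should confirm this) so that callers do not read a B<0> return as meaning the certificate was verified.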
diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod
index 098b60ae61..55fa73f563 100644
--- a/doc/man3/OSSL_CMP_exec_certreq.pod
+++ b/doc/man3/OSSL_CMP_exec_certreq.pod
@@ -13,8 +13,7 @@ OSSL_CMP_P10CR,
OSSL_CMP_KUR,
OSSL_CMP_try_certreq,
OSSL_CMP_exec_RR_ses,
-OSSL_CMP_exec_GENM_ses,
-OSSL_CMP_certConf_cb
+OSSL_CMP_exec_GENM_ses
- functions implementing CMP client transactions
=head1 SYNOPSIS
@@ -33,8 +32,6 @@ OSSL_CMP_certConf_cb
#define OSSL_CMP_KUR
int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
const OSSL_CRMF_MSG *crm, int *checkAfter);
- int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
- const char **text);
X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx);
@@ -101,12 +98,6 @@ If the caller decides to abort the pending certificate request and provides
a negative value as the B<req_type> argument then OSSL_CMP_try_certreq()
aborts the CMP transaction by sending an error message to the server.
-OSSL_CMP_certConf_cb() is a basic certificate confirmation callback validating
-that the new certificate can be verified with the trusted/untrusted certificates
-in B<ctx>.
-As there is no requirement in RFC 4210 that the certificate can be
-validated by the client, this callback is not set by default in the context.
-
OSSL_CMP_exec_RR_ses() requests the revocation of the certificate
specified in the B<ctx> using L<OSSL_CMP_CTX_set1_oldCert(3)>.
RFC 4210 is vague in which PKIStatus should be returned by the server.
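Review bot: the removed paragraph carried the rationale "there is no requirement in RFC 4210 that the certificate can be validated by the client"; with the callback now installed by default, that sentence is still the only explanation of why OSSL_CMP_certConf_cb() has a NULL-argument mode that does not verify the certificate, so it should be moved into the new description in OSSL_CMP_CTX_new.pod rather than dropped.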
@@ -146,10 +137,6 @@ In the latter case L<OSSL_CMP_CTX_get0_newCert(3)> yields NULL
and the output parameter B<checkAfter> has been used to
assign the received value unless B<checkAfter> is NULL.
-OSSL_CMP_certConf_cb() returns B<fail_info> if it is not equal to B<0>,
-else B<0> on successful validation,
-or else a bit field with the B<OSSL_CMP_PKIFAILUREINFO_incorrectData> bit set.
-
OSSL_CMP_exec_RR_ses() returns the
pointer to the revoked certificate on success, B<NULL> on error.
This pointer will be freed implicitly by OSSL_CMP_CTX_free().