| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-08-28 12:11:31 +0200 |
|---|---|---|
| committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-10 07:07:55 +0200 |
| commit | a0745e2be6635ffdf286ba5bc3bd867c8d4152a9 | |
| tree | 00d93474fb208fba1ce021a5a82d1effb933535b /doc | |
| parent | Fix markdown nits in NOTES-Windows.txt | |
Clean up CMP chain building for CMP signer, TLS client, and newly enrolled certs
* Use strengthened cert chain building, verifying chain using optional trust store
while making sure that no certificate status (e.g., CRL) checks are done
* Use OSSL_CMP_certConf_cb() by default and move its doc to OSSL_CMP_CTX_new.pod
* Simplify certificate and cert store loading in apps/cmp.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12741)
Diffstat (limited to 'doc')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/internal/man3/ossl_cmp_msg_protect.pod | 2 |
| -rw-r--r-- | doc/man1/openssl-cmp.pod.in | 1 |
| -rw-r--r-- | doc/man3/OSSL_CMP_CTX_new.pod | 19 |
| -rw-r--r-- | doc/man3/OSSL_CMP_exec_certreq.pod | 15 |

4 files changed, 21 insertions, 16 deletions
diff --git a/doc/internal/man3/ossl_cmp_msg_protect.pod b/doc/internal/man3/ossl_cmp_msg_protect.pod index 39f5146530..0a6b70fe9d 100644 --- a/doc/internal/man3/ossl_cmp_msg_protect.pod +++ b/doc/internal/man3/ossl_cmp_msg_protect.pod @@ -46,7 +46,7 @@ It also sets the protectionAlg field in the message header accordingly. ossl_cmp_msg_add_extraCerts() adds elements to the extraCerts field in I<msg>. If signature-based message protection is used it adds first the CMP signer cert ctx->cert and then its chain ctx->chain. If this chain is not present in I<ctx> -tries to build it using ctx->untrusted_certs and caches the result in ctx->chain. +tries to build it using ctx->untrusted and caches the result in ctx->chain. In any case all the certificates explicitly specified to be sent out (i.e., I<ctx->extraCertsOut>) are added. Note that it will NOT add the root certificate of the chain, i.e, the trust anchor (unless it is part of extraCertsOut). diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 623e3f7dee..75ee82211d 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -681,6 +681,7 @@ Defaults to C<hmac-sha1> as per RFC 4210. =item B<-extracerts> I<sources> Certificates to append in the extraCerts field when sending messages. +They can be used as the default CMP signer certificate chain to include. Multiple filenames or URLs may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index 972cef9047..246c302685 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -48,6 +48,7 @@ OSSL_CMP_CTX_set1_oldCert, OSSL_CMP_CTX_set1_p10CSR, OSSL_CMP_CTX_push0_genm_ITAV, OSSL_CMP_certConf_cb_t, +OSSL_CMP_certConf_cb, OSSL_CMP_CTX_set_certConf_cb, OSSL_CMP_CTX_set_certConf_cb_arg, OSSL_CMP_CTX_get_certConf_cb_arg, 
@@ -137,6 +138,8 @@ OSSL_CMP_CTX_set1_senderNonce /* certificate confirmation: */ typedef int (*OSSL_CMP_certConf_cb_t)(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, const char **txt); + int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, + const char **text); int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb); int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg); void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx); @@ -430,7 +433,7 @@ list of untrusted certs, which may be empty if unset. OSSL_CMP_CTX_set1_cert() sets the certificate used for CMP message protection. The public key of this B<cert> must correspond to -the private key set via B<OSSL_CMP_CTX_set1_pkey()>. +the private key set before or thereafter via B<OSSL_CMP_CTX_set1_pkey()>. When using signature-based protection of CMP request messages this "protection certificate" will be included first in the extraCerts field. The subject of this B<cert> will be used as the sender field of outgoing 
@@ -552,6 +555,16 @@ OSSL_CMP_CTX_set1_p10CSR() sets the PKCS#10 CSR to be used in P10CR. OSSL_CMP_CTX_push0_genm_ITAV() adds B<itav> to the stack in the B<ctx> which will be the body of a General Message sent with this context. +OSSL_CMP_certConf_cb() is the default certificate confirmation callback function. +If the callback argument is not NULL it must point to a trust store. +In this case the function checks that the newly enrolled certificate can be +verified using this trust store and untrusted certificates from the B<ctx>, +which have been augmented by the list of extraCerts received. +If the callback argument is NULL the function tries building an approximate +chain as far as possible using the same untrusted certificates from the B<ctx>, +and if this fails it takes the received extraCerts as fallback. +The resulting cert chain can be retrieved using OSSL_CMP_CTX_get1_newChain(). + OSSL_CMP_CTX_set_certConf_cb() sets the callback used for evaluating the newly enrolled certificate before the library sends, depending on its result, a positive or negative certConf message to the server. The callback has type @@ -644,6 +657,10 @@ OSSL_CMP_CTX_get_status(), and OSSL_CMP_CTX_get_failInfoCode() return the intended value as described above or -1 on error. +OSSL_CMP_certConf_cb() returns B<fail_info> if it is not equal to B<0>, +else B<0> on successful validation, +or else a bit field with the B<OSSL_CMP_PKIFAILUREINFO_incorrectData> bit set. + All other functions return 1 on success, 0 on error. =head1 EXAMPLES diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod index 098b60ae61..55fa73f563 100644 --- a/doc/man3/OSSL_CMP_exec_certreq.pod +++ b/doc/man3/OSSL_CMP_exec_certreq.pod @@ -13,8 +13,7 @@ OSSL_CMP_P10CR, OSSL_CMP_KUR, OSSL_CMP_try_certreq, OSSL_CMP_exec_RR_ses, -OSSL_CMP_exec_GENM_ses, -OSSL_CMP_certConf_cb +OSSL_CMP_exec_GENM_ses - functions implementing CMP client transactions =head1 SYNOPSIS 
@@ -33,8 +32,6 @@ OSSL_CMP_certConf_cb #define OSSL_CMP_KUR int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, const OSSL_CRMF_MSG *crm, int *checkAfter); - int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, - const char **text); X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx); STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx); @@ -101,12 +98,6 @@ If the caller decides to abort the pending certificate request and provides a negative value as the B<req_type> argument then OSSL_CMP_try_certreq() aborts the CMP transaction by sending an error message to the server. -OSSL_CMP_certConf_cb() is a basic certificate confirmation callback validating -that the new certificate can be verified with the trusted/untrusted certificates -in B<ctx>. -As there is no requirement in RFC 4210 that the certificate can be -validated by the client, this callback is not set by default in the context. - OSSL_CMP_exec_RR_ses() requests the revocation of the certificate specified in the B<ctx> using L<OSSL_CMP_CTX_set1_oldCert(3)>. RFC 4210 is vague in which PKIStatus should be returned by the server. @@ -146,10 +137,6 @@ In the latter case L<OSSL_CMP_CTX_get0_newCert(3)> yields NULL and the output parameter B<checkAfter> has been used to assign the received value unless B<checkAfter> is NULL. -OSSL_CMP_certConf_cb() returns B<fail_info> if it is not equal to B<0>, -else B<0> on successful validation, -or else a bit field with the B<OSSL_CMP_PKIFAILUREINFO_incorrectData> bit set. - OSSL_CMP_exec_RR_ses() returns the pointer to the revoked certificate on success, B<NULL> on error. This pointer will be freed implicitly by OSSL_CMP_CTX_free(). |
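Review bot: In the ossl_cmp_msg_protect.pod hunk, the sentence that the changed line completes still has no subject: "If this chain is not present in I<ctx> tries to build it using ctx->untrusted" reads as a fragment. Since the line is already being touched for the untrusted_certs to untrusted rename, make it "If this chain is not present in I<ctx>, it tries to build it using ctx->untrusted and caches the result in ctx->chain."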
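Review bot: In the openssl-cmp.pod.in hunk, the added sentence "They can be used as the default CMP signer certificate chain to include." leaves open when the extra certificates actually serve as the signer chain. The internal doc changed in the same patch says the chain is built from ctx->untrusted when none is present, so state the condition here (whether the extracerts become the chain only when no chain can be built, or are always appended in addition) and replace "can be used" with a definite statement once that condition is spelled out.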
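Review bot: In the OSSL_CMP_CTX_new.pod synopsis hunk (@@ -137,6 +138,8 @@), the new prototype names its last parameter "const char **text" while the OSSL_CMP_certConf_cb_t typedef immediately above it uses "const char **txt". OSSL_CMP_certConf_cb() is meant to be an instance of that callback type, so use the same parameter name in both declarations so readers can match them.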
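Review bot: In the OSSL_CMP_CTX_set1_cert() hunk (@@ -430,7 +433,7 @@), "the private key set before or thereafter via B<OSSL_CMP_CTX_set1_pkey()>" is awkward. If the intent is that the order of the two calls does not matter, say so directly, e.g. "the private key set via B<OSSL_CMP_CTX_set1_pkey()>, which may be called before or after this function."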
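Review bot: In the OSSL_CMP_certConf_cb() description hunk (@@ -552,6 +555,16 @@), the NULL-argument case does not say what the outcome is when building the approximate chain fails: "takes the received extraCerts as fallback" suggests the certificate is then accepted without any verification, but this is never stated, and the type the non-NULL argument must have is only described as "a trust store". Suggest stating both explicitly, e.g. "If the callback argument is NULL, the newly enrolled certificate is not validated" if that is the behaviour, so that callers know that installing the default callback without a trust store does not validate the enrolled certificate.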
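Review bot: In the RETURN VALUES hunk of OSSL_CMP_CTX_new.pod (@@ -644,6 +657,10 @@), "returns B<fail_info> if it is not equal to B<0>" implies that a nonzero B<fail_info> short-circuits the callback and no chain validation is done at all; the description paragraph added earlier in the same file does not mention this. Add a sentence there, and make clear in this paragraph whether the B<OSSL_CMP_PKIFAILUREINFO_incorrectData> outcome can occur at all when the callback argument is NULL.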
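Review bot: In the OSSL_CMP_exec_certreq.pod hunk (@@ -101,12 +98,6 @@), the removed paragraph carried the rationale that RFC 4210 does not require the client to be able to validate the new certificate, which is why the callback was previously not set by default. The replacement text in OSSL_CMP_CTX_new.pod says it is now the default but not how a caller that cannot or does not want to validate the new certificate opts out. Suggest keeping the RFC 4210 remark in the new description and adding how to disable or replace the default callback via OSSL_CMP_CTX_set_certConf_cb().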