[openssl] master update
dev at ddvo.net
dev at ddvo.net
Fri Sep 11 10:20:36 UTC 2020
The branch master has been updated
via 5ea4c6e553c1f4feb76f70a896a6a8ac912233c4 (commit)
via 1cd77e2eca30bd638b58176f3be43886a93b7482 (commit)
via 4d2b2889da8a3e343762cdd72f669ec4bcd353a5 (commit)
via 62261446b21be4dcdc75af81e07253b803ae57f9 (commit)
via 7a7d6b514fb2c95570896e512e165a38c9ecac46 (commit)
via ef2d3588e8d4dea8910ab1f7dfec768403efb265 (commit)
from 82bdd6419361136e7be533d31a990ba0476fced3 (commit)
- Log -----------------------------------------------------------------
commit 5ea4c6e553c1f4feb76f70a896a6a8ac912233c4
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed Sep 9 10:15:45 2020 +0200
apps/cmp.c: Improve example given for -geninfo option (also in man page)
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
commit 1cd77e2eca30bd638b58176f3be43886a93b7482
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Mon Aug 10 17:36:41 2020 +0200
OSSL_CMP_CTX_new.pod: improve doc of OSSL_CMP_CTX_get1_{extraCertsIn,caPubs}
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
commit 4d2b2889da8a3e343762cdd72f669ec4bcd353a5
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Tue Aug 11 07:57:57 2020 +0200
openssl-cmp.pod.in: Update Insta Demo CA port number in case needed
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
commit 62261446b21be4dcdc75af81e07253b803ae57f9
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Aug 28 15:03:11 2020 +0200
apps/cmp.c: Improve user guidance on missing -subject etc. options
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
commit 7a7d6b514fb2c95570896e512e165a38c9ecac46
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Aug 28 14:55:38 2020 +0200
apps/cmp.c: Improve documentation of -extracerts, -untrusted, and -otherpass
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
commit ef2d3588e8d4dea8910ab1f7dfec768403efb265
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Aug 28 13:28:24 2020 +0200
apps/cmp.c: Improve documentation of -secret, -cert, and -key options
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
-----------------------------------------------------------------------
Summary of changes:
apps/cmp.c | 27 ++++++++++++++++-----------
doc/man1/openssl-cmp.pod.in | 35 ++++++++++++++++++++++-------------
doc/man3/OSSL_CMP_CTX_new.pod | 5 +++--
3 files changed, 41 insertions(+), 26 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 003c75517d..db0d418bd4 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -269,7 +269,7 @@ const OPTIONS cmp_options[] = {
{"geninfo", OPT_GENINFO, 's',
"generalInfo integer values to place in request PKIHeader with given OID"},
{OPT_MORE_STR, 0, 0,
- "specified in the form <OID>:int:<n>, e.g. \"1.2.3:int:987\""},
+ "specified in the form <OID>:int:<n>, e.g. \"1.2.3.4:int:56789\""},
OPT_SECTION("Certificate enrollment"),
{"newkey", OPT_NEWKEY, 's',
@@ -378,14 +378,16 @@ const OPTIONS cmp_options[] = {
{"ref", OPT_REF, 's',
"Reference value to use as senderKID in case no -cert is given"},
{"secret", OPT_SECRET, 's',
- "Password source for client authentication with a pre-shared key (secret)"},
+ "Prefer PBM (over signatures) for protecting msgs with given password source"},
{"cert", OPT_CERT, 's',
- "Client's current certificate (needed unless using -secret for PBM);"},
+ "Client's CMP signer certificate; its public key must match the -key argument"},
{OPT_MORE_STR, 0, 0,
- "any further certs included are appended in extraCerts field"},
+ "This also used as default reference for subject DN and SANs."},
+ {OPT_MORE_STR, 0, 0,
+ "Any further certs included are appended to the untrusted certs"},
{"own_trusted", OPT_OWN_TRUSTED, 's',
"Optional certs to verify chain building for own CMP signer cert"},
- {"key", OPT_KEY, 's', "Private key for the client's current certificate"},
+ {"key", OPT_KEY, 's', "CMP signer private key, not used when -secret given"},
{"keypass", OPT_KEYPASS, 's',
"Client private key (and cert and old cert file) pass phrase source"},
{"digest", OPT_DIGEST, 's',
@@ -393,7 +395,9 @@ const OPTIONS cmp_options[] = {
{"mac", OPT_MAC, 's',
"MAC algorithm to use in PBM-based message protection. Default \"hmac-sha1\""},
{"extracerts", OPT_EXTRACERTS, 's',
- "Certificates to append in extraCerts field of outgoing messages"},
+ "Certificates to append in extraCerts field of outgoing messages."},
+ {OPT_MORE_STR, 0, 0,
+ "This can be used as the default CMP signer cert chain to include"},
{"unprotected_requests", OPT_UNPROTECTED_REQUESTS, '-',
"Send messages without CMP-level protection"},
@@ -1479,8 +1483,8 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
*/
static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{
- if (!opt_unprotected_requests && opt_secret == NULL && opt_cert == NULL) {
- CMP_err("must give client credentials unless -unprotected_requests is set");
+ if (!opt_unprotected_requests && opt_secret == NULL && opt_key == NULL) {
+ CMP_err("must give -key or -secret unless -unprotected_requests is used");
return 0;
}
@@ -1507,7 +1511,7 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
return 0;
}
if (opt_cert != NULL || opt_key != NULL)
- CMP_warn("no signature-based protection used since -secret is given");
+ CMP_warn("-cert and -key not used for protection since -secret is given");
}
if (opt_ref != NULL
&& !OSSL_CMP_CTX_set1_referenceValue(ctx, (unsigned char *)opt_ref,
@@ -1597,7 +1601,8 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
*/
static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{
- if (opt_subject == NULL && opt_oldcert == NULL && opt_cert == NULL)
+ if (opt_subject == NULL && opt_oldcert == NULL && opt_cert == NULL
+ && opt_cmd != CMP_RR && opt_cmd != CMP_GENM)
CMP_warn("no -subject given, neither -oldcert nor -cert available as default");
if (!set_name(opt_subject, OSSL_CMP_CTX_set1_subjectName, ctx, "subject")
|| !set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer"))
@@ -2950,5 +2955,5 @@ int cmp_main(int argc, char **argv)
NCONF_free(conf); /* must not do as long as opt_... variables are used */
OSSL_CMP_log_close();
- return ret == 0 ? EXIT_FAILURE : EXIT_SUCCESS;
+ return ret == 0 ? EXIT_FAILURE : EXIT_SUCCESS; /* ret == -1 for -help */
}
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 44f71b8358..71902ab7da 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -235,7 +235,7 @@ e.g., C<signKeyPairTypes>.
=item B<-geninfo> I<OID:int:N>
generalInfo integer values to place in request PKIHeader with given OID,
-e.g., C<1.2.3:int:987>.
+e.g., C<1.2.3.4:int:56789>.
=back
@@ -499,11 +499,14 @@ Each source may contain multiple certificates.
=item B<-untrusted> I<sources>
-Non-trusted intermediate CA certificate(s) that may be useful for cert path
-construction for the CMP client certificate (to include in the extraCerts field
-of outgoing messages), for the TLS client certificate (if TLS is enabled),
+Non-trusted intermediate CA certificate(s).
+Any extra certificates given with the B<-cert> option are appended to it.
+All these certificates may be useful for cert path construction
+for the CMP client certificate (to include in the extraCerts field of outgoing
+messages) and for the TLS client certificate (if TLS is enabled)
+as well as for chain building
when verifying the CMP server certificate (checking signature-based
-CMP message protection), and when verifying newly enrolled certificates.
+CMP message protection) and when verifying newly enrolled certificates.
Multiple filenames may be given, separated by commas and/or whitespace.
Each file may contain multiple certificates.
@@ -610,10 +613,11 @@ is typically used when authenticating with pre-shared key (password-based MAC).
=item B<-secret> I<arg>
-Source of secret value to use for creating PBM-based protection of outgoing
-messages and for verifying any PBM-based protection of incoming messages.
+Prefer PBM-based message protection with given source of a secret value.
+The secret is used for creating PBM-based protection of outgoing messages
+and (as far as needed) for verifying PBM-based protection of incoming messages.
PBM stands for Password-Based Message Authentication Code.
-This takes precedence over the B<-cert> option.
+This takes precedence over the B<-cert> and B<-key> options.
For more information about the format of B<arg> see the
B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
@@ -624,13 +628,17 @@ The client's current CMP signer certificate.
Requires the corresponding key to be given with B<-key>.
The subject of this certificate will be used as sender of outgoing CMP messages,
while the subject of B<-oldcert> or B<-subjectName> may provide fallback values.
+The issuer of this certificate is used as one of the recipient fallback values.
When using signature-based message protection, this "protection certificate"
-will be included first in the extraCerts field of outgoing messages.
+will be included first in the extraCerts field of outgoing messages
+and the signature is done with the corresponding key.
In Initialization Request (IR) messages this can be used for authenticating
using an external entity certificate as defined in appendix E.7 of RFC 4210.
For Key Update Request (KUR) messages this is also used as
the certificate to be updated if the B<-oldcert> option is not given.
-If the file includes further certs, they are appended to the untrusted certs.
+If the file includes further certs, they are appended to the untrusted certs
+because they typically constitute the chain of the client certificate, which
+is included in the extraCerts field in signature-protected request messages.
=item B<-own_trusted> I<filenames>
@@ -708,8 +716,9 @@ The only value with effect is B<ENGINE>.
=item B<-otherpass> I<arg>
Pass phrase source for certificate given with the B<-trusted>, B<-untrusted>,
-B<-own_trusted>,
-B<-out_trusted>, B<-extracerts>, B<-tls_extra>, or B<-tls_trusted> options.
+B<-own_trusted>, B<-srvcert>, B<-out_trusted>, B<-extracerts>,
+B<-srv_trusted>, B<-srv_untrusted>, B<-rsp_extracerts>, B<-rsp_capubs>,
+B<-tls_extra>, and B<-tls_trusted> options.
If not given here, the password will be prompted for if needed.
For more information about the format of B<arg> see the
@@ -1018,7 +1027,7 @@ to issue the following shell commands.
cd /path/to/openssl
export OPENSSL_CONF=openssl.cnf
=begin comment
- wget 'http://pki.certificate.fi:8080/install-ca-cert.html/ca-certificate.crt\
+ wget 'http://pki.certificate.fi:8081/install-ca-cert.html/ca-certificate.crt\
?ca-id=632&download-certificate=1' -O insta.ca.crt
=end comment
openssl genrsa -out insta.priv.pem
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index d581556ff1..3d9860114b 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -618,8 +618,9 @@ X.509 certificates computed by OSSL_CMP_certConf_cb() (if this function has
been called) on the last received certificate response message IP/CP/KUP.
OSSL_CMP_CTX_get1_caPubs() returns a pointer to a duplicate of the list of
-X.509 certificates received in the caPubs field of last received certificate
-response message IP/CP/KUP.
+X.509 certificates in the caPubs field of the last received certificate
+response message (of type IP, CP, or KUP),
+or an empty stack if no caPubs have been received in the current transaction.
OSSL_CMP_CTX_get1_extraCertsIn() returns a pointer to a duplicate of the list
of X.509 certificates contained in the extraCerts field of the last received
More information about the openssl-commits
mailing list