[openssl] master update
beldmit at gmail.com
beldmit at gmail.com
Wed Feb 17 16:14:58 UTC 2021
The branch master has been updated
via b51bed05c2ab54a1933b5c18862e68cd4540278c (commit)
via d44a8a16c8a2851af7f70575ff3dd23cc06f30e1 (commit)
from fe75766c9c2919f649df7b3ad209df2bc5e56dd0 (commit)
- Log -----------------------------------------------------------------
commit b51bed05c2ab54a1933b5c18862e68cd4540278c
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Sun Feb 14 20:25:42 2021 +0100
apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR
Also improve the documentation of how the -reqexts option affects the CSR given with the -csr option.
Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14181)
commit d44a8a16c8a2851af7f70575ff3dd23cc06f30e1
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Sun Feb 14 20:12:38 2021 +0100
apps/ca.c: Make sure ext_ctx structure gets initialized
Fixes #14175
Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14181)
-----------------------------------------------------------------------
Summary of changes:
apps/ca.c | 11 +++++----
apps/cmp.c | 54 +++++++++++++++++++++++----------------------
doc/man1/openssl-cmp.pod.in | 2 ++
3 files changed, 37 insertions(+), 30 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index 29f62f86f2..dbb4d15eb8 100755
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -863,6 +863,7 @@ end_of_options:
if (extensions != NULL) {
/* Check syntax of config file section */
X509V3_CTX ctx;
+
X509V3_set_ctx_test(&ctx);
X509V3_set_nconf(&ctx, conf);
if (!X509V3_EXT_add_nconf(conf, &ctx, extensions, NULL)) {
@@ -1141,6 +1142,7 @@ end_of_options:
if (crl_ext != NULL) {
/* Check syntax of file */
X509V3_CTX ctx;
+
X509V3_set_ctx_test(&ctx);
X509V3_set_nconf(&ctx, conf);
if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) {
@@ -1230,6 +1232,7 @@ end_of_options:
if (crl_ext != NULL || crlnumberfile != NULL) {
X509V3_CTX crlctx;
+
X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
X509V3_set_nconf(&crlctx, conf);
@@ -1697,12 +1700,12 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
if (!i)
goto end;
+ /* Initialize the context structure */
+ X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509,
+ ret, req, NULL, X509V3_CTX_REPLACE);
+
/* Lets add the extensions, if there are any */
if (ext_sect) {
- /* Initialize the context structure */
- X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509,
- ret, req, NULL, X509V3_CTX_REPLACE);
-
if (extfile_conf != NULL) {
if (verbose)
BIO_printf(bio_err, "Extra configuration file found\n");
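Review bot: The hoisted X509V3_set_ctx call now runs even when ext_sect is NULL, but the comment it carries, `/* Initialize the context structure */`, does not say why it left the `if (ext_sect)` branch, so a later cleanup could move it back and reintroduce the uninitialized ext_ctx this commit fixes. Suggest replacing the comment with `/* Always initialize ext_ctx: it is used below even when no extension section is configured (see #14175) */`, where "used below" is inferred from the commit message rather than from lines in this hunk. do_body starts and ends outside the hunk, so the later uses of ext_ctx are not visible here.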
diff --git a/apps/cmp.c b/apps/cmp.c
index 1dbd1f7339..887ec5d22e 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1601,6 +1601,10 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
*/
static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{
+ X509_REQ *csr = NULL;
+ X509_EXTENSIONS *exts = NULL;
+ X509V3_CTX ext_ctx;
+
if (opt_subject == NULL
&& opt_csr == NULL && opt_oldcert == NULL && opt_cert == NULL
&& opt_cmd != CMP_RR && opt_cmd != CMP_GENM)
@@ -1648,30 +1652,41 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
return 0;
}
+ if (opt_csr != NULL) {
+ if (opt_cmd == CMP_GENM) {
+ CMP_warn("-csr option is ignored for genm command");
+ } else {
+ csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr");
+ if (csr == NULL)
+ return 0;
+ if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) {
+ X509_REQ_free(csr);
+ goto oom;
+ }
+ }
+ }
if (opt_reqexts != NULL || opt_policies != NULL) {
- X509V3_CTX ext_ctx;
- X509_EXTENSIONS *exts = sk_X509_EXTENSION_new_null();
-
- if (exts == NULL)
- return 0;
- X509V3_set_ctx(&ext_ctx, NULL, NULL, NULL, NULL, 0);
+ if ((exts = sk_X509_EXTENSION_new_null()) == NULL)
+ goto exts_err;
+ X509V3_set_ctx(&ext_ctx, NULL, NULL, csr, NULL, X509V3_CTX_REPLACE);
X509V3_set_nconf(&ext_ctx, conf);
if (opt_reqexts != NULL
&& !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_reqexts, &exts)) {
CMP_err1("cannot load certificate request extension section '%s'",
opt_reqexts);
- sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
- return 0;
+ goto exts_err;
}
if (opt_policies != NULL
&& !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_policies, &exts)) {
CMP_err1("cannot load policy cert request extension section '%s'",
opt_policies);
- sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
- return 0;
+ goto exts_err;
}
OSSL_CMP_CTX_set0_reqExtensions(ctx, exts);
+ exts = NULL;
}
+ X509_REQ_free(csr);
+ csr = NULL;
if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) && opt_sans != NULL) {
CMP_err("cannot have Subject Alternative Names both via -reqexts and via -sans");
return 0;
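Review bot: The OSSL_CMP_CTX_set1_p10CSR failure path now frees csr twice: `X509_REQ_free(csr); goto oom;` releases it, and the oom label falls through into the new exts_err label (last hunk of this file), which calls `X509_REQ_free(csr)` again on the dangling pointer because csr is not reset to NULL. Since exts_err is precisely the shared cleanup for csr and exts, the explicit free should be dropped so the branch reads `if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr))` / `goto oom;`. The same reasoning applies to any other `goto oom` or early `return 0` that sits between the CSR load and the `X509_REQ_free(csr); csr = NULL;` pair; setup_request_ctx continues outside this hunk, so those paths are not all visible here.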
@@ -1720,22 +1735,6 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (opt_popo >= OSSL_CRMF_POPO_NONE)
(void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_POPO_METHOD, opt_popo);
- if (opt_csr != NULL) {
- if (opt_cmd == CMP_GENM) {
- CMP_warn("-csr option is ignored for genm command");
- } else {
- X509_REQ *csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr");
-
- if (csr == NULL)
- return 0;
- if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) {
- X509_REQ_free(csr);
- goto oom;
- }
- X509_REQ_free(csr);
- }
- }
-
if (opt_oldcert != NULL) {
if (opt_cmd == CMP_GENM) {
CMP_warn("-oldcert option is ignored for genm command");
@@ -1762,6 +1761,9 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
oom:
CMP_err("out of memory");
+ exts_err:
+ sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+ X509_REQ_free(csr);
return 0;
}
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 3f2b742a36..9800de6465 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -298,6 +298,8 @@ validity period starts from the current time (as seen by the host).
=item B<-reqexts> I<name>
Name of section in OpenSSL config file defining certificate request extensions.
+If the B<-csr> option is present, these extensions augment the extensions
+contained the given PKCS#10 CSR, overriding any extensions with same OIDs.
=item B<-sans> I<spec>