[openssl] master update
dev at ddvo.net
dev at ddvo.net
Thu Jan 21 16:54:03 UTC 2021
The branch master has been updated
via 3d46c81a7d6219fd51ccc3b16406f19b82d0176e (commit)
via 2039ac07b401932fa30a05ade80b3626e189d78a (commit)
via 6b63b7b61e50eadee6b274f7c0d1abd2e3fca3af (commit)
via 92d619450ad70a81252028d1daa0b8f2efb51a1d (commit)
from adcaebc3148fe0fde3f7641c4b607f30e1479986 (commit)
- Log -----------------------------------------------------------------
commit 3d46c81a7d6219fd51ccc3b16406f19b82d0176e
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Tue Jan 12 12:16:32 2021 +0100
CMP: Allow PKCS#10 input also for ir, cr, kur, and rr messages
Also update documentation regarding sources of certs and keys,
improve type of OSSL_CMP_exec_RR_ses(),
add tests for CSR-based cert revocation
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13841)
commit 2039ac07b401932fa30a05ade80b3626e189d78a
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Jan 8 08:27:17 2021 +0100
X509_REQ_get_extensions(): Return empty stack if no extensions found
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13841)
commit 6b63b7b61e50eadee6b274f7c0d1abd2e3fca3af
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Jan 8 07:43:56 2021 +0100
apps/cmp.c: Check self-signature on CSR input and warn on failure
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13841)
commit 92d619450ad70a81252028d1daa0b8f2efb51a1d
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Jan 8 07:30:51 2021 +0100
apps/cmp.c: Improve diagnostics on loading private vs. public key for cert request
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13841)
-----------------------------------------------------------------------
Summary of changes:
apps/cmp.c | 85 +++++++++++------
apps/cmp_mock_srv.c | 6 +-
crypto/cmp/cmp_client.c | 32 +++----
crypto/cmp/cmp_msg.c | 96 +++++++++++++------
crypto/cmp/cmp_server.c | 6 +-
crypto/x509/x509_req.c | 4 +-
doc/man1/openssl-cmp.pod.in | 105 +++++++++++----------
doc/man3/OSSL_CMP_exec_certreq.pod | 6 +-
include/openssl/cmp.h.in | 2 +-
test/cmp_client_test.c | 2 +-
.../recipes/81-test_cmp_cli_data/test_commands.csv | 4 +-
.../81-test_cmp_cli_data/test_enrollment.csv | 2 +-
12 files changed, 214 insertions(+), 136 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index b28b7431ce..a64ac9ae60 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -272,7 +272,7 @@ const OPTIONS cmp_options[] = {
{"subject", OPT_SUBJECT, 's',
"Distinguished Name (DN) of subject to use in the requested cert template"},
{OPT_MORE_STR, 0, 0,
- "For kur, default is the subject DN of the reference cert (see -oldcert);"},
+ "For kur, default is subject of -csr arg or else of reference cert (see -oldcert)"},
{OPT_MORE_STR, 0, 0,
"this default is used for ir and cr only if no Subject Alt Names are set"},
{"issuer", OPT_ISSUER, 's',
@@ -282,7 +282,9 @@ const OPTIONS cmp_options[] = {
{"days", OPT_DAYS, 'n',
"Requested validity time of the new certificate in number of days"},
{"reqexts", OPT_REQEXTS, 's',
- "Name of config file section defining certificate request extensions"},
+ "Name of config file section defining certificate request extensions."},
+ {OPT_MORE_STR, 0, 0,
+ "Augments or replaces any extensions contained CSR given with -csr"},
{"sans", OPT_SANS, 's',
"Subject Alt Names (IPADDR/DNS/URI) to add as (critical) cert req extension"},
{"san_nodefault", OPT_SAN_NODEFAULT, '-',
@@ -298,7 +300,7 @@ const OPTIONS cmp_options[] = {
{OPT_MORE_STR, 0, 0,
"-1 = NONE, 0 = RAVERIFIED, 1 = SIGNATURE (default), 2 = KEYENC"},
{"csr", OPT_CSR, 's',
- "PKCS#10 CSR file in PEM or DER format to use in p10cr for legacy support"},
+ "PKCS#10 CSR file in PEM or DER format to convert or to use in p10cr"},
{"out_trusted", OPT_OUT_TRUSTED, 's',
"Certificates to trust when verifying newly enrolled certificates"},
{"implicit_confirm", OPT_IMPLICIT_CONFIRM, '-',
@@ -383,7 +385,7 @@ const OPTIONS cmp_options[] = {
"Optional certs to verify chain building for own CMP signer cert"},
{"key", OPT_KEY, 's', "CMP signer private key, not used when -secret given"},
{"keypass", OPT_KEYPASS, 's',
- "Client private key (and cert and old cert file) pass phrase source"},
+ "Client private key (and cert and old cert) pass phrase source"},
{"digest", OPT_DIGEST, 's',
"Digest to use in message protection and POPO signatures. Default \"sha256\""},
{"mac", OPT_MAC, 's',
@@ -418,7 +420,7 @@ const OPTIONS cmp_options[] = {
{"tls_key", OPT_TLS_KEY, 's',
"Private key for the client's TLS certificate"},
{"tls_keypass", OPT_TLS_KEYPASS, 's',
- "Pass phrase source for the client's private TLS key (and TLS cert file)"},
+ "Pass phrase source for the client's private TLS key (and TLS cert)"},
{"tls_extra", OPT_TLS_EXTRA, 's',
"Extra certificates to provide to TLS server during TLS handshake"},
{"tls_trusted", OPT_TLS_TRUSTED, 's',
@@ -455,7 +457,7 @@ const OPTIONS cmp_options[] = {
{"srv_key", OPT_SRV_KEY, 's',
"Private key used by the server for signing messages"},
{"srv_keypass", OPT_SRV_KEYPASS, 's',
- "Server private key (and cert) file pass phrase source"},
+ "Server private key (and cert) pass phrase source"},
{"srv_trusted", OPT_SRV_TRUSTED, 's',
"Trusted certificates for client authentication"},
@@ -673,6 +675,14 @@ static X509_REQ *load_csr_autofmt(const char *infile, const char *desc)
ERR_print_errors(bio_err);
BIO_printf(bio_err, "error: unable to load %s from file '%s'\n", desc,
infile);
+ } else {
+ EVP_PKEY *pkey = X509_REQ_get0_pubkey(csr);
+ int ret = do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */);
+
+ if (pkey == NULL || ret < 0)
+ CMP_warn("error while verifying CSR self-signature");
+ else if (ret == 0)
+ CMP_warn("CSR self-signature does not match the contents");
}
return csr;
}
@@ -1591,9 +1601,10 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
*/
static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{
- if (opt_subject == NULL && opt_oldcert == NULL && opt_cert == NULL
+ if (opt_subject == NULL
+ && opt_csr == NULL && opt_oldcert == NULL && opt_cert == NULL
&& opt_cmd != CMP_RR && opt_cmd != CMP_GENM)
- CMP_warn("no -subject given, neither -oldcert nor -cert available as default");
+ CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback");
if (!set_name(opt_subject, OSSL_CMP_CTX_set1_subjectName, ctx, "subject")
|| !set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer"))
return 0;
@@ -1603,12 +1614,18 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
const int format = opt_keyform;
const char *pass = opt_newkeypass;
const char *desc = "new private key for cert to be enrolled";
- EVP_PKEY *pkey = load_key_pwd(file, format, pass, engine, desc);
+ EVP_PKEY *pkey;
int priv = 1;
+ BIO *bio_bak = bio_err;
+ bio_err = NULL; /* suppress diagnostics on first try loading key */
+ pkey = load_key_pwd(file, format, pass, engine, desc);
+ bio_err = bio_bak;
if (pkey == NULL) {
ERR_clear_error();
- desc = "fallback public key for cert to be enrolled";
+ desc = opt_csr == NULL
+ ? "fallback public key for cert to be enrolled"
+ : "public key for checking cert resulting from p10cr";
pkey = load_pubkey(file, format, 0, pass, engine, desc);
priv = 0;
}
@@ -1704,11 +1721,10 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
(void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_POPO_METHOD, opt_popo);
if (opt_csr != NULL) {
- if (opt_cmd != CMP_P10CR) {
- CMP_warn("-csr option is ignored for command other than p10cr");
+ if (opt_cmd == CMP_GENM) {
+ CMP_warn("-csr option is ignored for genm command");
} else {
- X509_REQ *csr =
- load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr");
+ X509_REQ *csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr");
if (csr == NULL)
return 0;
@@ -1721,17 +1737,21 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
}
if (opt_oldcert != NULL) {
- X509 *oldcert = load_cert_pwd(opt_oldcert, opt_keypass,
- "certificate to be updated/revoked");
- /* opt_keypass is needed if opt_oldcert is an encrypted PKCS#12 file */
+ if (opt_cmd == CMP_GENM) {
+ CMP_warn("-oldcert option is ignored for genm command");
+ } else {
+ X509 *oldcert = load_cert_pwd(opt_oldcert, opt_keypass,
+ "certificate to be updated/revoked");
+ /* opt_keypass needed if opt_oldcert is an encrypted PKCS#12 file */
- if (oldcert == NULL)
- return 0;
- if (!OSSL_CMP_CTX_set1_oldCert(ctx, oldcert)) {
+ if (oldcert == NULL)
+ return 0;
+ if (!OSSL_CMP_CTX_set1_oldCert(ctx, oldcert)) {
+ X509_free(oldcert);
+ goto oom;
+ }
X509_free(oldcert);
- goto oom;
}
- X509_free(oldcert);
}
cleanse(opt_keypass);
if (opt_revreason > CRL_REASON_NONE)
@@ -1869,17 +1889,21 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (opt_cmd == CMP_KUR) {
char *ref_cert = opt_oldcert != NULL ? opt_oldcert : opt_cert;
- if (ref_cert == NULL) {
- CMP_err("missing -oldcert option for certificate to be updated");
+ if (ref_cert == NULL && opt_csr == NULL) {
+ CMP_err("missing -oldcert or -csr option for certificate to be updated");
goto err;
}
if (opt_subject != NULL)
- CMP_warn2("-subject '%s' given, which overrides the subject of '%s' in KUR",
- opt_subject, ref_cert);
+ CMP_warn2("given -subject '%s' overrides the subject of '%s' for KUR",
+ opt_subject, ref_cert != NULL ? ref_cert : opt_csr);
}
- if (opt_cmd == CMP_RR && opt_oldcert == NULL) {
- CMP_err("missing certificate to be revoked");
- goto err;
+ if (opt_cmd == CMP_RR) {
+ if (opt_oldcert == NULL && opt_csr == NULL) {
+ CMP_err("missing certificate to be revoked and no fallback -csr given");
+ goto err;
+ }
+ if (opt_oldcert != NULL && opt_csr != NULL)
+ CMP_warn("Ignoring -csr since certificate to be revoked is given");
}
if (opt_cmd == CMP_P10CR && opt_csr == NULL) {
CMP_err("missing PKCS#10 CSR for p10cr");
@@ -2831,8 +2855,7 @@ int cmp_main(int argc, char **argv)
ret = 1;
break;
case CMP_RR:
- if (OSSL_CMP_exec_RR_ses(cmp_ctx) != NULL)
- ret = 1;
+ ret = OSSL_CMP_exec_RR_ses(cmp_ctx);
break;
case CMP_GENM:
{
diff --git a/apps/cmp_mock_srv.c b/apps/cmp_mock_srv.c
index 9acbcdf60a..16a4e41721 100644
--- a/apps/cmp_mock_srv.c
+++ b/apps/cmp_mock_srv.c
@@ -234,7 +234,7 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
- if (ctx == NULL || rr == NULL || issuer == NULL || serial == NULL) {
+ if (ctx == NULL || rr == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
@@ -243,6 +243,10 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
return NULL;
}
+ /* Allow any RR derived from CSR, which may include subject and serial */
+ if (issuer == NULL || serial == NULL)
+ return OSSL_CMP_PKISI_dup(ctx->statusOut);
+
/* accept revocation only for the certificate we sent in ir/cr/kur */
if (X509_NAME_cmp(issuer, X509_get_issuer_name(ctx->certOut)) != 0
|| ASN1_INTEGER_cmp(serial,
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index 9b01b772e3..a0b9443546 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -742,7 +742,7 @@ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
return result;
}
-X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
+int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
{
OSSL_CMP_MSG *rr = NULL;
OSSL_CMP_MSG *rp = NULL;
@@ -751,13 +751,13 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
OSSL_CMP_REVREPCONTENT *rrep = NULL;
OSSL_CMP_PKISI *si = NULL;
char buf[OSSL_CMP_PKISI_BUFLEN];
- X509 *result = NULL;
+ int ret = 0;
if (ctx == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
return 0;
}
- if (ctx->oldCert == NULL) {
+ if (ctx->oldCert == NULL && ctx->p10CSR == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
return 0;
}
@@ -790,24 +790,24 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
switch (ossl_cmp_pkisi_get_status(si)) {
case OSSL_CMP_PKISTATUS_accepted:
ossl_cmp_info(ctx, "revocation accepted (PKIStatus=accepted)");
- result = ctx->oldCert;
+ ret = 1;
break;
case OSSL_CMP_PKISTATUS_grantedWithMods:
ossl_cmp_info(ctx, "revocation accepted (PKIStatus=grantedWithMods)");
- result = ctx->oldCert;
+ ret = 1;
break;
case OSSL_CMP_PKISTATUS_rejection:
ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_REJECTED_BY_SERVER);
goto err;
case OSSL_CMP_PKISTATUS_revocationWarning:
ossl_cmp_info(ctx, "revocation accepted (PKIStatus=revocationWarning)");
- result = ctx->oldCert;
+ ret = 1;
break;
case OSSL_CMP_PKISTATUS_revocationNotification:
/* interpretation as warning or error depends on CA */
ossl_cmp_warn(ctx,
"revocation accepted (PKIStatus=revocationNotification)");
- result = ctx->oldCert;
+ ret = 1;
break;
case OSSL_CMP_PKISTATUS_waiting:
case OSSL_CMP_PKISTATUS_keyUpdateWarning:
@@ -818,8 +818,8 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
goto err;
}
- /* check any present CertId in optional revCerts field */
- if (rrep->revCerts != NULL) {
+ /* check any pretent CertId in optional revCerts field */
+ if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) >= 1) {
OSSL_CRMF_CERTID *cid;
OSSL_CRMF_CERTTEMPLATE *tmpl =
sk_OSSL_CMP_REVDETAILS_value(rr->body->value.rr, rsid)->certDetails;
@@ -828,17 +828,17 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) != num_RevDetails) {
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT);
- result = NULL;
+ ret = 0;
goto err;
}
if ((cid = ossl_cmp_revrepcontent_get_CertId(rrep, rsid)) == NULL) {
- result = NULL;
+ ret = 0;
goto err;
}
if (X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID_IN_RP);
- result = NULL;
+ ret = 0;
goto err;
#endif
}
@@ -846,7 +846,7 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_SERIAL_IN_RP);
- result = NULL;
+ ret = 0;
goto err;
#endif
}
@@ -855,19 +855,19 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
/* check number of any optionally present crls */
if (rrep->crls != NULL && sk_X509_CRL_num(rrep->crls) != num_RevDetails) {
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT);
- result = NULL;
+ ret = 0;
goto err;
}
err:
- if (result == NULL
+ if (ret == 0
&& OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf, sizeof(buf)) != NULL)
ERR_add_error_data(1, buf);
end:
OSSL_CMP_MSG_free(rr);
OSSL_CMP_MSG_free(rp);
- return result;
+ return ret;
}
STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx)
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 45cda58879..93e99f9610 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -79,6 +79,34 @@ static int add1_extension(X509_EXTENSIONS **pexts, int nid, int crit, void *ex)
return res;
}
+/* Add extension list to the referenced extension stack, which may be NULL */
+static int add_extensions(STACK_OF(X509_EXTENSION) **target,
+ const STACK_OF(X509_EXTENSION) *exts)
+{
+ int i;
+
+ if (target == NULL)
+ return 0;
+
+ for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
+ X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
+ ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext);
+ int idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
+
+ /* Does extension exist in target? */
+ if (idx != -1) {
+ /* Delete all extensions of same type */
+ do {
+ X509_EXTENSION_free(sk_X509_EXTENSION_delete(*target, idx));
+ idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
+ } while (idx != -1);
+ }
+ if (!X509v3_add_ext(target, ext, -1))
+ return 0;
+ }
+ return 1;
+}
+
/* Add a CRL revocation reason code to extension stack, which may be NULL */
static int add_crl_reason_extension(X509_EXTENSIONS **pexts, int reason_code)
{
@@ -186,18 +214,19 @@ OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
(sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \
|| OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1)
-static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, X509 *refcert,
+static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx,
+ const X509_NAME *ref_subj,
int for_KUR)
{
if (ctx->subjectName != NULL)
return ctx->subjectName;
- if (refcert != NULL && (for_KUR || !HAS_SAN(ctx)))
+ if (ref_subj != NULL && (for_KUR || !HAS_SAN(ctx)))
/*
- * For KUR, copy subjectName from reference certificate.
+ * For KUR, copy subject from the reference.
* For IR or CR, do the same only if there is no subjectAltName.
*/
- return X509_get_subject_name(refcert);
+ return ref_subj;
return NULL;
}
@@ -208,13 +237,18 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
/* refcert defaults to current client cert */
EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
STACK_OF(GENERAL_NAME) *default_sans = NULL;
- const X509_NAME *subject = determine_subj(ctx, refcert, for_KUR);
+ const X509_NAME *ref_subj =
+ ctx->p10CSR != NULL ? X509_REQ_get_subject_name(ctx->p10CSR) :
+ refcert != NULL ? X509_get_subject_name(refcert) : NULL;
+ const X509_NAME *subject = determine_subj(ctx, ref_subj, for_KUR);
const X509_NAME *issuer = ctx->issuer != NULL || refcert == NULL
? ctx->issuer : X509_get_issuer_name(refcert);
int crit = ctx->setSubjectAltNameCritical || subject == NULL;
/* RFC5280: subjectAltName MUST be critical if subject is null */
X509_EXTENSIONS *exts = NULL;
+ if (rkey == NULL && ctx->p10CSR != NULL)
+ rkey = X509_REQ_get0_pubkey(ctx->p10CSR);
if (rkey == NULL)
rkey = ctx->pkey; /* default is independent of ctx->oldCert */
if (rkey == NULL) {
@@ -223,7 +257,7 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
return NULL;
#endif
}
- if (for_KUR && refcert == NULL) {
+ if (for_KUR && refcert == NULL && ctx->p10CSR == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
return NULL;
}
@@ -256,14 +290,12 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
if (refcert != NULL && !ctx->SubjectAltName_nodefault)
default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
NID_subject_alt_name, NULL, NULL);
- /* exts are copied from ctx to allow reuse */
- if (ctx->reqExtensions != NULL) {
- exts = sk_X509_EXTENSION_deep_copy(ctx->reqExtensions,
- X509_EXTENSION_dup,
- X509_EXTENSION_free);
- if (exts == NULL)
- goto err;
- }
+ if (ctx->p10CSR != NULL
+ && (exts = X509_REQ_get_extensions(ctx->p10CSR)) == NULL)
+ goto err;
+ if (ctx->reqExtensions != NULL /* augment/override existing ones */
+ && !add_extensions(&exts, ctx->reqExtensions))
+ goto err;
if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0
&& !add1_extension(&exts, NID_subject_alt_name,
crit, ctx->subjectAltNames))
@@ -281,7 +313,7 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
/* end fill certTemplate, now set any controls */
/* for KUR, set OldCertId according to D.6 */
- if (for_KUR) {
+ if (for_KUR && refcert != NULL) {
OSSL_CRMF_CERTID *cid =
OSSL_CRMF_CERTID_gen(X509_get_issuer_name(refcert),
X509_get0_serialNumber(refcert));
@@ -460,19 +492,27 @@ OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
{
OSSL_CMP_MSG *msg = NULL;
OSSL_CMP_REVDETAILS *rd;
+ int ret;
- if (!ossl_assert(ctx != NULL && ctx->oldCert != NULL))
+ if (!ossl_assert(ctx != NULL && (ctx->oldCert != NULL
+ || ctx->p10CSR != NULL)))
return NULL;
if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL)
goto err;
/* Fill the template from the contents of the certificate to be revoked */
- if (!OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
- NULL /* pubkey would be redundant */,
- NULL /* subject would be redundant */,
- X509_get_issuer_name(ctx->oldCert),
- X509_get0_serialNumber(ctx->oldCert)))
+ ret = ctx->oldCert != NULL
+ ? OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
+ NULL /* pubkey would be redundant */,
+ NULL /* subject would be redundant */,
+ X509_get_issuer_name(ctx->oldCert),
+ X509_get0_serialNumber(ctx->oldCert))
+ : OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
+ X509_REQ_get0_pubkey(ctx->p10CSR),
+ X509_REQ_get_subject_name(ctx->p10CSR),
+ NULL, NULL);
+ if (!ret)
goto err;
/* revocation reason code is optional */
@@ -513,7 +553,7 @@ OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
OSSL_CRMF_CERTID *cid_copy = NULL;
OSSL_CMP_MSG *msg = NULL;
- if (!ossl_assert(ctx != NULL && si != NULL && cid != NULL))
+ if (!ossl_assert(ctx != NULL && si != NULL))
return NULL;
if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RP)) == NULL)
@@ -530,11 +570,13 @@ OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
if ((rep->revCerts = sk_OSSL_CRMF_CERTID_new_null()) == NULL)
goto err;
- if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
- goto err;
- if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
- OSSL_CRMF_CERTID_free(cid_copy);
- goto err;
+ if (cid != NULL) {
+ if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
+ goto err;
+ if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
+ OSSL_CRMF_CERTID_free(cid_copy);
+ goto err;
+ }
}
if (!unprot_err
diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
index 73e996af4e..2abf672387 100644
--- a/crypto/cmp/cmp_server.c
+++ b/crypto/cmp/cmp_server.c
@@ -248,7 +248,7 @@ static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
{
OSSL_CMP_MSG *msg = NULL;
OSSL_CMP_REVDETAILS *details;
- OSSL_CRMF_CERTID *certId;
+ OSSL_CRMF_CERTID *certId = NULL;
OSSL_CRMF_CERTTEMPLATE *tmpl;
const X509_NAME *issuer;
ASN1_INTEGER *serial;
@@ -272,8 +272,8 @@ static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
tmpl = details->certDetails;
issuer = OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl);
serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl);
- /* here issuer and serial may safely be NULL */
- if ((certId = OSSL_CRMF_CERTID_gen(issuer, serial)) == NULL)
+ if (issuer != NULL && serial != NULL
+ && (certId = OSSL_CRMF_CERTID_gen(issuer, serial)) == NULL)
return NULL;
if ((si = srv_ctx->process_rr(srv_ctx, req, issuer, serial)) == NULL)
goto err;
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index 4f4319a30c..0d9fce303e 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -152,7 +152,9 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
ext = X509_ATTRIBUTE_get0_type(attr, 0);
break;
}
- if (!ext || (ext->type != V_ASN1_SEQUENCE))
+ if (ext == NULL) /* no extensions is not an error */
+ return sk_X509_EXTENSION_new_null();
+ if (ext->type != V_ASN1_SEQUENCE)
return NULL;
p = ext->value.sequence->data;
return (STACK_OF(X509_EXTENSION) *)
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 7841d2b0f3..6ef288168e 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -34,7 +34,7 @@ Certificate enrollment options:
[B<-policy_oids_critical>]
[B<-popo> I<number>]
[B<-csr> I<filename>]
-[B<-out_trusted> I<filenames>]
+[B<-out_trusted> I<filenames>|I<uris>]
[B<-implicit_confirm>]
[B<-disable_confirm>]
[B<-certout> I<filename>]
@@ -42,7 +42,7 @@ Certificate enrollment options:
Certificate enrollment and revocation options:
-[B<-oldcert> I<filename>]
+[B<-oldcert> I<filename>|I<uri>]
[B<-revreason> I<number>]
Message transfer options:
@@ -56,9 +56,9 @@ Message transfer options:
Server authentication options:
-[B<-trusted> I<filenames>]
+[B<-trusted> I<filenames>|I<uris>]
[B<-untrusted> I<sources>]
-[B<-srvcert> I<filename>]
+[B<-srvcert> I<filename>|I<uri>]
[B<-recipient> I<name>]
[B<-expect_sender> I<name>]
[B<-ignore_keyusage>]
@@ -70,9 +70,9 @@ Client authentication options:
[B<-ref> I<value>]
[B<-secret> I<arg>]
-[B<-cert> I<filename>]
-[B<-own_trusted> I<filenames>]
-[B<-key> I<filename>]
+[B<-cert> I<filename>|I<uri>]
+[B<-own_trusted> I<filenames>|I<uris>]
+[B<-key> I<filename>|I<uri>]
[B<-keypass> I<arg>]
[B<-digest> I<name>]
[B<-mac> I<name>]
@@ -89,11 +89,11 @@ Credentials format options:
TLS connection options:
[B<-tls_used>]
-[B<-tls_cert> I<filename>]
+[B<-tls_cert> I<filename>|I<uri>]
[B<-tls_key> I<filename>|I<uri>]
[B<-tls_keypass> I<arg>]
-[B<-tls_extra> I<filenames>]
-[B<-tls_trusted> I<filenames>]
+[B<-tls_extra> I<filenames>|I<uris>]
+[B<-tls_trusted> I<filenames>|I<uris>]
[B<-tls_host> I<name>]
Client-side debugging options:
@@ -113,14 +113,14 @@ Mock server options:
[B<-max_msgs> I<number>]
[B<-srv_ref> I<value>]
[B<-srv_secret> I<arg>]
-[B<-srv_cert> I<filename>]
-[B<-srv_key> I<filename>]
+[B<-srv_cert> I<filename>|I<uri>]
+[B<-srv_key> I<filename>|I<uri>]
[B<-srv_keypass> I<arg>]
-[B<-srv_trusted> I<filenames>]
-[B<-srv_untrusted> I<filenames>]
-[B<-rsp_cert> I<filename>]
-[B<-rsp_extracerts> I<filenames>]
-[B<-rsp_capubs> I<filenames>]
+[B<-srv_trusted> I<filenames>|I<uris>]
+[B<-srv_untrusted> I<filenames>|I<uris>]
+[B<-rsp_cert> I<filename>|I<uri>]
+[B<-rsp_extracerts> I<filenames>|I<uris>]
+[B<-rsp_capubs> I<filenames>|I<uris>]
[B<-poll_count> I<number>]
[B<-check_after> I<number>]
[B<-grant_implicitconf>]
@@ -216,7 +216,7 @@ B<cr> requests issuing an additional certificate for an End Entity already
initialized to the PKI hierarchy.
B<p10cr> requests issuing an additional certificate similarly to B<cr>
-but uses PKCS#10 CSR format.
+but using PKCS#10 CSR format.
B<kur> requests a (key) update for an existing, given certificate.
@@ -263,11 +263,11 @@ L<openssl-passphrase-options(1)>.
X509 Distinguished Name (DN) of subject to use in the requested certificate
template.
-For KUR, it defaults to the subject DN of the reference certificate
-(see B<-oldcert>).
+For KUR, it defaults to the subject DN of any given CSR
+or of the reference certificate (see B<-oldcert>) if provided.
This default is used for IR and CR only if no SANs are set.
-The subject DN is also used as fallback sender of outgoing CMP messages
+The provided subject DN is also used as fallback sender of outgoing CMP messages
if no B<-cert> and no B<-oldcert> are given.
The argument must be formatted as I</type0=value0/type1=value1/type2=...>.
@@ -341,13 +341,18 @@ is provided via the B<-newkey> or B<-key> options.
=item B<-csr> I<filename>
-PKCS#10 CSR in PEM or DER format to use in legacy P10CR messages.
+PKCS#10 CSR in PEM or DER format containing a certificate request.
+When used with a with B<-cmd> I<p10cr> used directly in a legacy P10CR message.
+When used with B<-cmd> I<ir>, I<cr>, or I<kur>, it is tranformed into the
+respective regular CMP request.
+It may also be used with B<-cmd> I<rr> to specifiy the certificate to be revoked
+via the included subject and public key.
-=item B<-out_trusted> I<filenames>
+=item B<-out_trusted> I<filenames>|I<uris>
Trusted certificate(s) to use for verifying the newly enrolled certificate.
-Multiple filenames may be given, separated by commas and/or whitespace
+Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
@@ -380,15 +385,17 @@ The file where the chain of the newly enrolled certificate should be saved.
=over 4
-=item B<-oldcert> I<filename>
+=item B<-oldcert> I<filename>|I<uri>]
The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request
(KUR) messages or to be revoked in Revocation Request (RR) messages.
-It must be given for RR, while for KUR it defaults to B<-cert>.
+For RR the certificate to be revoked can also be specified using B<-csr>.
+For KUR certificate to be updated defaults to B<-cert>, and the resulting certificate is called
+I<reference certificate>.
-The reference certificate determined in this way, if any, is also used for
+The reference certificate, if any, is also used for
deriving default subject DN and Subject Alternative Names and the
-default issuer entry in the requested certificate template of IR/CR/KUR.
+default issuer entry in the requested certificate template of a IR/CR/KUR.
Its subject is used as sender of outgoing messages if B<-cert> is not given.
Its issuer is used as default recipient in CMP message headers
if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given.
@@ -465,7 +472,7 @@ Default is 0 (infinite).
=over 4
-=item B<-trusted> I<filenames>
+=item B<-trusted> I<filenames>|I<uris>
When verifying signature-based protection of CMP response messages,
these are the CA certificate(s) to trust while checking certificate chains
@@ -477,7 +484,7 @@ for which a chain to one of the given trusted certificates can be constructed.
If no B<-trusted>, B<-srvcert>, and B<-secret> option is given
then protected response messages from the server are not authenticated.
-Multiple filenames may be given, separated by commas and/or whitespace
+Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
@@ -496,10 +503,10 @@ as well as for chain building
when verifying the CMP server certificate (checking signature-based
CMP message protection) and when verifying newly enrolled certificates.
-Multiple filenames may be given, separated by commas and/or whitespace.
+Multiple sources may be given, separated by commas and/or whitespace.
Each file may contain multiple certificates.
-=item B<-srvcert> I<filename>
+=item B<-srvcert> I<filename>|I<uri>]
The specific CMP server certificate to expect and directly trust (even if it is
expired) when verifying signature-based protection of CMP response messages.
@@ -609,7 +616,7 @@ This takes precedence over the B<-cert> and B<-key> options.
For more information about the format of B<arg> see
L<openssl-passphrase-options(1)>.
-=item B<-cert> I<filename>
+=item B<-cert> I<filename>|I<uri>]
The client's current CMP signer certificate.
Requires the corresponding key to be given with B<-key>.
@@ -628,13 +635,13 @@ If the file includes further certs, they are appended to the untrusted certs
because they typically constitute the chain of the client certificate, which
is included in the extraCerts field in signature-protected request messages.
-=item B<-own_trusted> I<filenames>
+=item B<-own_trusted> I<filenames>|I<uris>
If this list of certificates is provided then the chain built for
the client-side CMP signer certificate given with the B<-cert> option
is verified using the given certificates as trust anchors.
-Multiple filenames may be given, separated by commas and/or whitespace
+Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
@@ -642,7 +649,7 @@ The certificate verification options
B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
have no effect on the certificate verification enabled via this option.
-=item B<-key> I<filename>
+=item B<-key> I<filename>|I<uri>]
The corresponding private key file for the client's current certificate given in
the B<-cert> option.
@@ -680,7 +687,7 @@ Defaults to C<hmac-sha1> as per RFC 4210.
Certificates to append in the extraCerts field when sending messages.
They can be used as the default CMP signer certificate chain to include.
-Multiple filenames or URLs may be given, separated by commas and/or whitespace
+Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
@@ -743,10 +750,10 @@ B<-tls_key>.
Enable using TLS (even when other TLS_related options are not set)
when connecting to CMP server.
-=item B<-tls_cert> I<filename>
+=item B<-tls_cert> I<filename>|I<uri>]
Client's TLS certificate.
-If the file includes further certs they are used (along with B<-untrusted>
+If the source includes further certs they are used (along with B<-untrusted>
certs) for constructing the client cert chain provided to the TLS server.
=item B<-tls_key> I<filename>|I<uri>
@@ -762,16 +769,16 @@ If not given here, the password will be prompted for if needed.
For more information about the format of B<arg> see
L<openssl-passphrase-options(1)>.
-=item B<-tls_extra> I<filenames>
+=item B<-tls_extra> I<filenames>|I<uris>
Extra certificates to provide to TLS server during TLS handshake
-=item B<-tls_trusted> I<filenames>
+=item B<-tls_trusted> I<filenames>|I<uris>
Trusted certificate(s) to use for verifying the TLS server certificate.
This implies hostname validation.
-Multiple filenames may be given, separated by commas and/or whitespace
+Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
@@ -868,11 +875,11 @@ Reference value to use as senderKID of server in case no B<-srv_cert> is given.
Password source for server authentication with a pre-shared key (secret).
-=item B<-srv_cert> I<filename>
+=item B<-srv_cert> I<filename>|I<uri>]
Certificate of the server.
-=item B<-srv_key> I<filename>
+=item B<-srv_key> I<filename>|I<uri>]
Private key used by the server for signing messages.
@@ -880,7 +887,7 @@ Private key used by the server for signing messages.
Server private key (and cert) file pass phrase source.
-=item B<-srv_trusted> I<filenames>
+=item B<-srv_trusted> I<filenames>|I<uris>
Trusted certificates for client authentication.
@@ -888,19 +895,19 @@ The certificate verification options
B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
have no effect on the certificate verification enabled via this option.
-=item B<-srv_untrusted> I<filenames>
+=item B<-srv_untrusted> I<filenames>|I<uris>
Intermediate CA certs that may be useful when verifying client certificates.
-=item B<-rsp_cert> I<filename>
+=item B<-rsp_cert> I<filename>|I<uri>]
Certificate to be returned as mock enrollment result.
-=item B<-rsp_extracerts> I<filenames>
+=item B<-rsp_extracerts> I<filenames>|I<uris>
Extra certificates to be included in mock certification responses.
-=item B<-rsp_capubs> I<filenames>
+=item B<-rsp_capubs> I<filenames>|I<uris>
CA certificates to be included in mock Initialization Response (IP) message.
diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod
index 895a8a9497..070f775914 100644
--- a/doc/man3/OSSL_CMP_exec_certreq.pod
+++ b/doc/man3/OSSL_CMP_exec_certreq.pod
@@ -32,7 +32,7 @@ OSSL_CMP_exec_GENM_ses
#define OSSL_CMP_KUR
int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
const OSSL_CRMF_MSG *crm, int *checkAfter);
- X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
+ int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx);
=head1 DESCRIPTION
@@ -137,9 +137,7 @@ In the latter case L<OSSL_CMP_CTX_get0_newCert(3)> yields NULL
and the output parameter I<checkAfter> has been used to
assign the received value unless I<checkAfter> is NULL.
-OSSL_CMP_exec_RR_ses() returns the
-pointer to the revoked certificate on success, NULL on error.
-This pointer will be freed implicitly by OSSL_CMP_CTX_free().
+OSSL_CMP_exec_RR_ses() returns 1 on success, 0 on error.
OSSL_CMP_exec_GENM_ses() returns a
pointer to the received B<ITAV> sequence on success, NULL on error.
diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in
index 94c8ccf978..a2c0984f5e 100644
--- a/include/openssl/cmp.h.in
+++ b/include/openssl/cmp.h.in
@@ -457,7 +457,7 @@ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
OSSL_CMP_exec_certreq(ctx, OSSL_CMP_KUR, NULL)
int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
const OSSL_CRMF_MSG *crm, int *checkAfter);
-X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
+int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx);
# ifdef __cplusplus
diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c
index e2c0ca5534..8a570f62ea 100644
--- a/test/cmp_client_test.c
+++ b/test/cmp_client_test.c
@@ -92,7 +92,7 @@ static CMP_SES_TEST_FIXTURE *set_up(const char *const test_case_name)
static int execute_exec_RR_ses_test(CMP_SES_TEST_FIXTURE *fixture)
{
return TEST_int_eq(fixture->expected,
- OSSL_CMP_exec_RR_ses(fixture->cmp_ctx) == client_cert);
+ OSSL_CMP_exec_RR_ses(fixture->cmp_ctx) == 1);
}
static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture)
diff --git a/test/recipes/81-test_cmp_cli_data/test_commands.csv b/test/recipes/81-test_cmp_cli_data/test_commands.csv
index 4d7a4be3eb..7feaebcdd0 100644
--- a/test/recipes/81-test_cmp_cli_data/test_commands.csv
+++ b/test/recipes/81-test_cmp_cli_data/test_commands.csv
@@ -33,8 +33,10 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
0, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK,
0,revreason AACompromise, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,_RESULT_DIR/test.cert.pem, -revreason,10
0, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK,
+0, --- use csr for revocation ----, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,,BLANK, -revreason,0, -csr,csr.pem
+0, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK,
1,without oldcert, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,,BLANK,
-1,oldcert is directory, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,dir/,BLANK,
+1,oldcert is directory, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,dir/,BLANK,cmp
1,oldcert file nonexistent, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,idontexist,BLANK,
1,empty oldcert file, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,empty.txt,BLANK,
1,oldcert and key do not match, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,trusted.crt, -revreason,0
diff --git a/test/recipes/81-test_cmp_cli_data/test_enrollment.csv b/test/recipes/81-test_cmp_cli_data/test_enrollment.csv
index dc65973c55..d8d6cd2c6c 100644
--- a/test/recipes/81-test_cmp_cli_data/test_enrollment.csv
+++ b/test/recipes/81-test_cmp_cli_data/test_enrollment.csv
@@ -85,7 +85,7 @@ expected,description, -section,val, -cmd,val, -newkey,val,val, -newkeypass,val,
1,oldcert empty file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_oldcert4.pem,, -out_trusted,root.crt,, -oldcert,empty.txt,BLANK,,,
1,oldcert random contents, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_oldcert5.pem,, -out_trusted,root.crt,, -oldcert,random.bin,BLANK,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
-0,csr ignored for ir, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_csr_ignored.pem,, -out_trusted,root.crt,,BLANK,, -csr,idontexist,,
+0,csr used in ir, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_csr_ignored.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,,
0,p10cr csr, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,,
1,p10cr csr missing, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr1.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
1,p10cr csr missing arg, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr1.pem,, -out_trusted,root.crt,,BLANK,, -csr,,,
More information about the openssl-commits
mailing list