Allow subject of CMP -oldcert as sender unless protection cert is given

Reviewed-by: N Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11998)

Allow subject of CMP -oldcert as sender unless protection cert is given
Reviewed-by: N Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11998)
16931355 · Dr. David von Oheimb · 7e998a0f · 16931355 · 16931355 · 16931355
隐藏空白更改
内联并排

Showing with 10 addition and 7 deletion

crypto/cmp/cmp_hdr.c crypto/cmp/cmp_hdr.c +5 -4

doc/man1/openssl-cmp.pod.in doc/man1/openssl-cmp.pod.in +3 -2

doc/man3/OSSL_CMP_CTX_new.pod doc/man3/OSSL_CMP_CTX_new.pod +2 -1

未找到文件。
--- a/crypto/cmp/cmp_hdr.c
+++ b/crypto/cmp/cmp_hdr.c
@@ -300,11 +300,12 @@ int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr)
        return 0;

    /*
-     * The sender name is copied from the subject of the client cert, if any,
-     * or else from the subject name provided for certification requests.
+     * If neither protection cert nor oldCert nor subject are given,
+     * sender name is not known to the client and thus set to NULL-DN
     */
-    sender = ctx->cert != NULL ?
-        X509_get_subject_name(ctx->cert) : ctx->subjectName;
+    sender = ctx->cert != NULL ? X509_get_subject_name(ctx->cert) :
+        ctx->oldCert != NULL ? X509_get_subject_name(ctx->oldCert) :
+        ctx->subjectName;
    if (!ossl_cmp_hdr_set1_sender(hdr, sender))
        return 0;


--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -393,8 +393,9 @@ It must be given for RR, while for KUR it defaults to B<-cert>.

 The reference certificate determined in this way, if any, is also used for
 deriving default subject DN and Subject Alternative Names for IR, CR, and KUR.
-Its issuer, if any, is used as default recipient in the CMP message header
-if neither B<-srvcert>, B<-recipient>, nor B<-issuer> is available.
+Its subject is used as sender in CMP message headers if B<-cert> is not given.
+Its issuer is used as default recipient in CMP message headers
+if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given.

 =item B<-revreason> I<number>


--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -520,7 +520,8 @@ Key Update Requests (KUR) or to be revoked in Revocation Requests (RR).
 It must be given for RR, else it defaults to the protection B<cert>.
 The B<reference certificate> determined in this way, if any, is also used for
 deriving default subject DN and Subject Alternative Names for IR, CR, and KUR.
-Its issuer, if any, is used as default recipient in the CMP message header.
+Its subject is used as sender in CMP message headers if no protection cert is given.
+Its issuer is used as default recipient in CMP message headers.

 OSSL_CMP_CTX_set1_p10CSR() sets the PKCS#10 CSR to be used in P10CR.