The branch master has been updated via b51bed05c2ab54a1933b5c18862e68cd4540278c (commit) via d44a8a16c8a2851af7f70575ff3dd23cc06f30e1 (commit) from fe75766c9c2919f649df7b3ad209df2bc5e56dd0 (commit)
- Log ----------------------------------------------------------------- commit b51bed05c2ab54a1933b5c18862e68cd4540278c Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Sun Feb 14 20:25:42 2021 +0100 apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR Also improve doc how the -reqexts option affects the CSR given with the -csr option. Reviewed-by: David von Oheimb <david.von.ohe...@siemens.com> Reviewed-by: Tomas Mraz <to...@openssl.org> Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com> (Merged from https://github.com/openssl/openssl/pull/14181) commit d44a8a16c8a2851af7f70575ff3dd23cc06f30e1 Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Sun Feb 14 20:12:38 2021 +0100 apps/ca.c: Make sure ext_ctx structure gets initialized Fixes #14175 Reviewed-by: David von Oheimb <david.von.ohe...@siemens.com> Reviewed-by: Tomas Mraz <to...@openssl.org> Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com> (Merged from https://github.com/openssl/openssl/pull/14181) ----------------------------------------------------------------------- Summary of changes: apps/ca.c | 11 +++++---- apps/cmp.c | 54 +++++++++++++++++++++++---------------------- doc/man1/openssl-cmp.pod.in | 2 ++ 3 files changed, 37 insertions(+), 30 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 29f62f86f2..dbb4d15eb8 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -863,6 +863,7 @@ end_of_options: if (extensions != NULL) { /* Check syntax of config file section */ X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ctx, extensions, NULL)) { @@ -1141,6 +1142,7 @@ end_of_options: if (crl_ext != NULL) { /* Check syntax of file */ X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) { @@ -1230,6 +1232,7 @@ end_of_options: if (crl_ext != NULL || crlnumberfile != NULL) { X509V3_CTX crlctx; + X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); X509V3_set_nconf(&crlctx, conf); @@ -1697,12 +1700,12 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if (!i) goto end; + /* Initialize the context structure */ + X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509, + ret, req, NULL, X509V3_CTX_REPLACE); + /* Lets add the extensions, if there are any */ if (ext_sect) { - /* Initialize the context structure */ - X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509, - ret, req, NULL, X509V3_CTX_REPLACE); - if (extfile_conf != NULL) { if (verbose) BIO_printf(bio_err, "Extra configuration file found\n"); diff --git a/apps/cmp.c b/apps/cmp.c index 1dbd1f7339..887ec5d22e 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1601,6 +1601,10 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) */ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) { + X509_REQ *csr = NULL; + X509_EXTENSIONS *exts = NULL; + X509V3_CTX ext_ctx; + if (opt_subject == NULL && opt_csr == NULL && opt_oldcert == NULL && opt_cert == NULL && opt_cmd != CMP_RR && opt_cmd != CMP_GENM) @@ -1648,30 +1652,41 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) return 0; } + if (opt_csr != NULL) { + if (opt_cmd == CMP_GENM) { + CMP_warn("-csr option is ignored for genm command"); + } else { + csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr"); + if (csr == NULL) + return 0; + if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) { + X509_REQ_free(csr); + goto oom; + } + } + } if (opt_reqexts != NULL || opt_policies != NULL) { - X509V3_CTX ext_ctx; - X509_EXTENSIONS *exts = sk_X509_EXTENSION_new_null(); - - if (exts == NULL) - return 0; - X509V3_set_ctx(&ext_ctx, NULL, NULL, NULL, NULL, 0); + if ((exts = sk_X509_EXTENSION_new_null()) == NULL) + goto exts_err; + X509V3_set_ctx(&ext_ctx, NULL, NULL, csr, NULL, X509V3_CTX_REPLACE); X509V3_set_nconf(&ext_ctx, conf); if (opt_reqexts != NULL && !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_reqexts, &exts)) { CMP_err1("cannot load certificate request extension section '%s'", opt_reqexts); - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - return 0; + goto exts_err; } if (opt_policies != NULL && !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_policies, &exts)) { CMP_err1("cannot load policy cert request extension section '%s'", opt_policies); - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - return 0; + goto exts_err; } OSSL_CMP_CTX_set0_reqExtensions(ctx, exts); + exts = NULL; } + X509_REQ_free(csr); + csr = NULL; if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) && opt_sans != NULL) { CMP_err("cannot have Subject Alternative Names both via -reqexts and via -sans"); return 0; @@ -1720,22 +1735,6 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (opt_popo >= OSSL_CRMF_POPO_NONE) (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_POPO_METHOD, opt_popo); - if (opt_csr != NULL) { - if (opt_cmd == CMP_GENM) { - CMP_warn("-csr option is ignored for genm command"); - } else { - X509_REQ *csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr"); - - if (csr == NULL) - return 0; - if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) { - X509_REQ_free(csr); - goto oom; - } - X509_REQ_free(csr); - } - } - if (opt_oldcert != NULL) { if (opt_cmd == CMP_GENM) { CMP_warn("-oldcert option is ignored for genm command"); @@ -1762,6 +1761,9 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) oom: CMP_err("out of memory"); + exts_err: + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + X509_REQ_free(csr); return 0; } diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 3f2b742a36..9800de6465 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -298,6 +298,8 @@ validity period starts from the current time (as seen by the host). =item B<-reqexts> I<name> Name of section in OpenSSL config file defining certificate request extensions. +If the B<-csr> option is present, these extensions augment the extensions +contained the given PKCS#10 CSR, overriding any extensions with same OIDs. =item B<-sans> I<spec>