Clean up CMP chain building for CMP signer, TLS client, and newly enrolled certs

* Use strenghtened cert chain building, verifying chain using optional trust store
  while making sure that no certificate status (e.g., CRL) checks are done
* Use OSSL_CMP_certConf_cb() by default and move its doc to OSSL_CMP_CTX_new.pod
* Simplify certificate and cert store loading in apps/cmp.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12741)

1 files changed, 1 insertions, 1 deletions

diff --git a/doc/internal/man3/ossl_cmp_msg_protect.pod b/doc/internal/man3/ossl_cmp_msg_protect.pod
index 39f5146530..0a6b70fe9d 100644
--- a/doc/internal/man3/ossl_cmp_msg_protect.pod
+++ b/doc/internal/man3/ossl_cmp_msg_protect.pod
@@ -46,7 +46,7 @@ It also sets the protectionAlg field in the message header accordingly.
 ossl_cmp_msg_add_extraCerts() adds elements to the extraCerts field in I<msg>.
 If signature-based message protection is used it adds first the CMP signer cert
 ctx->cert and then its chain ctx->chain. If this chain is not present in I<ctx>
-tries to build it using ctx->untrusted_certs and caches the result in ctx->chain.
+tries to build it using ctx->untrusted and caches the result in ctx->chain.
 In any case all the certificates explicitly specified to be sent out (i.e.,
 I<ctx->extraCertsOut>) are added. Note that it will NOT add the root certificate
 of the chain, i.e, the trust anchor (unless it is part of extraCertsOut).