author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-05-29 17:14:14 +0200 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-06-13 15:13:21 +0200 |
commit | c4a9e3ebbbbc2dc371b4fea5fa62120ed14ecaa7 (patch) | |
tree | f38ee0f3448b660e89366b35fb4d5fb992241d08 /doc | |
parent | 7e8dbb74620ac4420ad4d3adca51ce1b9a3e114c (diff) | |
Move part of OSSL_CMP_validate_msg() to ossl_cmp_msg_check_update()
as checking expected_sender and adding caPubs is not part of msg validation.
Also constify a couple of internal and public functions related to cmp_vfy.c
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/internal/man3/ossl_cmp_msg_check_update.pod | 10 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_CTX_new.pod | 2 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_validate_msg.pod | 7 |
3 files changed, 11 insertions, 8 deletions
diff --git a/doc/internal/man3/ossl_cmp_msg_check_update.pod b/doc/internal/man3/ossl_cmp_msg_check_update.pod index c058e90ffb..4e7a9224af 100644 --- a/doc/internal/man3/ossl_cmp_msg_check_update.pod +++ b/doc/internal/man3/ossl_cmp_msg_check_update.pod @@ -27,6 +27,9 @@ The B<msg> is checked for the following: =over 4 +=item its sender is of appropriate type (currently only B<X509_NAME>) + and matches any expected sender or srvCert subject given in B<ctx>, + =item its protection is present and valid (or a callback function B<cb> is present and indicates that a missing or invalid protection is acceptable), @@ -61,6 +64,13 @@ If all checks pass then ossl_cmp_msg_check_update() records in B<ctx> the senderNonce of the received message as the new recipNonce and learns the transaction ID if none is currently present in B<ctx>. +Moreover, according to RFC 4210 section 5.3.2, if the message protection is +PBM-based then any certificates in the caPubs field are added to the list of +trusted certificates (if set via L<OSSL_CMP_CTX_set0_trustedStore(3)>). +This way these certs are available for validating subsequent messages in the +same context and could apply to any Polling Response (pollRep), error, or PKI +Confirmation (PKIConf) messages following in the same or future transactions. + =head1 RETURN VALUES ossl_cmp_msg_check_update() returns 1 on success, -1 on error. diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index 27933b58f9..97927fb45e 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -73,7 +73,7 @@ OSSL_CMP_CTX_set1_senderNonce /* logging and error reporting: */ int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb); #define OSSL_CMP_CTX_set_log_verbosity(ctx, level) - void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx); + void OSSL_CMP_CTX_print_errors(const OSSL_CMP_CTX *ctx); /* message transfer: */ int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path); 
diff --git a/doc/man3/OSSL_CMP_validate_msg.pod b/doc/man3/OSSL_CMP_validate_msg.pod index 3b06532ceb..3bf5c06811 100644 --- a/doc/man3/OSSL_CMP_validate_msg.pod +++ b/doc/man3/OSSL_CMP_validate_msg.pod @@ -46,13 +46,6 @@ according to TS 33.310 [Network Domain Security (NDS); Authentication Framework Any cert that has been found as described above is cached and tried first when validating the signatures of subsequent messages in the same transaction. -After successful validation of PBM-based protection of a certificate response -the certificates in the caPubs field (if any) are added to the trusted -certificates provided via L<OSSL_CMP_CTX_set0_trustedStore(3)>, such that -they are available for validating subsequent messages in the same context. -Those could apply to any Polling Response (pollRep), error, or PKI Confirmation -(PKIConf) messages following in the same or future transactions. - OSSL_CMP_validate_cert_path() attempts to validate the given certificate and its path using the given store of trusted certs (possibly including CRLs and a cert verification callback) and non-trusted intermediate certs from the B<ctx>. |
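Review bot: In doc/internal/man3/ossl_cmp_msg_check_update.pod, hunk @@ -27,6 +27,9 @@, the new sender item does not say what happens when B<ctx> holds neither an expected sender nor a srvCert. The wording "matches any expected sender or srvCert subject given in B<ctx>" can be read either as skipping the check or as failing it in that case. Please state the outcome explicitly, since this item decides which senders a client accepts.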
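Review bot: In doc/internal/man3/ossl_cmp_msg_check_update.pod, hunk @@ -61,6 +64,13 @@, the paragraph starting "Moreover, according to RFC 4210 section 5.3.2" does not clearly inherit the "If all checks pass" condition of the sentence before it, and it drops the "After successful validation of PBM-based protection of a certificate response" qualifier that the paragraph removed from OSSL_CMP_validate_msg.pod carried. Because this step adds caPubs certificates to the list of trusted certificates, say explicitly that it happens only once the PBM-based protection has been validated, and for which message types. The parenthetical "(if set via L<OSSL_CMP_CTX_set0_trustedStore(3)>)" also leaves open what is done with caPubs when no trusted store is set; please spell that out.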
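Review bot: In doc/man3/OSSL_CMP_validate_msg.pod, hunk @@ -46,13 +46,6 @@, removing the caPubs paragraph leaves this side effect documented only under doc/internal/man3, as far as the three files in this diffstat show. Callers who supply a store via OSSL_CMP_CTX_set0_trustedStore(3) should be able to learn from a public page that caPubs certificates from a PBM-protected message can be added to that store and then "apply to any Polling Response (pollRep), error, or PKI Confirmation (PKIConf) messages following in the same or future transactions". Consider keeping a short note in the public page that documents OSSL_CMP_CTX_set0_trustedStore(3).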