From 5202b718e82954d7224da178b4bb0036a6072236 Mon Sep 17 00:00:00 2001
From: "Rufus J.W. Buschart"
Date: Tue, 15 Oct 2024 09:51:44 +0200
Subject: [PATCH 1/3] get trust from caPubs in IP
---
 Makefile_v1 | 1 +
 config/demo.cnf | 3 ++-
 creds/trusted/caPubs.pem | 0
 3 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 creds/trusted/caPubs.pem
diff --git a/Makefile_v1 b/Makefile_v1
index b3c4e2a4..7238043d 100644
--- a/Makefile_v1
+++ b/Makefile_v1
@@ -390,6 +390,7 @@ else ifeq ($(CA_SECTION),CloudCA)
 PROFILE_PATH="/p/$(CMP_PROFILE)"
 endif
 override EXTRA_OPTS += -path "/.well-known/cmp$(PROFILE_PATH)" -reqexts empty
+ EXTRA_OPTS_IMPRINT = -trusted ""
 else
 CA_SECTION=EJBCA
 EXTRA_OPTS_IMPRINT= -path "$(ENV::EJBCA_PATH_IMPRINT)" -subject "$(EJBCA_CMP_SUBJECT_IMPRINT)"
diff --git a/config/demo.cnf b/config/demo.cnf
index 0753b420..008fd8cb 100644
--- a/config/demo.cnf
+++ b/config/demo.cnf
@@ -154,7 +154,8 @@ tls_trusted = creds/trusted/DigicertGlobalRootG2.crt
 # Tenant on server
 recipient = /CN=CloudPKI-Integration-Test
 cacert = creds/trusted/CloudCA_Root_v2.crt
-trusted = $cacert
+caPubs = creds/trusted/caPubs.pem
+trusted = $cacert,$caPubs
 out_trusted = $cacert
 own_trusted = $cacert
diff --git a/creds/trusted/caPubs.pem b/creds/trusted/caPubs.pem
new file mode 100644
index 00000000..e69de29b
From bddbe3bf267d4cb2af67c4f82f2a34d263d9e3cf Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Tue, 15 Oct 2024 14:25:56 +0200
Subject: [PATCH 2/3] fixup! get trust from caPubs in IP
---
 Makefile_v1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile_v1 b/Makefile_v1
index 7238043d..cc4924a6 100644
--- a/Makefile_v1
+++ b/Makefile_v1
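Review bot: `trusted = $cacert,$caPubs` makes the CloudCA section's trust anchors depend on `creds/trusted/caPubs.pem`, which this commit adds as an empty file; until an imprint run has filled it, that entry either contributes no anchor or, depending on how the loader treats a PEM file without certificates, makes loading the trust store fail, so the fresh-checkout behaviour is worth confirming. The file is later written with `-cacertsout` from the caPubs field of a MAC-protected IP (PATCH 2/3), so whatever the last imprint run received becomes a trust anchor for every subsequent run of this section, and nothing in the config says so; a comment next to the new key should make that first-use property explicit, e.g. `# caPubs.pem is written by the imprint run from the IP's caPubs field (MAC-protected only); its contents become trust anchors for all later runs`. Because a stale or foreign file at that path would be trusted just the same, whether the placeholder stays in version control after first use deserves an explicit decision.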
@@ -390,7 +390,7 @@ else ifeq ($(CA_SECTION),CloudCA)
 PROFILE_PATH="/p/$(CMP_PROFILE)"
 endif
 override EXTRA_OPTS += -path "/.well-known/cmp$(PROFILE_PATH)" -reqexts empty
- EXTRA_OPTS_IMPRINT = -trusted ""
+ EXTRA_OPTS_IMPRINT = -trusted "" -out_trusted "" -cacertsout creds/trusted/caPubs.pem
 else
 CA_SECTION=EJBCA
 EXTRA_OPTS_IMPRINT= -path "$(ENV::EJBCA_PATH_IMPRINT)" -subject "$(EJBCA_CMP_SUBJECT_IMPRINT)"
From f99e3828a3e8026cc58124c4061e1e40bda95867 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Tue, 15 Oct 2024 14:30:15 +0200
Subject: [PATCH 3/3] genericCMPClient.c: for validating the newly enrolled cert, trust caPubs if from MAC-based response
---
 src/genericCMPClient.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/src/genericCMPClient.c b/src/genericCMPClient.c
index 04464255..4f5af498 100644
--- a/src/genericCMPClient.c
+++ b/src/genericCMPClient.c
@@ -108,6 +108,32 @@ static X509_NAME *parse_DN(const char *str, const char *desc)
 return name;
 }
+static int certConf_caPubs_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, const char **text)
+{
+ X509_STORE *new_ts = NULL, *new_cert_truststore = OSSL_CMP_CTX_get_certConf_cb_arg(ctx);
+ STACK_OF(X509) *caPubs = NULL;
+ int i, ret = 0;
+
+ if (OSSL_CMP_CTX_get0_trustedStore(ctx) == NULL) { /* with MAC-based response protection only */
+ caPubs = OSSL_CMP_CTX_get1_caPubs(ctx);
+ if (new_cert_truststore == NULL) {
+ if ((new_ts = X509_STORE_new()) == NULL)
+ goto err;
+ new_cert_truststore = new_ts;
+ if (!OSSL_CMP_CTX_set_certConf_cb_arg(ctx, new_ts))
+ goto err;
+ }
+ for (i = 0; i < sk_X509_num(caPubs); i++)
+ if (!X509_STORE_add_cert(new_cert_truststore, sk_X509_value(caPubs, i)))
+ goto err;
+ }
+ ret = OSSL_CMP_certConf_cb(ctx, cert, fail_info, text);
+ err:
+ X509_STORE_free(new_ts);
+ CERTS_free(caPubs);
+ return ret;
+}
+
 CMP_err CMPclient_prepare(OSSL_CMP_CTX **pctx,
 OSSL_LIB_CTX *libctx, const char *propq,
 OPTIONAL LOG_cb_t log_fn,
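Review bot: `-cacertsout creds/trusted/caPubs.pem` hard-codes the same path that `config/demo.cnf` defines as `caPubs = creds/trusted/caPubs.pem` in PATCH 1/3, so the writer and the consumer of that trust file can silently drift apart; one Makefile variable such as `CAPUBS_FILE = creds/trusted/caPubs.pem` used here and handed to the config, or at least a comment tying the two together, would keep them in step. The assignment also deserves a comment on what it relies on: with `-trusted "" -out_trusted ""` the imprint run accepts the IP under MAC protection only and depends on the certConf callback introduced in PATCH 3/3 to validate the new cert against the received caPubs, e.g. `# imprinting: no trust anchors yet; IP accepted via MAC protection, caPubs saved and used to validate the new cert`. That the empty arguments clear the values set in demo.cnf rather than being taken as empty file names depends on how the cmp app parses an empty option argument, which is not visible here.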
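Review bot: In certConf_caPubs_cb the store created in the `new_cert_truststore == NULL` branch is installed into the context with `OSSL_CMP_CTX_set_certConf_cb_arg(ctx, new_ts)` and then unconditionally freed at `err:`, so the context keeps a dangling cb-arg pointer after the callback returns; the `X509_STORE_up_ref(new_cert_truststore)` in the CMPclient_prepare hunk suggests the library treats the cb arg as an owned reference released at teardown (not visible here), which would turn this into a double free, and a second invocation of the callback would read freed memory either way. I would move `new_cert_truststore = new_ts;` below the successful set call and add `new_ts = NULL; /* now owned via ctx, released with the cb arg */` so only a store that was never installed is freed here; if the cb arg is in fact not released elsewhere, `OSSL_CMP_CTX_set_certConf_cb_arg(ctx, NULL)` before the free is the alternative. The guard comment `/* with MAC-based response protection only */` encodes the security argument of the whole series — caPubs from the IP are trusted only because the message was MAC-protected with a pre-shared secret — yet the code tests an unset trust store, which is a proxy; stating in the comment that it holds as long as no option lets a signature-protected IP pass without a trust store would make the assumption reviewable. The `for` body on the `X509_STORE_add_cert` line is an unbraced `if ... goto`, which the file's brace style may want wrapped.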
@@ -247,7 +273,7 @@ CMP_err CMPclient_prepare(OSSL_CMP_CTX **pctx,
 X509_VERIFY_PARAM_clear_flags(out_vpm, X509_V_FLAG_USE_CHECK_TIME);
- if (!OSSL_CMP_CTX_set_certConf_cb(ctx, OSSL_CMP_certConf_cb) ||
+ if (!OSSL_CMP_CTX_set_certConf_cb(ctx, certConf_caPubs_cb) ||
 !OSSL_CMP_CTX_set_certConf_cb_arg(ctx, new_cert_truststore) ||
 !X509_STORE_up_ref(new_cert_truststore))
 goto err;
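Review bot: The callback swap at `OSSL_CMP_CTX_set_certConf_cb(ctx, certConf_caPubs_cb)` sits in a block that also calls `X509_STORE_up_ref(new_cert_truststore)`, which cannot take NULL, so the block is presumably guarded by `new_cert_truststore != NULL` outside the hunk; if so, the callback is never installed when no out_trusted store is configured, which is exactly the `-out_trusted ""` imprint case set up in PATCH 2/3, and the `new_cert_truststore == NULL` branch inside certConf_caPubs_cb becomes unreachable. I would install the callback unconditionally, `if (!OSSL_CMP_CTX_set_certConf_cb(ctx, certConf_caPubs_cb)) goto err;` ahead of the store-specific lines, and leave only the cb-arg and up_ref calls under the store guard. CMPclient_prepare starts and ends outside the hunk, so the guard itself cannot be checked from here.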