add -crlcert option for genm with infotype crlStatusList

siemens · Mar 5, 2024 · 7ec68ff · 7ec68ff
1 parent bfb2957
commit 7ec68ff
Showing 1 changed file with 30 additions and 15 deletions.
diff --git a/apps/cmp.c b/apps/cmp.c
@@ -94,6 +94,7 @@ static char *opt_oldwithold = NULL;
 static char *opt_newwithnew = NULL;
 static char *opt_newwithold = NULL;
 static char *opt_oldwithnew = NULL;
+static char *opt_crlcert = NULL;
 static char *opt_oldcrl = NULL;
 static char *opt_crlout = NULL;
 
@@ -238,7 +239,7 @@ typedef enum OPTION_choice {
     OPT_IGNORE_KEYUSAGE, OPT_UNPROTECTED_ERRORS, OPT_NO_CACHE_EXTRACERTS,
     OPT_SRVCERTOUT, OPT_EXTRACERTSOUT, OPT_CACERTSOUT,
     OPT_OLDWITHOLD, OPT_NEWWITHNEW, OPT_NEWWITHOLD, OPT_OLDWITHNEW,
-    OPT_OLDCRL, OPT_CRLOUT,
+    OPT_CRLCERT, OPT_OLDCRL, OPT_CRLOUT,
 
     OPT_REF, OPT_SECRET, OPT_CERT, OPT_OWN_TRUSTED, OPT_KEY, OPT_KEYPASS,
     OPT_DIGEST, OPT_MAC, OPT_EXTRACERTS,
@@ -429,6 +430,8 @@ const OPTIONS cmp_options[] = {
       "File to save NewWithOld cert received in genp of type rootCaKeyUpdate"},
     { "oldwithnew", OPT_OLDWITHNEW, 's',
       "File to save OldWithNew cert received in genp of type rootCaKeyUpdate"},
+    { "crlcert", OPT_CRLCERT, 's',
+      "certificate to request CRL update for in genm of type crlStatusList"},
     { "oldcrl", OPT_OLDCRL, 's',
       "CRL to request update for in genm of type crlStatusList"},
     { "crlout", OPT_CRLOUT, 's',
@@ -628,7 +631,7 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
     {(char **)&opt_no_cache_extracerts},
     {&opt_srvcertout}, {&opt_extracertsout}, {&opt_cacertsout},
     {&opt_oldwithold}, {&opt_newwithnew}, {&opt_newwithold}, {&opt_oldwithnew},
-    {&opt_oldcrl}, {&opt_crlout},
+    {&opt_crlcert}, {&opt_oldcrl}, {&opt_crlout},
 
     {&opt_ref}, {&opt_secret},
     {&opt_cert}, {&opt_own_trusted}, {&opt_key}, {&opt_keypass},
@@ -658,9 +661,9 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
     {&opt_srv_ref}, {&opt_srv_secret},
     {&opt_srv_cert}, {&opt_srv_key}, {&opt_srv_keypass},
     {&opt_srv_trusted}, {&opt_srv_untrusted},
-    {&opt_ref_cert}, {&opt_rsp_cert}, {&opt_rsp_crl}, {&opt_rsp_extracerts},
-    {&opt_rsp_capubs}, {&opt_rsp_newwithnew}, {&opt_rsp_newwithold},
-    {&opt_rsp_oldwithnew},
+    {&opt_ref_cert}, {&opt_rsp_cert}, {&opt_rsp_crl},
+    {&opt_rsp_extracerts}, {&opt_rsp_capubs},
+    {&opt_rsp_newwithnew}, {&opt_rsp_newwithold}, {&opt_rsp_oldwithnew},
 
     {(char **)&opt_poll_count}, {(char **)&opt_check_after},
     {(char **)&opt_grant_implicitconf},
@@ -1849,8 +1852,8 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
         (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_POPO_METHOD, opt_popo);
 
     if (opt_oldcert != NULL) {
-        if (opt_cmd == CMP_GENM && opt_infotype != NID_id_it_crlStatusList) {
-            CMP_warn("-oldcert option is ignored for 'genm' command except with -infotype crlStatusList");
+        if (opt_cmd == CMP_GENM) {
+            CMP_warn("-oldcert option is ignored for 'genm' command");
         } else {
             if (!setup_cert(ctx, opt_oldcert, opt_keypass,
                             /* needed if opt_oldcert is encrypted PKCS12 file */
@@ -2751,6 +2754,9 @@ static int get_opts(int argc, char **argv)
         case OPT_OLDWITHNEW:
             opt_oldwithnew = opt_str();
             break;
+        case OPT_CRLCERT:
+            opt_crlcert = opt_str();
+            break;
         case OPT_OLDCRL:
             opt_oldcrl = opt_str();
             break;
@@ -3172,37 +3178,45 @@ static int do_genm(OSSL_CMP_CTX *ctx)
         return res;
     } else if (opt_infotype == NID_id_it_crlStatusList) {
         X509_CRL *oldcrl = NULL, *crl = NULL;
+        X509 *crlcert = NULL;
         int res = 0;
         const char *desc = "CRL from genp of type 'crls'";
 
-        if (opt_oldcrl == NULL && opt_oldcert == NULL) {
-            CMP_err("Missing -oldcrl and no -oldcert given for -infotype crlStatusList");
+        if (opt_oldcrl == NULL && opt_crlcert == NULL) {
+            CMP_err("Missing -oldcrl and no -crlcert given for -infotype crlStatusList");
             return 0;
         }
         if (opt_crlout == NULL) {
             CMP_err("Missing -crlout for -infotype crlStatusList");
             return 0;
         }
 
+        if (opt_crlcert == NULL) {
+            CMP_warn("No -crlcert given, will use data from -oldcrl");
+        } else {
+            crlcert = load_cert_pwd(opt_crlcert, opt_otherpass,
+                                    "Cert for genm with -infotype crlStatusList");
+            if (crlcert == NULL)
+                goto end_crlupd;
+        }
+
         if (opt_oldcrl == NULL) {
-            CMP_warn("No -oldcrl given, will use data from -oldcert");
+            CMP_warn("No -oldcrl given, will use data from -crlcert");
         } else {
             oldcrl = load_crl(opt_oldcrl, FORMAT_UNDEF, 0,
                               "CRL for genm with -infotype crlStatusList");
             if (oldcrl == NULL)
                 goto end_crlupd;
         }
 
-        if (opt_oldcrl != NULL && opt_oldcert != NULL)
-        {
+        if (opt_oldcrl != NULL && opt_crlcert != NULL) {
             if (X509_NAME_cmp(X509_CRL_get_issuer(oldcrl),
-                              X509_get_issuer_name(OSSL_CMP_CTX_get0_oldCert(ctx)))
+                              X509_get_issuer_name(crlcert))
                 != 0)
                 CMP_warn("-oldcrl and -oldcert have different issuer");
         }
 
-        if (!OSSL_CMP_get1_crlUpdate(ctx, OSSL_CMP_CTX_get0_oldCert(ctx),
-                                     oldcrl, &crl))
+        if (!OSSL_CMP_get1_crlUpdate(ctx, crlcert, oldcrl, &crl))
             goto end_crlupd;
 
         if (crl == NULL) {
@@ -3215,6 +3229,7 @@ static int do_genm(OSSL_CMP_CTX *ctx)
         res = 1;
 
     end_crlupd:
+        X509_free(crlcert);
         X509_CRL_free(oldcrl);
         X509_CRL_free(crl);
         return res;