Skip to content

Commit

Permalink
OSSL_CMP_{validate_msg,CTX_new}.pod: add warning notes on OSSL_CMP_OP…
Browse files Browse the repository at this point in the history
…T_PERMIT_TA_IN_EXTRACERTS_FOR_IR

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
(Merged from openssl#23814)

(cherry picked from commit 40948c4)
  • Loading branch information
DDvO committed Jun 17, 2024
1 parent 9283c2b commit b38ebb3
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 2 deletions.
5 changes: 5 additions & 0 deletions doc/man3/OSSL_CMP_CTX_new.pod
Original file line number Diff line number Diff line change
Expand Up @@ -340,6 +340,11 @@ RFC 4210.

Allow retrieving a trust anchor from extraCerts and using that
to validate the certificate chain of an IP message.
This is a quirk option added to support 3GPP TS 33.310.

Note that using this option is dangerous as the certificate obtained
this way has not been authenticated (at least not at CMP level).
Taking it over as a trust anchor implements trust-on-first-use (TOFU).

=back

Expand Down
7 changes: 5 additions & 2 deletions doc/man3/OSSL_CMP_validate_msg.pod
Original file line number Diff line number Diff line change
Expand Up @@ -42,11 +42,14 @@ using any trust store set via L<OSSL_CMP_CTX_set0_trusted(3)>.

If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling
L<OSSL_CMP_CTX_set_option(3)>, for an Initialization Response (IP) message
any self-issued certificate from the I<msg> extraCerts field may also be used
as trust anchor for the path verification of an acceptable cert if it can be
any self-issued certificate from the I<msg> extraCerts field may be used
as a trust anchor for the path verification of an 'acceptable' cert if it can be
used also to validate the issued certificate returned in the IP message. This is
according to TS 33.310 [Network Domain Security (NDS); Authentication Framework
(AF)] document specified by the The 3rd Generation Partnership Project (3GPP).
Note that using this option is dangerous as the certificate obtained this way
has not been authenticated (at least not at CMP level).
Taking it over as a trust anchor implements trust-on-first-use (TOFU).

Any cert that has been found as described above is cached and tried first when
validating the signatures of subsequent messages in the same transaction.
Expand Down

0 comments on commit b38ebb3

Please sign in to comment.