diff options
Diffstat (limited to 'crypto/cmp/cmp_protect.c')
-rw-r--r-- | crypto/cmp/cmp_protect.c | 47 |
1 files changed, 26 insertions, 21 deletions
diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c index b65de09..6313cc9 100644 --- a/crypto/cmp/cmp_protect.c +++ b/crypto/cmp/cmp_protect.c @@ -139,32 +139,37 @@ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) && (msg->extraCerts = sk_X509_new_null()) == NULL) return 0; - if (ctx->cert != NULL && ctx->pkey != NULL) { - /* make sure that our own cert is included in the first position */ - if (!X509_add_cert(msg->extraCerts, ctx->cert, - X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP - | X509_ADD_FLAG_PREPEND)) - return 0; - /* if we have untrusted certs, try to add intermediate certs */ - if (ctx->untrusted != NULL) { - STACK_OF(X509) *chain; - int res; + /* Add first ctx->cert and its chain if using signature-based protection */ + if (!ctx->unprotectedSend && ctx->secretValue == NULL) { + int flags_prepend = X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP + | X509_ADD_FLAG_PREPEND | X509_ADD_FLAG_NO_SS; + /* if not yet done try to build chain using available untrusted certs */ + if (ctx->chain == NULL) { ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert"); - chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, NULL, - ctx->untrusted, ctx->cert); - res = X509_add_certs(msg->extraCerts, chain, - X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP - | X509_ADD_FLAG_NO_SS); - sk_X509_pop_free(chain, X509_free); - if (res == 0) { - ossl_cmp_err(ctx, - "could not build chain for own CMP signer cert"); - return 0; + ctx->chain = + ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, NULL, + ctx->untrusted, ctx->cert); + if (ctx->chain != NULL) { + ossl_cmp_debug(ctx, + "success building chain for own CMP signer cert"); + } else { + /* dump errors to avoid confusion when printing further ones */ + OSSL_CMP_CTX_print_errors(ctx); + ossl_cmp_warn(ctx, + "could not build chain for own CMP signer cert"); } + } + if (ctx->chain != NULL) { + if (!X509_add_certs(msg->extraCerts, ctx->chain, flags_prepend)) + return 0; + } else { + /* make sure that at least our own signer cert is included first */ + if (!X509_add_cert(msg->extraCerts, ctx->cert, flags_prepend)) + return 0; ossl_cmp_debug(ctx, - "succeeded building chain for own CMP signer cert"); + "fallback: adding just own CMP signer cert"); } } |