Commit 525a4f1efb for openssl.org
commit 525a4f1efbab0d3c2aff59ab8e671b8d9f35ddee
Author: Dr. David von Oheimb <dev@ddvo.net>
Date: Wed Oct 22 17:36:14 2025 +0200
cmp_vfy.c,doc/,test/: when trying to use cached CMP message sender cert, no more check its revocation and chain
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)
diff --git a/apps/include/cmp_mock_srv.h b/apps/include/cmp_mock_srv.h
index 215b95b744..d05f99ea04 100644
--- a/apps/include/cmp_mock_srv.h
+++ b/apps/include/cmp_mock_srv.h
@@ -19,6 +19,8 @@
OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx,
const char *propq);
void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx);
+OSSL_CMP_MSG *ossl_cmp_mock_server_perform(OSSL_CMP_CTX *ctx,
+ const OSSL_CMP_MSG *req);
int ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
@@ -34,6 +36,7 @@ int ossl_cmp_mock_srv_set1_oldWithNew(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
int fail_info, const char *text);
int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype);
+int ossl_cmp_mock_srv_set_useBadProtection(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype);
int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count);
int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec);
diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c
index 24c52b30de..caae0ae3b8 100644
--- a/apps/lib/cmp_mock_srv.c
+++ b/apps/lib/cmp_mock_srv.c
@@ -10,6 +10,7 @@
#include "apps.h"
#include "cmp_mock_srv.h"
+#include "../../crypto/cmp/cmp_local.h" /* for access to msg->protection */
#include <openssl/cmp.h>
#include <openssl/err.h>
@@ -28,6 +29,7 @@ typedef struct {
X509 *oldWithNew; /* to return in oldWithNew of rootKeyUpdate */
OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
int sendError; /* send error response on given request type */
+ int useBadProtection; /* use bad protection on given response type */
OSSL_CMP_MSG *req; /* original request message during polling */
int pollCount; /* number of polls before actual cert response */
int curr_pollCount; /* number of polls so far for current request */
@@ -59,6 +61,7 @@ static mock_srv_ctx *mock_srv_ctx_new(void)
goto err;
ctx->sendError = -1;
+ ctx->useBadProtection = -1;
/* all other elements are initialized to 0 or NULL, respectively */
return ctx;
@@ -187,6 +190,19 @@ int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype)
return 1;
}
+int ossl_cmp_mock_srv_set_useBadProtection(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype)
+{
+ mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
+
+ if (ctx == NULL) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
+ return 0;
+ }
+ /* might check bodytype, but this would require exporting all body types */
+ ctx->useBadProtection = bodytype;
+ return 1;
+}
+
int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count)
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
@@ -713,6 +729,25 @@ static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
return 1;
}
+OSSL_CMP_MSG *ossl_cmp_mock_server_perform(OSSL_CMP_CTX *ctx,
+ const OSSL_CMP_MSG *req)
+{
+ OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_CTX_get_transfer_cb_arg(ctx);
+ OSSL_CMP_MSG *rsp = OSSL_CMP_CTX_server_perform(ctx, req);
+
+ if (srv_ctx != NULL && rsp != NULL) {
+ mock_srv_ctx *mock_ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
+
+ if (mock_ctx != NULL && OSSL_CMP_MSG_get_bodytype(rsp) == mock_ctx->useBadProtection) {
+ ASN1_BIT_STRING *prot = rsp->protection;
+
+ if (prot != NULL && prot->length != 0 && prot->data != NULL)
+ prot->data[0] ^= 0x80; /* flip most significant bit of the first byte */
+ }
+ }
+ return rsp;
+}
+
OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
{
OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq);
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index 3e5973158d..8c6afa8607 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -140,6 +140,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
int time_left;
OSSL_CMP_transfer_cb_t transfer_cb = ctx->transfer_cb;
+ ctx->status = OSSL_CMP_PKISTATUS_trans;
#ifndef OPENSSL_NO_HTTP
if (transfer_cb == NULL)
transfer_cb = OSSL_CMP_MSG_http_perform;
@@ -166,7 +167,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
/* should print error queue since transfer_cb may call ERR_clear_error() */
OSSL_CMP_CTX_print_errors(ctx);
- if (ctx->server != NULL)
+ if (ctx->server != NULL || ctx->transfer_cb != NULL)
ossl_cmp_log1(INFO, ctx, "sending %s", req_type_str);
*rep = (*transfer_cb)(ctx, req);
@@ -180,6 +181,7 @@ static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
return 0;
}
+ ctx->status = OSSL_CMP_PKISTATUS_checking_response;
bt = OSSL_CMP_MSG_get_bodytype(*rep);
/*
* The body type in the 'bt' variable is not yet verified.
@@ -275,11 +277,15 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
"received 'waiting' PKIStatus, starting to poll for response");
*rep = NULL;
for (;;) {
+ int bak = ctx->status;
+
+ ctx->status = OSSL_CMP_PKISTATUS_request;
if ((preq = ossl_cmp_pollReq_new(ctx, rid)) == NULL)
goto err;
if (!send_receive_check(ctx, preq, &prep, OSSL_CMP_PKIBODY_POLLREP))
goto err;
+ ctx->status = bak;
/* handle potential pollRep */
if (OSSL_CMP_MSG_get_bodytype(prep) == OSSL_CMP_PKIBODY_POLLREP) {
@@ -335,6 +341,7 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
int64_t time_left = (int64_t)(ctx->end_time - exp - time(NULL));
if (time_left <= 0) {
+ ctx->status = OSSL_CMP_PKISTATUS_trans;
ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT);
goto err;
}
@@ -446,7 +453,9 @@ int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId,
OSSL_CMP_MSG *certConf;
OSSL_CMP_MSG *PKIconf = NULL;
int res = 0;
+ int bak = ctx->status;
+ ctx->status = OSSL_CMP_PKISTATUS_request;
/* OSSL_CMP_certConf_new() also checks if all necessary options are set */
certConf = ossl_cmp_certConf_new(ctx, certReqId, fail_info, txt);
if (certConf == NULL)
@@ -455,6 +464,9 @@ int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId,
res = send_receive_also_delayed(ctx, certConf, &PKIconf,
OSSL_CMP_PKIBODY_PKICONF);
+ if (res)
+ ctx->status = bak;
+
err:
OSSL_CMP_MSG_free(certConf);
OSSL_CMP_MSG_free(PKIconf);
@@ -470,6 +482,7 @@ int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info,
OSSL_CMP_MSG *PKIconf = NULL;
int res = 0;
+ ctx->status = OSSL_CMP_PKISTATUS_request;
/* not overwriting ctx->status on error exchange */
if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, txt)) == NULL)
goto err;
@@ -479,6 +492,7 @@ int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info,
res = send_receive_also_delayed(ctx, error,
&PKIconf, OSSL_CMP_PKIBODY_PKICONF);
+ ctx->status = OSSL_CMP_PKISTATUS_rejected_by_client;
err:
OSSL_CMP_MSG_free(error);
@@ -781,7 +795,7 @@ retry:
ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_ACCEPTED,
"rejecting newly enrolled cert with subject: %s; %s",
subj, txt);
- ctx->status = OSSL_CMP_PKISTATUS_rejection;
+ ctx->status = OSSL_CMP_PKISTATUS_rejected_by_client;
ret = 0;
}
OPENSSL_free(subj);
@@ -803,7 +817,6 @@ static int initial_certreq(OSSL_CMP_CTX *ctx,
if ((req = ossl_cmp_certreq_new(ctx, req_type, crm)) == NULL)
return 0;
- ctx->status = OSSL_CMP_PKISTATUS_trans;
res = send_receive_check(ctx, req, p_rep, rep_type);
OSSL_CMP_MSG_free(req);
return res;
@@ -909,7 +922,6 @@ int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
if ((rr = ossl_cmp_rr_new(ctx)) == NULL)
goto end;
- ctx->status = OSSL_CMP_PKISTATUS_trans;
if (!send_receive_also_delayed(ctx, rr, &rp, OSSL_CMP_PKIBODY_RP))
goto end;
@@ -1029,7 +1041,6 @@ STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx)
if ((genm = ossl_cmp_genm_new(ctx)) == NULL)
goto err;
- ctx->status = OSSL_CMP_PKISTATUS_trans;
if (!send_receive_also_delayed(ctx, genm, &genp, OSSL_CMP_PKIBODY_GENP))
goto err;
ctx->status = OSSL_CMP_PKISTATUS_accepted;
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index a28cafd704..0f161df1b6 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -380,13 +380,12 @@ err:
return valid;
}
+/* checks protection of msg but not cert revocation nor cert chain */
static int check_msg_given_cert(const OSSL_CMP_CTX *ctx, X509 *cert,
const OSSL_CMP_MSG *msg)
{
return cert_acceptable(ctx, "previously validated", "sender cert",
- cert, NULL, NULL, msg)
- && (check_cert_path(ctx, ctx->trusted, cert)
- || check_cert_path_3gpp(ctx, msg, cert));
+ cert, NULL, NULL, msg);
}
/*-
@@ -496,11 +495,13 @@ static int check_msg_find_cert(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
(void)ERR_set_mark();
ctx->log_cb = NULL; /* temporarily disable logging */
- /*
- * try first cached scrt, used successfully earlier in same transaction,
- * for validating this and any further msgs where extraCerts may be left out
- */
if (scrt != NULL) {
+ /*-
+ * try first using cached message sender cert (in 'scrt' variable),
+ * which was used successfully earlier in the same transaction
+ * (assuming that the certificate itself was not revoked meanwhile and
+ * is a good guess for use in validating also the current message)
+ */
if (check_msg_given_cert(ctx, scrt, msg)) {
ctx->log_cb = backup_log_cb;
(void)ERR_pop_to_mark();
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 13b5b895e3..d62afe61aa 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -736,9 +736,15 @@ implements a form of trust-on-first-use (TOFU).
=item B<-no_cache_extracerts>
Do not cache certificates in the extraCerts field of CMP messages received.
-By default, they are kept as they may be helful for validating further messages.
+By default, they are kept as they may be helpful for validating further messages.
This option applies to both CMP clients and the mock server.
+In any case, after successfully validating an incoming message, its protection
+certificate (if any) is cached for reuse with validation of subsequent messages.
+This is done not only for efficiency but also
+to eliminate the need for the sender to include its certificate and related chain
+in the extraCerts field of subsequent messages of the same transaction.
+
=item B<-srvcertout> I<filename>
The file where to save the successfully validated certificate, if any,
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index a99702b83a..6f40173b6e 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -361,6 +361,12 @@ implements a form of trust-on-first-use (TOFU).
Do not cache certificates received in the extraCerts CMP message field.
Otherwise they are stored to potentially help validate further messages.
+In any case, after successfully validating an incoming message, its protection
+certificate (if any) is cached for reuse with validation of subsequent messages.
+This is done not only for efficiency but also
+to eliminate the need for the sender to include its certificate and related chain
+in the extraCerts field of subsequent messages of the same transaction.
+
=back
OSSL_CMP_CTX_get_option() reads the current value of the given option
diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in
index 096fe41b19..639197eef3 100644
--- a/include/openssl/cmp.h.in
+++ b/include/openssl/cmp.h.in
@@ -197,6 +197,8 @@ typedef ASN1_BIT_STRING OSSL_CMP_PKIFAILUREINFO;
* -- CertReqMsg
* }
*/
+#define OSSL_CMP_PKISTATUS_rejected_by_client -5
+#define OSSL_CMP_PKISTATUS_checking_response -4
#define OSSL_CMP_PKISTATUS_request -3
#define OSSL_CMP_PKISTATUS_trans -2
#define OSSL_CMP_PKISTATUS_unspecified -1
diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c
index 50e3906fde..f080fe1615 100644
--- a/test/cmp_client_test.c
+++ b/test/cmp_client_test.c
@@ -35,7 +35,7 @@ static EVP_PKEY *server_key = NULL;
static X509 *server_cert = NULL;
static EVP_PKEY *client_key = NULL;
static X509 *client_cert = NULL;
-static unsigned char ref[CMP_TEST_REFVALUE_LENGTH];
+static unsigned char ref[CMP_TEST_REFVALUE_LENGTH]; /* not actually used */
/*
* For these unit tests, the client abandons message protection, and for
@@ -51,6 +51,30 @@ static void tear_down(CMP_SES_TEST_FIXTURE *fixture)
OPENSSL_free(fixture);
}
+static int set_simple_trust(OSSL_CMP_CTX *ctx, X509 *trusted)
+{
+ X509_STORE *ts = X509_STORE_new();
+ X509_VERIFY_PARAM *vpm;
+
+ /*
+ * not simply using OSSL_CMP_CTX_set1_srvCert() (to pin the server cert)
+ * in order to make sure that validated server cert gets cached,
+ * which is needed for the negative test case test_exec_KUR_bad_pkiConf_protection
+ */
+ if (ts == NULL || !X509_STORE_add_cert(ts, trusted))
+ goto err;
+
+ vpm = X509_STORE_get0_param(ts);
+ if (!X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME | X509_V_FLAG_PARTIAL_CHAIN)
+ || !OSSL_CMP_CTX_set0_trusted(ctx, ts))
+ goto err;
+
+ return 1;
+err:
+ X509_STORE_free(ts);
+ return 0;
+}
+
static CMP_SES_TEST_FIXTURE *set_up(const char *const test_case_name)
{
CMP_SES_TEST_FIXTURE *fixture;
@@ -70,15 +94,15 @@ static CMP_SES_TEST_FIXTURE *set_up(const char *const test_case_name)
goto err;
if (!TEST_ptr(fixture->cmp_ctx = ctx = OSSL_CMP_CTX_new(libctx, NULL))
|| !OSSL_CMP_CTX_set_log_cb(fixture->cmp_ctx, print_to_bio_out)
- || !OSSL_CMP_CTX_set_transfer_cb(ctx, OSSL_CMP_CTX_server_perform)
+ /* using default verbosity: OSSL_CMP_LOG_INFO */
+ || !OSSL_CMP_CTX_set_transfer_cb(ctx, ossl_cmp_mock_server_perform)
|| !OSSL_CMP_CTX_set_transfer_cb_arg(ctx, fixture->srv_ctx)
|| !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_SEND, 1)
- || !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS, 1)
|| !OSSL_CMP_CTX_set1_oldCert(ctx, client_cert)
|| !OSSL_CMP_CTX_set1_pkey(ctx, client_key)
/* client_key is by default used also for newPkey */
- || !OSSL_CMP_CTX_set1_srvCert(ctx, server_cert)
- || !OSSL_CMP_CTX_set1_referenceValue(ctx, ref, sizeof(ref)))
+ || !set_simple_trust(ctx, server_cert)
+ || !OSSL_CMP_CTX_set1_referenceValue(ctx, ref, sizeof(ref))) /* not actually needed */
goto err;
fixture->req_type = -1;
return fixture;
@@ -143,9 +167,7 @@ static int execute_exec_certrequest_ses_test(CMP_SES_TEST_FIXTURE *fixture)
int status = OSSL_CMP_CTX_get_status(ctx);
print_errors_PKIStatusInfo(ctx);
- if (!TEST_int_eq(status, fixture->expected)
- && !(fixture->expected == OSSL_CMP_PKISTATUS_waiting
- && TEST_int_eq(status, OSSL_CMP_PKISTATUS_trans)))
+ if (!TEST_int_eq(status, fixture->expected))
return 0;
if (fixture->expected != OSSL_CMP_PKISTATUS_accepted)
return TEST_ptr_null(res);
@@ -249,9 +271,9 @@ static int test_exec_IR_ses_poll_no_timeout(void)
static int test_exec_IR_ses_poll_total_timeout(void)
{
- return !test_exec_REQ_ses_poll(OSSL_CMP_PKIBODY_IR, checkAfter,
+ return test_exec_REQ_ses_poll(OSSL_CMP_PKIBODY_IR, checkAfter,
3 /* pollCount */, checkAfter + 4,
- OSSL_CMP_PKISTATUS_waiting);
+ OSSL_CMP_PKISTATUS_trans);
}
static int test_exec_CR_ses(int implicit_confirm, int granted, int reject)
@@ -281,7 +303,9 @@ static int test_exec_CR_ses_implicit_confirm(void)
&& test_exec_CR_ses(1, 1 /* granted */, 0);
}
-static int test_exec_KUR_ses(int transfer_error, int pubkey, int raverified)
+/* the KUR transactions include certConf/pkiConf */
+static int test_exec_KUR_ses(int transfer_error, int server_use_bad_protection,
+ int pubkey, int raverified)
{
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
fixture->req_type = OSSL_CMP_PKIBODY_KUR;
@@ -289,6 +313,8 @@ static int test_exec_KUR_ses(int transfer_error, int pubkey, int raverified)
if (transfer_error)
OSSL_CMP_CTX_set_transfer_cb_arg(fixture->cmp_ctx, NULL);
+ (void)ossl_cmp_mock_srv_set_useBadProtection(fixture->srv_ctx, server_use_bad_protection);
+
if (pubkey) {
EVP_PKEY *key = raverified /* wrong key */ ? server_key : client_key;
@@ -301,7 +327,8 @@ static int test_exec_KUR_ses(int transfer_error, int pubkey, int raverified)
if (pubkey || raverified)
OSSL_CMP_CTX_set_option(fixture->cmp_ctx, OSSL_CMP_OPT_POPO_METHOD,
OSSL_CRMF_POPO_RAVERIFIED);
- fixture->expected = transfer_error ? OSSL_CMP_PKISTATUS_trans : raverified ? OSSL_CMP_PKISTATUS_rejection
+ fixture->expected = transfer_error ? OSSL_CMP_PKISTATUS_trans : raverified ? (pubkey ? OSSL_CMP_PKISTATUS_rejected_by_client : OSSL_CMP_PKISTATUS_rejection)
+ : server_use_bad_protection != -1 ? OSSL_CMP_PKISTATUS_checking_response
: OSSL_CMP_PKISTATUS_accepted;
EXECUTE_TEST(execute_exec_certrequest_ses_test, tear_down);
return result;
@@ -309,18 +336,23 @@ static int test_exec_KUR_ses(int transfer_error, int pubkey, int raverified)
static int test_exec_KUR_ses_ok(void)
{
- return test_exec_KUR_ses(0, 0, 0);
+ return test_exec_KUR_ses(0, -1, 0, 0);
}
static int test_exec_KUR_ses_transfer_error(void)
{
- return test_exec_KUR_ses(1, 0, 0);
+ return test_exec_KUR_ses(1, -1, 0, 0);
+}
+
+static int test_exec_KUR_bad_pkiConf_protection(void)
+{
+ return test_exec_KUR_ses(0, OSSL_CMP_PKIBODY_PKICONF, 0, 0);
}
static int test_exec_KUR_ses_wrong_popo(void)
{
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION /* cf ossl_cmp_verify_popo() */
- return test_exec_KUR_ses(0, 0, 1);
+ return test_exec_KUR_ses(0, -1, 0, 1);
#else
return 1;
#endif
@@ -328,12 +360,12 @@ static int test_exec_KUR_ses_wrong_popo(void)
static int test_exec_KUR_ses_pub(void)
{
- return test_exec_KUR_ses(0, 1, 0);
+ return test_exec_KUR_ses(0, -1, 1, 0);
}
static int test_exec_KUR_ses_wrong_pub(void)
{
- return test_exec_KUR_ses(0, 1, 1);
+ return test_exec_KUR_ses(0, -1, 1, 1);
}
static int test_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
@@ -355,7 +387,7 @@ static int test_exec_P10CR_ses(int reject)
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
fixture->req_type = OSSL_CMP_PKIBODY_P10CR;
- fixture->expected = reject ? OSSL_CMP_PKISTATUS_rejection
+ fixture->expected = reject ? OSSL_CMP_PKISTATUS_rejected_by_client
: OSSL_CMP_PKISTATUS_accepted;
ctx = fixture->cmp_ctx;
if (!TEST_ptr(csr = load_csr_der(pkcs10_f, libctx))
@@ -451,7 +483,7 @@ static int test_exec_GENM_ses_poll_total_timeout(void)
{
return test_exec_REQ_ses_poll(OSSL_CMP_PKIBODY_GENM, checkAfter,
3 /* pollCount */, checkAfter + 2,
- OSSL_CMP_PKISTATUS_waiting);
+ OSSL_CMP_PKISTATUS_trans);
}
static int test_exec_GENM_ses(int transfer_error, int total_timeout, int expect)
@@ -561,7 +593,7 @@ int setup_tests(void)
|| !TEST_ptr(server_cert = load_cert_pem(server_cert_f, libctx))
|| !TEST_ptr(client_key = load_pkey_pem(client_key_f, libctx))
|| !TEST_ptr(client_cert = load_cert_pem(client_cert_f, libctx))
- || !TEST_int_eq(1, RAND_bytes_ex(libctx, ref, sizeof(ref), 0))) {
+ || !TEST_int_eq(1, RAND_bytes_ex(libctx, ref, sizeof(ref), 0))) { /* not actually used */
cleanup_tests();
return 0;
}
@@ -577,6 +609,7 @@ int setup_tests(void)
ADD_TEST(test_exec_IR_ses_poll_total_timeout);
ADD_TEST(test_exec_KUR_ses_ok);
ADD_TEST(test_exec_KUR_ses_transfer_error);
+ ADD_TEST(test_exec_KUR_bad_pkiConf_protection);
ADD_TEST(test_exec_KUR_ses_wrong_popo);
ADD_TEST(test_exec_KUR_ses_pub);
ADD_TEST(test_exec_KUR_ses_wrong_pub);
diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv
index fa13bb5ca9..9e77baa4b1 100644
--- a/test/recipes/80-test_cmp_http_data/test_commands.csv
+++ b/test/recipes/80-test_cmp_http_data/test_commands.csv
@@ -148,6 +148,6 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
1, using popo -1 redundantly with -centralkeygen, -section,, -cmd,cr,, -centralkeygen, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout2.pem
1, using popo -1 alternatively to -centralkeygen, -section,, -cmd,cr,, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout3.pem, -newkeypass,pass:12345, -certout,_RESULT_DIR/test.cert3.pem
1, using centrally generated key (and cert) with existing chain, -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:12345, -extracerts, issuing.crt
-0, using centrally generated key (and cert) missing chain, -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:12345, -extracerts, ""
+1, using centrally generated key (and cert) without giving chain (requires sender cert caching), -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:12345, -extracerts, ""
0, using centrally generated key with wrong password, -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:wrong
0, using popo -1 (instead of -centralkeygen) without -newkeyout, -section,, -cmd,cr,, -popo,-1,,BLANK,,BLANK,,BLANK,,BLANK