From 6b326fc396d203d84f5461a0025495dfef88e1e8 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Thu, 30 Apr 2020 19:38:58 +0200
Subject: [PATCH] Improve CMP documentation regarding use of untrusted certs

Reviewed-by: Matt Caswell
Reviewed-by: David von Oheimb
(Merged from https://github.com/openssl/openssl/pull/11470)
---
 apps/cmp.c | 2 +-
 doc/man1/openssl-cmp.pod.in | 2 +-
 doc/man3/OSSL_CMP_CTX_new.pod | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/apps/cmp.c b/apps/cmp.c
index 24a7fcbe6c..1e4642d466 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -619,7 +619,7 @@ const OPTIONS cmp_options[] = {
 {"srv_trusted", OPT_SRV_TRUSTED, 's',
 "Trusted certificates for client authentication"},
 {"srv_untrusted", OPT_SRV_UNTRUSTED, 's',
- "Intermediate certs for constructing chains for CMP protection by client"},
+ "Intermediate certs that may be useful for verifying CMP protection"},
 {"rsp_cert", OPT_RSP_CERT, 's',
 "Certificate to be returned as mock enrollment result"},
 {"rsp_extracerts", OPT_RSP_EXTRACERTS, 's',
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index b746d26c33..a99391ac6d 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -889,7 +889,7 @@ Trusted certificates for client authentication.
 
 =item B<-srv_untrusted> I
 
-Intermediate certs for constructing chains for CMP protection by client.
+Intermediate CA certs that may be useful when verifying client certificates.
 
 =item B<-rsp_cert> I
 
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index 1bc9ef8cd0..b9b8ffb2e0 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
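Review bot: The new help string for -srv_untrusted in apps/cmp.c, `"Intermediate certs that may be useful for verifying CMP protection"`, does not match what this same commit says about the option in doc/man1/openssl-cmp.pod.in, `Intermediate CA certs that may be useful when verifying client certificates`, so `openssl cmp -help` and the man page will describe the option differently. The mock server presumably uses these certs only as untrusted path-construction material for the client certificate, never as trust anchors (-srv_trusted is the separate option for that), and the help text should say which verification they feed so users do not pass CA certs they intended to trust here. I would align the help text with the man page while staying within an 80-column line, e.g. `"Intermediate CA certs that may be useful when verifying client certs"`. The enclosing cmp_options[] array starts and ends outside the hunk.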
@@ -403,13 +403,13 @@ parameter the entry is cleared.
 OSSL_CMP_CTX_get0_trustedStore() returns a pointer to the certificate store containing trusted root CA certificates, which may be empty if unset.
 
-OSSL_CMP_CTX_set1_untrusted_certs() takes over a list of certificates containing
-non-trusted intermediate certs used for path construction in authentication
-of the CMP server and potentially others (TLS server, newly enrolled cert).
+OSSL_CMP_CTX_set1_untrusted_certs() sets up a list of non-trusted certificates
+of intermediate CAs that may be useful for path construction when authenticating
+the CMP server and when verifying newly enrolled certificates.
 The reference counts of those certificates handled successfully are increased.
 
 OSSL_CMP_CTX_get0_untrusted_certs(OSSL_CMP_CTX *ctx) returns a pointer to the
-list of untrusted certs, which my be empty if unset.
+list of untrusted certs, which may be empty if unset.
 
 OSSL_CMP_CTX_set1_clCert() sets the client certificate in the given B. The public key of this B must correspond to
-- 
2.25.1