Users or applications using the library should not be bothered with certificates needed only for checking the protection of CMP messages received. One could modify CMP_CTX_extraCertsIn_get1()
not to return such certificates, or add a new function called, e.g., CMP_CTX_get1_newClChain()
that returns only the relevant portion of the extraCerts received.
This has been requested originally by Hendrik Brockhaus.
Generally one should be careful how to implement that. It should likely best also consider potential x-signing and therefore not only include the chain to the currently used trust anchor but also incomplete potentially possible branches.
Proposal for implementation within the library taking into account Martin's comment:
When returning the extraCerts received, exclude those certificates that have been used for validating the CMP message protection but are not needed for validating the newly enrolled certificate.
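As an added illustration of the selection rule discussed above (this is not code from CMPforOpenSSL or from any of the commenters), the following Python models the filtering of extraCerts independently of OpenSSL: starting from the newly enrolled certificate, it walks issuer links upward and keeps every received certificate that lies on some possible branch towards a trust anchor. Because selection is by reachability from the new certificate rather than by exclusion of the protection chain, cross-signed intermediates (same subject, different issuers) are all kept, a branch whose root is not present is kept as an incomplete but possible branch, and certificates that are only on the CMP protection chain drop out, even when they hang off the same root. Certificates are modelled as plain subject/issuer name records and all sample data is constructed; a real implementation inside the library would match on X509 objects (e.g. with X509_check_issued() and authority key identifiers) instead of comparing name strings.

```python
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X509: a label for readability plus subject and issuer names."""
    label: str
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def enrollment_chain_certs(new_cert: Cert, extra_certs: List[Cert],
                           trust_anchors: FrozenSet[str]) -> List[Cert]:
    """Return the subset of extra_certs that can take part in a chain for new_cert.

    A received certificate is selected if its subject is the issuer of new_cert or of an
    already selected certificate. All matches for a subject are kept, so cross-signed
    intermediates yield several branches; expansion stops at self-signed certificates and
    at trust anchor names, but a branch whose issuer is simply absent is still kept
    (it may complete against a trust anchor the caller has and we do not know about).
    Anything not reachable this way, e.g. the CMP server certificate and its issuer,
    is left out. The input order of extra_certs is preserved in the result.
    """
    wanted_subjects = {new_cert.issuer}
    selected = set()
    changed = True
    while changed:                       # fixpoint: stop when a pass selects nothing new
        changed = False
        for cert in extra_certs:
            if cert in selected or cert.subject not in wanted_subjects:
                continue
            selected.add(cert)
            changed = True
            if not cert.is_self_signed() and cert.subject not in trust_anchors:
                wanted_subjects.add(cert.issuer)   # keep walking upward on this branch
    return [cert for cert in extra_certs if cert in selected]


# Constructed sample data (hypothetical names, not taken from any real deployment).
NEW_CERT = Cert("EE", "CN=Device 42", "CN=Sub CA A")
EXTRA_CERTS = [
    Cert("SubCA-A/RootA", "CN=Sub CA A", "CN=Root A"),    # regular intermediate
    Cert("SubCA-A/RootB", "CN=Sub CA A", "CN=Root B"),    # cross-signed twin; Root B not present
    Cert("RootA", "CN=Root A", "CN=Root A"),              # self-signed root shipped along
    Cert("CMP-Server", "CN=CMP Server", "CN=CMP Sub CA"), # only validates message protection
    Cert("CMP-SubCA", "CN=CMP Sub CA", "CN=Root A"),      # same root, but not above the EE
]
TRUST_ANCHORS = frozenset({"CN=Root A"})


def demo() -> List[str]:
    """Labels of the extraCerts an application would get back for the sample enrollment."""
    return [c.label for c in enrollment_chain_certs(NEW_CERT, EXTRA_CERTS, TRUST_ANCHORS)]


if __name__ == "__main__":
    print(demo())   # ['SubCA-A/RootA', 'SubCA-A/RootB', 'RootA']
```

Note that CMP-SubCA is issued by the same Root A as the enrollment chain, yet it is excluded: what matters is whether a certificate sits above the newly enrolled certificate, not whether it shares a root with it. Conversely SubCA-A/RootB survives although no Root B is anywhere in sight, which is the "incomplete potentially possible branch" from the comment above.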