
#43 Output only those certs from extraCerts useful for validating the newly enrolled cert

Group: Version 2
Status: open
Owner: None
Priority: 5
Updated: 2018-01-09
Created: 2017-12-18
Private: No

Users or applications using the library should not be bothered with certificates needed only for checking the protection of CMP messages received. One could modify CMP_CTX_extraCertsIn_get1() not to return such certificates, or add a new function called, e.g., CMP_CTX_get1_newClChain() that returns only the relevant portion of the extraCerts received.

This has been requested originally by Hendrik Brockhaus.

Discussion

  • Martin Peylo - 2017-12-18

    Generally one should be careful how to implement that. It should likely best also consider potential x-signing and therefore not only include the chain to the currently used trust anchor but also incomplete potentially possible branches.

  • David von Oheimb

    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,2 +1,5 @@
    -This has been requested by Hendrik Brockhaus. 
    -It can be implemented essentially by extending certConf_cb().
    +Users or applications using the library should not be bothered with certificates needed only for protecting CMP messages.
    +
    +This be implemented essentially by extending certConf_cb().
    +
    +This has been requested originally by Hendrik Brockhaus. 
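    Review bot: the added line `+This be implemented essentially by extending certConf_cb().` lost its verb when the old sentence was split into two; suggest `This can be implemented essentially by extending certConf_cb().`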
  • David von Oheimb

    Proposal for implementation within the library taking into account Martin's comment:

    When returning the extraCerts received, exclude those certificates that have been used for validating the CMP message protection but are not needed for validating the newly enrolled certificate.
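    One way to realise this proposal while honouring Martin's cross-signing caveat, as an added illustration that is not code from the library discussed here: certificates are modelled by subject and issuer name only (a constructed stand-in for real X.509 name matching), the sample extraCerts are made up, and every cert reachable upward from the newly enrolled cert is kept, including parallel cross-signed branches, while certs that only validated the message protection are dropped.

```c
#include <string.h>

/* Constructed model: a certificate reduced to the two names the chain walk needs. */
typedef struct { const char *subject; const char *issuer; } cert_t;
#define MAX_CERTS 16

/* Mark each cert in extra[] that can sit on some issuer chain above `leaf`.
 * Breadth-first upward walk following every cert whose subject matches a wanted
 * issuer name, so all cross-signed branches are kept; certs unreachable from the
 * leaf (e.g. those only validating the CMP message protection) stay unmarked.
 * Returns the number of certs kept. */
int select_chain_certs(const cert_t *leaf, const cert_t *extra, int n, int keep[])
{
    const char *want[MAX_CERTS]; /* issuer names still to be resolved */
    int head = 0, tail = 0, kept = 0, i, j;
    for (i = 0; i < n; i++) keep[i] = 0;
    want[tail++] = leaf->issuer;
    while (head < tail) {
        const char *name = want[head++];
        for (i = 0; i < n; i++) {
            if (keep[i] || strcmp(extra[i].subject, name) != 0) continue;
            keep[i] = 1; kept++;
            if (strcmp(extra[i].issuer, extra[i].subject) == 0) continue; /* self-signed */
            for (j = 0; j < tail && strcmp(want[j], extra[i].issuer) != 0; j++) {}
            if (j == tail && tail < MAX_CERTS) want[tail++] = extra[i].issuer; /* queue once */
        }
    }
    return kept;
}

/* Constructed sample: the enrolled leaf plus extraCerts a CMP response might carry. */
static const cert_t leaf = { "CN=Device 42", "CN=Enrollment CA" };
static const cert_t extra[] = {
    { "CN=Enrollment CA", "CN=Root A" }, /* issuer of the new cert         */
    { "CN=Enrollment CA", "CN=Root B" }, /* cross-signed copy: also kept   */
    { "CN=Root A",        "CN=Root A" }, /* self-signed anchor             */
    { "CN=CMP Server",    "CN=Ops CA" }, /* only signed the CMP message    */
    { "CN=Ops CA",        "CN=Root A" }, /* only needed for that signature */
};
#define N_EXTRA ((int)(sizeof extra / sizeof extra[0]))

/* Runs the selection on the sample; returns the kept count and fills keep[]. */
int demo_select(int keep[]) { return select_chain_certs(&leaf, extra, N_EXTRA, keep); }
/* Kept count of the sample, without needing a caller-supplied array. */
int demo_kept_count(void) { int keep[N_EXTRA]; return demo_select(keep); }
/* Keep flag of sample cert i (1 = kept, 0 = dropped). */
int demo_keep_flag(int i) { int keep[N_EXTRA]; demo_select(keep); return keep[i]; }
```

    On the sample, three of the five extraCerts survive: both Enrollment CA certificates and the Root A anchor, while the CMP server certificate and its Ops CA issuer are dropped.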

  • David von Oheimb

    • summary: Add option to output only those certs from extraCertsOut useful for validating the newly enrolled cert --> Add option to output only those certs from extraCerts useful for validating the newly enrolled cert
  • David von Oheimb

    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,5 +1,3 @@
    -Users or applications using the library should not be bothered with certificates needed only for protecting CMP messages.
    -
    -This be implemented essentially by extending certConf_cb().
    +Users or applications using the library should not be bothered with certificates needed only for checking the protection of CMP messages received. One could modifiy `CMP_CTX_extraCertsIn_get1()` not to return such such certifiactes, or add a new function called, e.g., `CMP_CTX_get1_newClChain()` that returns only the relavant portion of the extraCerts received. 
    
     This has been requested originally by Hendrik Brockhaus. 
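    Review bot: the new description line carries several typos (`modifiy`, `such such`, `certifiactes`, `relavant`); suggest `modify`, `such`, `certificates` and `relevant` so the wording is clean before it is reused in the summary or documentation.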
  • David von Oheimb

    • summary: Add option to output only those certs from extraCerts useful for validating the newly enrolled cert --> Output only those certs from extraCerts useful for validating the newly enrolled cert
    • Group: Upstream submission --> Version 2
