OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR settable with openssl cmp client #27888

@Krisscut

Hi !

After checking the code/documentation, it seems the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR cannot be set using a specific option in the openssl cmp client.

It can only be set using the lib and the call:
OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR, 1);

I see there is a discussion opened about it here:
#25586

and this option was also mentioned here:
#23706

I feel like, reading these as well as the documentation (extract below), the hiding of this option is intended to avoid wrong usage.
But in my case, I wanted to use the openssl client as it is, but I can't, because I can't provide a trusted certificate: I receive the recipient CA on the fly, I don't know it beforehand, and it won't necessarily have a chain to a root CA that I could commission. So I need to trust what I receive.

If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling OSSL_CMP_CTX_set_option(3), for an Initialization Response (IP) message any self-issued certificate from the msg extraCerts field may be used as a trust anchor for the path verification of an 'acceptable' cert if it can be used also to validate the issued certificate returned in the IP message. This is according to TS 33.310 [Network Domain Security (NDS); Authentication Framework (AF)] document specified by The 3rd Generation Partnership Project (3GPP). Note that using this option is dangerous as the certificate obtained this way has not been authenticated (at least not at CMP level). Taking it over as a trust anchor implements trust-on-first-use (TOFU).

Is it possible to introduce a new CLI/config option -tofu, like the option -unprotected_errors?

Labels: branch: master (Applies to master branch); triaged: feature (The issue/pr requests/adds a feature)