Extend usability of `CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR` quirk by DDvO · Pull Request #28015 · openssl/openssl

DDvO · 2025-07-10T15:48:16Z

As requested in #27888, allow setting the quirk option CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR,
which had been added for special 3GPP support, also from the cmp app.
~~Yet as discussed there, not doing this by default: only if OPENSSL_CMP_APP_ALLOW_UNSAFE is defined at compile time.~~

Also make sure that with this quirk option, the new TA(s) are used for whole transaction (also pkiconf)
and update and slightly improve its doc.

Copilot

Pull Request Overview

This PR exposes the CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR quirk in the openssl cmp CLI (behind a compile‐time guard), ensures newly accepted trust anchors persist through the full transaction, and updates the related documentation.

Expose -ta_in_ip_extracerts CLI switch when built with OPENSSL_CMP_APP_ALLOW_UNSAFE
Persist self–issued extraCerts as trust anchors across all CMP messages in a transaction
Revise and expand documentation for the 3GPP TS 33.310 quirk option

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
doc/man3/OSSL_CMP_CTX_new.pod	Expanded and clarified the behavior of the `PERMIT_TA_IN_EXTRACERTS_FOR_IR` option.
doc/man1/openssl-cmp.pod.in	Added `-ta_in_ip_extracerts` flag, its description, and version note behind a guard.
crypto/cmp/cmp_vfy.c	After initial validation, cache self–issued extraCerts into the trust store for further messages.
apps/cmp.c	Introduced `opt_ta_in_ip_extracerts` under `OPENSSL_CMP_APP_ALLOW_UNSAFE` and wired it into context setup and option parsing.

Comments suppressed due to low confidence (1)

apps/cmp.c:90

[nitpick] Consider adding a test case for the new -ta_in_ip_extracerts CLI flag to verify it correctly enables CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR in the context.

#ifdef OPENSSL_CMP_APP_ALLOW_UNSAFE

doc/man3/OSSL_CMP_CTX_new.pod

doc/man1/openssl-cmp.pod.in

crypto/cmp/cmp_vfy.c

shahsb

Consider adding a CMP_CTX_clear_extra_certs_cache(ctx) API for explicit cleanup (though not required in this PR).

crypto/cmp/cmp_vfy.c

DDvO · 2025-07-28T07:16:52Z

Consider adding a CMP_CTX_clear_extra_certs_cache(ctx) API for explicit cleanup (though not required in this PR).

I do not see the need for this. The extraCertsIn field in the CMP context will be filled from the extraCerts of the first response message in a transaction.
When reusing a CMP context for a further transaction, anyway OSSL_CMP_CTX_reinit() needs to be called, which clear it.

openssl-machine · 2025-08-28T00:09:52Z

This PR is in a state where it requires action by @openssl/committers but the last update was 30 days ago

openssl-machine · 2025-09-28T00:09:19Z

This PR is in a state where it requires action by @openssl/committers but the last update was 61 days ago

doc/man1/openssl-cmp.pod.in

DDvO · 2025-10-20T07:55:45Z

Rebased on latest master, also auto-squashing the fixup commits, which IMO are not of interest for reviewers.

DDvO · 2025-10-20T10:10:26Z

I suppose the new CIFuzz failure is unrelated.
Looks like in this case I better should not have rebased on bleeding-edge master.

apps/cmp.c

DDvO · 2025-10-20T16:19:59Z

Looks like in this case I better should not have rebased on bleeding-edge master.

While following the latest reviewer suggestion, rebased again to hopefully get rid of the recent unrelated CI fuzz failure.

DDvO · 2025-10-24T06:06:49Z

@t8m did you see that I followed your change suggestion?
Would be nice if you can approve now.

openssl-machine · 2025-11-24T00:10:29Z

This PR is in a state where it requires action by @openssl/committers but the last update was 30 days ago

DDvO · 2025-12-03T10:31:26Z

Rebased to fix simple merge conflict.

Ping @t8m for checking the requested changes done and approval

DDvO · 2025-12-03T11:14:35Z

Windoze CI failures are unrelated.

DDvO · 2025-12-05T08:00:34Z

Rebased to fix simple doc merge conflict and removed from here the addtion
if (OSSL_CMP_MSG_get_bodytype(msg) == OSSL_CMP_PKIBODY_IP) in cmp_vfy.c
because this is now covered by #29302.

DDvO · 2025-12-05T08:03:51Z

@t8m et al., can we please now get this PR done as well.

This will close #27888, and user @Krisscut is waiting for it.

DDvO · 2025-12-08T08:30:23Z

Asking again @openssl/committers for 2nd approval.

beldmit

LGTM

openssl-machine · 2025-12-09T09:01:19Z

This pull request is ready to merge

…transaction (also pkiconf); update doc

…st anchors in IP extracerts according to 3GPP TS 33.310 Fixes openssl#27888

DDvO · 2025-12-09T15:26:06Z

Unfortunately, this PR suffered from merge conflicts a few hours before it was allowed to get merged
due to the overall code re-formatting that took place this morning.

Moreover, now ./util/check-format-commit.sh, which is still in use for the CI, is of course unhappy with the new coding style.

Are re-approvals required here?

t8m · 2025-12-11T11:27:51Z

I do not think we need re-approvals. New coding style check passes.

t8m · 2025-12-11T11:29:20Z

Merged to the master branch. Thank you for your contribution.

…transaction (also pkiconf); update doc Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #28015)

…st anchors in IP extracerts according to 3GPP TS 33.310 Fixes #27888 Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #28015)

…transaction (also pkiconf); update doc Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#28015)

…st anchors in IP extracerts according to 3GPP TS 33.310 Fixes openssl#27888 Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#28015)

DDvO added branch: master Applies to master branch approval: review pending This pull request needs review by a committer triaged: feature The issue/pr requests/adds a feature tests: exempted The PR is exempt from requirements for testing labels Jul 10, 2025

DDvO requested a review from Copilot July 10, 2025 15:51

This comment was marked as outdated.

Sign in to view

DDvO requested a review from Copilot July 10, 2025 15:51

Copilot AI reviewed Jul 10, 2025

View reviewed changes

doc/man3/OSSL_CMP_CTX_new.pod Outdated Show resolved Hide resolved

doc/man1/openssl-cmp.pod.in Outdated Show resolved Hide resolved

crypto/cmp/cmp_vfy.c Outdated Show resolved Hide resolved

DDvO force-pushed the fix_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR branch from 0237d1f to 8d5a972 Compare July 10, 2025 16:05

shahsb reviewed Jul 15, 2025

View reviewed changes

crypto/cmp/cmp_vfy.c Outdated Show resolved Hide resolved

DDvO requested a review from t8m October 16, 2025 18:24

t8m requested changes Oct 17, 2025

View reviewed changes

doc/man1/openssl-cmp.pod.in Outdated Show resolved Hide resolved

DDvO force-pushed the fix_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR branch from b16efa8 to 02e2081 Compare October 20, 2025 07:53

t8m reviewed Oct 20, 2025

View reviewed changes

apps/cmp.c Outdated Show resolved Hide resolved

DDvO force-pushed the fix_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR branch from 02e2081 to 34a0e0b Compare October 20, 2025 16:17

DDvO requested a review from t8m October 22, 2025 06:06

DDvO force-pushed the fix_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR branch from 34a0e0b to 407b440 Compare December 3, 2025 10:30

loci-dev mentioned this pull request Dec 3, 2025

UPSTREAM PR #28015: Extend usability of CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR quirk auroralabs-loci/openssl#151

Open

DDvO mentioned this pull request Dec 3, 2025

Segfault validating CMP pkiConf in 3GPP quirk mode PERMIT_TA_IN_EXTRACERTS_FOR_IR #29285

Closed

DDvO force-pushed the fix_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR branch from 407b440 to 4e399cd Compare December 5, 2025 07:59

t8m previously approved these changes Dec 5, 2025

View reviewed changes

t8m requested a review from a team December 5, 2025 10:37

beldmit previously approved these changes Dec 8, 2025

View reviewed changes

beldmit added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Dec 8, 2025

openssl-machine added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels Dec 9, 2025

DDvO added 2 commits December 9, 2025 10:18

OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR: use new TA(s) for whole …

1e41262

…transaction (also pkiconf); update doc

apps/cmp.c: add -ta_in_ip_extracerts permitting non-authenticated tru…

8d210a7

…st anchors in IP extracerts according to 3GPP TS 33.310 Fixes openssl#27888

DDvO dismissed stale reviews from beldmit and t8m via 8d210a7 December 9, 2025 15:19

DDvO force-pushed the fix_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR branch from 4e399cd to 8d210a7 Compare December 9, 2025 15:19

t8m closed this Dec 11, 2025

t8m reopened this Dec 11, 2025

t8m closed this Dec 11, 2025

Uh oh!

Comments

Conversation

DDvO commented Jul 10, 2025 • edited by t8m Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

This comment was marked as outdated.

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

shahsb left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

DDvO commented Jul 28, 2025

Uh oh!

openssl-machine commented Aug 28, 2025

Uh oh!

openssl-machine commented Sep 28, 2025

Uh oh!

Uh oh!

DDvO commented Oct 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

DDvO commented Oct 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

DDvO commented Oct 20, 2025

Uh oh!

DDvO commented Oct 24, 2025

Uh oh!

openssl-machine commented Nov 24, 2025

Uh oh!

DDvO commented Dec 3, 2025

Uh oh!

DDvO commented Dec 3, 2025

Uh oh!

DDvO commented Dec 5, 2025

Uh oh!

DDvO commented Dec 5, 2025

Uh oh!

DDvO commented Dec 8, 2025

Uh oh!

beldmit left a comment

Choose a reason for hiding this comment

Uh oh!

openssl-machine commented Dec 9, 2025

Uh oh!

DDvO commented Dec 9, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

t8m commented Dec 11, 2025

Uh oh!

t8m commented Dec 11, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

DDvO commented Jul 10, 2025 •

edited by t8m

Loading

DDvO commented Oct 20, 2025 •

edited

Loading

DDvO commented Oct 20, 2025 •

edited

Loading

DDvO commented Dec 9, 2025 •

edited

Loading