OSSL_CMP_certConf_cb(): fix regression on checking newly enrolled cert

Also add corresponding tests and to this end update credentials Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/20160)
author: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2023-01-27 21:17:50 +0100
committer: Dr. David von Oheimb <dev@ddvo.net> 2023-02-13 11:56:10 +0100
commit: 6b58f498b3f5d8e4c9197c3c5228fb450e33aaaf (patch)
tree: 481acfef6b930c147e060be157656eaee95edf0a /apps
parent: 1472127d9d6bc4866ab26b503e0d5937b40dca37 (diff)
download: openssl-new-6b58f498b3f5d8e4c9197c3c5228fb450e33aaaf.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/apps/cmp.c b/apps/cmp.c
index 00e8be63d1..f31358e741 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1274,7 +1274,9 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host,
                 /* disable any cert status/revocation checking etc. */
                 X509_VERIFY_PARAM_clear_flags(tls_vpm,
                                               ~(X509_V_FLAG_USE_CHECK_TIME
-                                                | X509_V_FLAG_NO_CHECK_TIME));
+                                                | X509_V_FLAG_NO_CHECK_TIME
+                                                | X509_V_FLAG_PARTIAL_CHAIN
+                                                | X509_V_FLAG_POLICY_CHECK));
             }
             CMP_debug("trying to build cert chain for own TLS cert");
             if (SSL_CTX_build_cert_chain(ssl_ctx,
author	Dr. David von Oheimb <David.von.Oheimb@siemens.com>	2023-01-27 21:17:50 +0100
committer	Dr. David von Oheimb <dev@ddvo.net>	2023-02-13 11:56:10 +0100
commit	6b58f498b3f5d8e4c9197c3c5228fb450e33aaaf (patch)
tree	481acfef6b930c147e060be157656eaee95edf0a /apps
parent	1472127d9d6bc4866ab26b503e0d5937b40dca37 (diff)
download	openssl-new-6b58f498b3f5d8e4c9197c3c5228fb450e33aaaf.tar.gz