Diffstat (limited to 'crypto/openssl/doc/internal/man3/ossl_cmp_msg_check_update.pod')
| -rw-r--r-- | crypto/openssl/doc/internal/man3/ossl_cmp_msg_check_update.pod | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/crypto/openssl/doc/internal/man3/ossl_cmp_msg_check_update.pod b/crypto/openssl/doc/internal/man3/ossl_cmp_msg_check_update.pod index d1513bf34f0c..4643be69b77b 100644 --- a/crypto/openssl/doc/internal/man3/ossl_cmp_msg_check_update.pod +++ b/crypto/openssl/doc/internal/man3/ossl_cmp_msg_check_update.pod @@ -51,6 +51,7 @@ The callback is passed also the arguments B<ctx>, B<msg>, and <cb_arg> The callback should return 1 on acceptance, 0 on rejection, or -1 on error. It should not put an error on the error stack since this could be misleading. +Unless the B<OSSL_CMP_OPT_NO_CACHE_EXTRACERTS> is set in the B<ctx>, ossl_cmp_msg_check_update() adds all extraCerts contained in the <msg> to the list of untrusted certificates in B<ctx> such that they are already usable for OSSL_CMP_validate_msg(), which is called internally, and for future use. @@ -58,13 +59,13 @@ Thus they are available also to the certificate confirmation callback, and the peer does not need to send them again (at least not in the same transaction). Note that it does not help validating the message before storing the extraCerts because they are not part of the protected portion of the message anyway. -For efficiency, the extraCerts are prepended to the list so they get used first. +For efficiency, the extraCerts being cached are prepended to the list so they get used first. If all checks pass then ossl_cmp_msg_check_update() records in B<ctx> the senderNonce of the received message as the new recipNonce and learns the transaction ID if none is currently present in B<ctx>. -Moreover, according to RFC 4210 section 5.3.2, if the message protection is +Moreover, according to RFC 9810 section 5.3.2, if the message protection is PBM-based then any certificates in the caPubs field are added to the list of trusted certificates (if set via L<OSSL_CMP_CTX_set0_trusted(3)>). This way these certs are available for validating subsequent messages in the 
@@ -85,7 +86,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2026 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy |
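Review bot: In the first hunk (@@ -51,6 +51,7), the added line does not say what still happens when the option is set. The sentence it now introduces covers two effects, making the extraCerts usable for the internal OSSL_CMP_validate_msg() call and keeping them "for future use", and the "Unless" applies to both as written. Please state explicitly whether the extraCerts of the current message are still used to validate that message when B<OSSL_CMP_OPT_NO_CACHE_EXTRACERTS> is set, or whether they are ignored entirely. Wording: "Unless the B<OSSL_CMP_OPT_NO_CACHE_EXTRACERTS> is set in the B<ctx>" is missing a noun; suggest "Unless the B<OSSL_CMP_OPT_NO_CACHE_EXTRACERTS> option is set in B<ctx>". The unchanged "<msg>" in the same sentence and "<cb_arg>" in the context above lack their B<> markup and could be fixed while this paragraph is being touched.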
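Review bot: In the second hunk (@@ -58,13 +59,13), the reference changes from RFC 4210 to RFC 9810 but the section number 5.3.2 is carried over unchanged; please confirm that section 5.3.2 of RFC 9810 is still the place that specifies the caPubs handling for PBM-based protection, and adjust the number if the sections were renumbered. In the same hunk, the unchanged sentence "Thus they are available also to the certificate confirmation callback" now only holds when caching is enabled, so it would read better as conditional on the option introduced in the first hunk, in the same way the "extraCerts being cached" rewording does.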
