add issuer check and generate warning

apps/cmp.c

@@ -3173,6 +3173,7 @@ static int do_genm(OSSL_CMP_CTX *ctx)
     } else if (opt_infotype == NID_id_it_crlStatusList) {
         X509_CRL *oldcrl = NULL, *crl = NULL;
         int res = 0;
+        const char *desc = "CRL from genp of type 'crls'";
 
         if (opt_oldcrl == NULL && opt_oldcert == NULL) {
             CMP_err("Missing -oldcrl and no -oldcert given for -infotype crlStatusList");
@@ -3191,10 +3192,18 @@ static int do_genm(OSSL_CMP_CTX *ctx)
             if (oldcrl == NULL)
                 goto end_crlupd;
         }
+
+        if (opt_oldcrl != NULL && opt_oldcert != NULL)
+        {
+            if (X509_NAME_cmp(X509_CRL_get_issuer(oldcrl),
+                              X509_get_issuer_name(OSSL_CMP_CTX_get0_oldCert(ctx)))
+                != 0)
+                CMP_warn("-oldcrl and -oldcert have different issuer");
+        }
+
         if (!OSSL_CMP_get1_crlUpdate(ctx, oldcrl, &crl))
             goto end_crlupd;
 
-        const char *desc = "CRL from genp of type 'crls'";
         if (crl == NULL) {
             CMP_info("no CRL update available");
             if (!delete_file(opt_crlout, desc))

apps/lib/cmp_mock_srv.c

@@ -426,6 +426,17 @@ static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList,
     if (thisupd != NULL
         && ASN1_TIME_compare(thisupd, X509_CRL_get0_lastUpdate(crl)) >= 0)
         return 0;
+    if (gen != NULL) {
+        GENERAL_NAME *gn = sk_GENERAL_NAME_value(gen, 0);
+
+        if (gn != NULL && gn->type == GEN_DIRNAME) {
+            X509_NAME *gen_name = gn->d.dirn;
+
+            if (X509_NAME_cmp(gen_name, X509_CRL_get_issuer(crl)) != 0) {
+                return 0;
+            }
+        }
+    }
 
     return 1;
 }

crypto/cmp/cmp_genm.c

@@ -386,8 +386,10 @@ int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509_CRL *last_crl,
     if (!OSSL_CMP_ITAV_get0_crls(itav, &crls))
         goto end;
 
-    if (crls == NULL) /* no CRL update available */
+    if (crls == NULL) { /* no CRL update available */
+        res = 1;
         goto end;
+    }
     if (sk_X509_CRL_num(crls) != 1) {
         ERR_raise_data(ERR_LIB_CMP, CMP_R_INVALID_GENP,
                        "Unexpected number of CRLs in genp: %d",

test/recipes/80-test_cmp_http_data/test_commands.csv

@@ -89,9 +89,10 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
 1,genm crlStatusList with oldcert        , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcert, signer_only.crt,,,,, -crlout, _RESULT_DIR/test.crlout.pem
 1,genm crlStatusList with old crl        , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcrl, oldcrl.pem,,,,, -crlout, _RESULT_DIR/test.crlout.pem
 1,genm crlStatusList with oldcert and old crl , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcert, signer_only.crt, -oldcrl, oldcrl.pem,,, -crlout, _RESULT_DIR/test.crlout.pem
-0,genm crlStatusList with latest crl     , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcrl, newcrl.pem,,,,, -crlout, _RESULT_DIR/test.crlout.pem
+1,genm crlStatusList with latest crl     , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcrl, newcrl.pem,,,,, -crlout, _RESULT_DIR/test.crlout.pem
 0,genm crlStatusList with -oldcert missing, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcert, idontexist,,,,, -crlout, _RESULT_DIR/test.crlout.pem
 0,genm crlStatusList with -oldcrl missing, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcrl, idontexist,,,,, -crlout, _RESULT_DIR/test.crlout.pem
+1,genm crlStatusList with wrong issuer, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcert, server.crt,,,,, -crlout, _RESULT_DIR/test.crlout.pem
 ,,,,,,,,,,,,,,,,,,,,,,
 1,profile, -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -profile,profile1,BLANK,,BLANK,
 0,profile wrong value, -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -profile,profile2,BLANK,,BLANK,