From 253a380bdbc6fb8d0f051196dca58b26ddb00067 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Wed, 26 Feb 2025 09:17:25 +0100 Subject: [PATCH] doc/, CHANGES, NEWS: add missing entries and fix existing ones when which CMP feature was added Reviewed-by: Tomas Mraz Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/26908) --- CHANGES.md | 18 ++++++++++-------- NEWS.md | 6 +++++- doc/man1/openssl-cmp.pod.in | 10 ++++++++-- doc/man3/OSSL_CMP_CTX_new.pod | 3 +++ 4 files changed, 26 insertions(+), 11 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 9aeed1bd44..67d97e9e6d 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -402,7 +402,9 @@ OpenSSL 3.4 *Rajeev Ranjan* - * Added support for requesting CRL in CMP. + * Added support for retrieving certificate request templates and CRLs in CMP, + with the respective CLI options `-template`, + `-crlcert`, `-oldcrl`, `-crlout`, `-crlform>`, and `-rsp_crl`. This work was sponsored by Siemens AG. @@ -608,6 +610,8 @@ OpenSSL 3.3 - `certProfile` request message header and respective `-profile` CLI option - support for delayed delivery of all types of response messages + This work was sponsored by Siemens AG. + *David von Oheimb* * The build of exporters (such as `.pc` files for pkg-config) cleaned up to @@ -913,11 +917,6 @@ OpenSSL 3.2 *Fergus Dall* - * Added support for securely getting root CA certificate update in - CMP. - - *David von Oheimb* - * Improved contention on global write locks by using more read locks where appropriate. 
@@ -1183,8 +1182,11 @@ OpenSSL 3.2 *David von Oheimb* * Various fixes and extensions to the CMP+CRMF implementation and the `cmp` app - in particular supporting requests for central key generation, generalized - polling, and various types of genm/genp exchanges defined in CMP Updates. + in particular supporting various types of genm/genp exchanges such as getting + CA certificates and root CA cert updates defined in CMP Updates [RFC 9480], + as well as the `-srvcertout` and `-serial` CLI options. + + This work was sponsored by Siemens AG. *David von Oheimb* diff --git a/NEWS.md b/NEWS.md index aa14f7873e..f597e1b57a 100644 --- a/NEWS.md +++ b/NEWS.md @@ -46,6 +46,8 @@ This release adds the following new features: FIPS compliance can be claimed. Enable this using the configuration option `enable-fips-jitter`. + * Support for central key generation in CMP + OpenSSL 3.4 ----------- @@ -115,7 +117,7 @@ This release adds the following new features: * Support for integrity-only cipher suites TLS_SHA256_SHA256 and TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150 - * Support for requesting CRL in CMP + * Support for retrieving certificate request templates and CRLs in CMP * Support for additional X.509v3 extensions related to Attribute Certificates @@ -227,6 +229,8 @@ This release adds the following new features: * Added X509_STORE_get1_objects to avoid issues with the existing X509_STORE_get0_objects API in multi-threaded applications. + * Support for using certificate profiles and extened delayed delivery in CMP + This release incorporates the following potentially significant or incompatible changes: diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 5fd0cb6915..4505283e58 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in 
@@ -1517,9 +1517,15 @@ The B application was added in OpenSSL 3.0. The B<-engine> option was deprecated in OpenSSL 3.0. -The B<-profile> option was added in OpenSSL 3.3. +The B<-oldwithold>, B<-newwithnew>, B<-newwithold>, B<-oldwithnew>, +The B<-srvcertout>, and B<-serial> option were added in OpenSSL 3.2, as well +as an extension of B<-cacertsout> to use when getting CA certificates. +Since then, the B<-issuer> may be used also for certificates to be revoked. -B<-crlcert>, B<-oldcrl>, B<-crlout>, B<-crlform> +The B<-profile> and B<-no_cache_extracerts> options were added in OpenSSL 3.3, +as well as support for delayed delivery of all types of response messages. + +The B<-template>, B<-crlcert>, B<-oldcrl>, B<-crlout>, B<-crlform> and B<-rsp_crl> options were added in OpenSSL 3.4. B<-centralkeygen>, b<-newkeyout>, B<-rsp_key> and diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index 58540e73cc..18ff5be837 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -879,6 +879,9 @@ OSSL_CMP_CTX_get0_validatedSrvCert() were added in OpenSSL 3.2. OSSL_CMP_CTX_get0_geninfo_ITAVs() was added in OpenSSL 3.3. +Support for central key generation, requested via B, +was added in OpenSSL 3.5. + =head1 COPYRIGHT Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
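Review bot: in the CHANGES.md hunk at @@ -402, the added option list spells one option as `-crlform>`, with a stray `>` inside the backticks. The doc/man1/openssl-cmp.pod.in hunk of this same patch names the option B<-crlform>, so the CHANGES.md entry should read `-crlform`.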
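Review bot: in the CHANGES.md hunk at @@ -1183, the rewritten OpenSSL 3.2 entry no longer mentions "requests for central key generation", yet no CHANGES.md hunk in this patch adds that feature under another release. The only new mention is the NEWS.md line "Support for central key generation in CMP", plus the 3.5 note in doc/man3/OSSL_CMP_CTX_new.pod. Please confirm that CHANGES.md already carries a central key generation entry under the release where NEWS.md now lists it, or add one here so the two files stay in step.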
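Review bot: in the NEWS.md hunk at @@ -227, the added bullet misspells "extended" as "extened". Suggested wording: "Support for using certificate profiles and extended delayed delivery in CMP". The CHANGES.md 3.3 entry shown in this patch describes the same feature as "support for delayed delivery of all types of response messages", so reusing that phrase would keep the two files consistent.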
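Review bot: in the doc/man1/openssl-cmp.pod.in hunk at @@ -1517, the second added line begins with a second "The" in the middle of the option list, and "option were added" should be plural. Suggested text: "The B<-oldwithold>, B<-newwithnew>, B<-newwithold>, B<-oldwithnew>, B<-srvcertout>, and B<-serial> options were added in OpenSSL 3.2". In the same paragraph, "the B<-issuer> may be used" reads better as "the B<-issuer> option may be used". The trailing context line also has a lowercase `b<-newkeyout>`, which is not a POD formatting code and will not render like its neighbours; it is worth changing to `B<-newkeyout>` while this paragraph is being touched.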