From: Dr. David von Oheimb Date: Fri, 12 Mar 2021 14:54:34 +0000 (+0100) Subject: ts_check_signing_certs(): Make sure both ESSCertID and ESSCertIDv2 are checked X-Git-Tag: openssl-3.0.0-alpha14~247 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bef876f97e26309ccd20f916cf1e5e305735ee98;p=thirdparty%2Fopenssl.git ts_check_signing_certs(): Make sure both ESSCertID and ESSCertIDv2 are checked Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14503) --- diff --git a/CHANGES.md b/CHANGES.md index ad6b7edd29e..cb074f2ff0c 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -60,6 +60,7 @@ OpenSSL 3.0 * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035) for the TSP implementation. + As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present. Correct the semantics of checking the validation chain in case ESSCertID{,v2} contains more than one certificate identifier: This means that all certificates referenced there MUST be part of the validation chain. diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index 6884360869a..6798fc8263b 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -214,23 +214,21 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, * Check if first ESSCertIDs matches signer cert * and each further ESSCertIDs matches any cert in the chain. */ - if (ss != NULL) { + if (ss != NULL) for (i = 0; i < sk_ESS_CERT_ID_num(ss->cert_ids); i++) { j = ossl_ess_find_cid(chain, sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL); if (j < 0 || (i == 0 && j != 0)) goto err; } - ret = 1; - } else if (ssv2 != NULL) { + if (ssv2 != NULL) for (i = 0; i < sk_ESS_CERT_ID_V2_num(ssv2->cert_ids); i++) { j = ossl_ess_find_cid(chain, NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i)); if (j < 0 || (i == 0 && j != 0)) goto err; } - ret = 1; - } + ret = 1; err: if (!ret)