authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2021-03-12 15:54:34 +0100
committerDr. David von Oheimb <dev@ddvo.net>2021-03-18 07:03:53 +0100
commitbef876f97e26309ccd20f916cf1e5e305735ee98 (patch)
tree56ba499d239e2d3c642e51458fb53839a1751663
parent6b937ae3a7a2dfac55d25a18bd6d5a084c24e3d5 (diff)
ts_check_signing_certs(): Make sure both ESSCertID and ESSCertIDv2 are checked
Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14503)
-rw-r--r--CHANGES.md1
-rw-r--r--crypto/ts/ts_rsp_verify.c8
2 files changed, 4 insertions, 5 deletions
diff --git a/CHANGES.md b/CHANGES.md
index ad6b7edd29..cb074f2ff0 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -60,6 +60,7 @@ OpenSSL 3.0
* Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035)
for the TSP implementation.
+ As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present.
Correct the semantics of checking the validation chain in case ESSCertID{,v2}
contains more than one certificate identifier: This means that all
certificates referenced there MUST be part of the validation chain.
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 6884360869..6798fc8263 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -214,23 +214,21 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
* Check if first ESSCertIDs matches signer cert
* and each further ESSCertIDs matches any cert in the chain.
*/
- if (ss != NULL) {
+ if (ss != NULL)
for (i = 0; i < sk_ESS_CERT_ID_num(ss->cert_ids); i++) {
j = ossl_ess_find_cid(chain, sk_ESS_CERT_ID_value(ss->cert_ids, i),
NULL);
if (j < 0 || (i == 0 && j != 0))
goto err;
}
- ret = 1;
- } else if (ssv2 != NULL) {
+ if (ssv2 != NULL)
for (i = 0; i < sk_ESS_CERT_ID_V2_num(ssv2->cert_ids); i++) {
j = ossl_ess_find_cid(chain, NULL,
sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i));
if (j < 0 || (i == 0 && j != 0))
goto err;
}
- ret = 1;
- }
+ ret = 1;
err:
if (!ret)