author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-03-12 15:54:34 +0100 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-03-18 07:03:53 +0100 |
commit | bef876f97e26309ccd20f916cf1e5e305735ee98 (patch) | |
tree | 56ba499d239e2d3c642e51458fb53839a1751663 | |
parent | 6b937ae3a7a2dfac55d25a18bd6d5a084c24e3d5 (diff) |
ts_check_signing_certs(): Make sure both ESSCertID and ESSCertIDv2 are checked
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14503)
-rw-r--r-- | CHANGES.md | 1 | ||||
-rw-r--r-- | crypto/ts/ts_rsp_verify.c | 8 |
2 files changed, 4 insertions, 5 deletions
diff --git a/CHANGES.md b/CHANGES.md index ad6b7edd29..cb074f2ff0 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -60,6 +60,7 @@ OpenSSL 3.0 * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035) for the TSP implementation. + As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present. Correct the semantics of checking the validation chain in case ESSCertID{,v2} contains more than one certificate identifier: This means that all certificates referenced there MUST be part of the validation chain. diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index 6884360869..6798fc8263 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -214,23 +214,21 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, * Check if first ESSCertIDs matches signer cert * and each further ESSCertIDs matches any cert in the chain. */ - if (ss != NULL) { + if (ss != NULL) for (i = 0; i < sk_ESS_CERT_ID_num(ss->cert_ids); i++) { j = ossl_ess_find_cid(chain, sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL); if (j < 0 || (i == 0 && j != 0)) goto err; } - ret = 1; - } else if (ssv2 != NULL) { + if (ssv2 != NULL) for (i = 0; i < sk_ESS_CERT_ID_V2_num(ssv2->cert_ids); i++) { j = ossl_ess_find_cid(chain, NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i)); if (j < 0 || (i == 0 && j != 0)) goto err; } - ret = 1; - } + ret = 1; err: if (!ret) |