diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2022-07-30 20:53:44 +0200 |
|---|---|---|
| committer | Dr. David von Oheimb <dev@ddvo.net> | 2022-09-01 11:04:46 +0200 |
| commit | 2b44565476d9d6d86f5af0ec736a7bf6f77a839e (patch) | |
| tree | b7fb5785ef1d45f6ade076a591a6ce83b7618c37 /crypto/pkcs7 | |
| parent | 3d623896eb50f5b15d3ef8f53b9f1e5c7546695a (diff) | |
PKCS7_dataVerify(): fix missing use of CRLs in PKCS#7 message
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18913)
Diffstat (limited to 'crypto/pkcs7')
| -rw-r--r-- | crypto/pkcs7/pk7_doit.c | 28 |
1 files changed, 17 insertions, 11 deletions
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index e68aaca466..13a820345e 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -949,13 +949,15 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) return 0; } +/* This partly overlaps with PKCS7_verify(). It does not support flags. */ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si) { PKCS7_ISSUER_AND_SERIAL *ias; int ret = 0, i; - STACK_OF(X509) *cert; - X509 *x509; + STACK_OF(X509) *untrusted; + STACK_OF(X509_CRL) *crls; + X509 *signer; if (p7 == NULL) { ERR_raise(ERR_LIB_PKCS7, PKCS7_R_INVALID_NULL_POINTER); @@ -968,26 +970,30 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, } if (PKCS7_type_is_signed(p7)) { - cert = p7->d.sign->cert; + untrusted = p7->d.sign->cert; + crls = p7->d.sign->crl; } else if (PKCS7_type_is_signedAndEnveloped(p7)) { - cert = p7->d.signed_and_enveloped->cert; + untrusted = p7->d.signed_and_enveloped->cert; + crls = p7->d.signed_and_enveloped->crl; } else { ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_PKCS7_TYPE); goto err; } + X509_STORE_CTX_set0_crls(ctx, crls); + /* XXXXXXXXXXXXXXXXXXXXXXX */ ias = si->issuer_and_serial; - x509 = X509_find_by_issuer_and_serial(cert, ias->issuer, ias->serial); + signer = X509_find_by_issuer_and_serial(untrusted, ias->issuer, ias->serial); - /* were we able to find the cert in passed to us */ - if (x509 == NULL) { + /* Were we able to find the signer certificate in passed to us? */ + if (signer == NULL) { ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNABLE_TO_FIND_CERTIFICATE); goto err; } /* Lets verify */ - if (!X509_STORE_CTX_init(ctx, cert_store, x509, cert)) { + if (!X509_STORE_CTX_init(ctx, cert_store, signer, untrusted)) { ERR_raise(ERR_LIB_PKCS7, ERR_R_X509_LIB); goto err; } @@ -998,13 +1004,13 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, goto err; } - return PKCS7_signatureVerify(bio, p7, si, x509); + return PKCS7_signatureVerify(bio, p7, si, signer); err: return ret; } int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, - X509 *x509) + X509 *signer) { ASN1_OCTET_STRING *os; EVP_MD_CTX *mdc_tmp, *mdc; @@ -1111,7 +1117,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, } os = si->enc_digest; - pkey = X509_get0_pubkey(x509); + pkey = X509_get0_pubkey(signer); if (pkey == NULL) { ret = -1; goto err; |