TS ESS: Invert the search logic of ts_check_signing_certs() to correctly cover cert ID list

Fixes #14190 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14503)
author: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2021-03-10 17:21:37 +0100
committer: Dr. David von Oheimb <dev@ddvo.net> 2021-03-18 07:03:52 +0100
commit: 6b937ae3a7a2dfac55d25a18bd6d5a084c24e3d5 (patch)
tree: cdf56802cdf79a6010c98509a2117f8294cb109b /crypto/ts
parent: 49f07be43d031f0407db8ae1b8cdf6452a79e558 (diff)
1 files changed, 17 insertions, 37 deletions
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index b45ca28b5d..6884360869 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -206,52 +206,32 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
                                   STACK_OF(X509) *chain)
 {
     ESS_SIGNING_CERT *ss = ossl_ess_signing_cert_get(si);
-    STACK_OF(ESS_CERT_ID) *cert_ids = NULL;
     ESS_SIGNING_CERT_V2 *ssv2 = ossl_ess_signing_cert_v2_get(si);
-    STACK_OF(ESS_CERT_ID_V2) *cert_ids_v2 = NULL;
-    X509 *cert;
-    int i = 0;
+    int i, j;
     int ret = 0;
 
+    /*
+     * Check if first ESSCertIDs matches signer cert
+     * and each further ESSCertIDs matches any cert in the chain.
+     */
     if (ss != NULL) {
-        cert_ids = ss->cert_ids;
-        cert = sk_X509_value(chain, 0);
-        if (ossl_ess_find_cert(cert_ids, cert) != 0)
-            goto err;
-
-        /*
-         * Check the other certificates of the chain if there are more than one
-         * certificate ids in cert_ids.
-         */
-        if (sk_ESS_CERT_ID_num(cert_ids) > 1) {
-            for (i = 1; i < sk_X509_num(chain); ++i) {
-                cert = sk_X509_value(chain, i);
-                if (ossl_ess_find_cert(cert_ids, cert) < 0)
-                    goto err;
-            }
+        for (i = 0; i < sk_ESS_CERT_ID_num(ss->cert_ids); i++) {
+            j = ossl_ess_find_cid(chain, sk_ESS_CERT_ID_value(ss->cert_ids, i),
+                                  NULL);
+            if (j < 0 || (i == 0 && j != 0))
+                goto err;
         }
+        ret = 1;
     } else if (ssv2 != NULL) {
-        cert_ids_v2 = ssv2->cert_ids;
-        cert = sk_X509_value(chain, 0);
-        if (ossl_ess_find_cert_v2(cert_ids_v2, cert) != 0)
-            goto err;
-
-        /*
-         * Check the other certificates of the chain if there are more than one
-         * certificate ids in cert_ids.
-         */
-        if (sk_ESS_CERT_ID_V2_num(cert_ids_v2) > 1) {
-            for (i = 1; i < sk_X509_num(chain); ++i) {
-                cert = sk_X509_value(chain, i);
-                if (ossl_ess_find_cert_v2(cert_ids_v2, cert) < 0)
-                    goto err;
-            }
+        for (i = 0; i < sk_ESS_CERT_ID_V2_num(ssv2->cert_ids); i++) {
+            j = ossl_ess_find_cid(chain, NULL,
+                                  sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i));
+            if (j < 0 || (i == 0 && j != 0))
+                goto err;
         }
-    } else {
-        goto err;
+        ret = 1;
     }
 
-    ret = 1;
  err:
     if (!ret)
         ERR_raise(ERR_LIB_TS, TS_R_ESS_SIGNING_CERTIFICATE_ERROR);
author	Dr. David von Oheimb <David.von.Oheimb@siemens.com>	2021-03-10 17:21:37 +0100
committer	Dr. David von Oheimb <dev@ddvo.net>	2021-03-18 07:03:52 +0100
commit	6b937ae3a7a2dfac55d25a18bd6d5a084c24e3d5 (patch)
tree	cdf56802cdf79a6010c98509a2117f8294cb109b /crypto/ts
parent	49f07be43d031f0407db8ae1b8cdf6452a79e558 (diff)