OSSL_CMP_validate_msg(): fix check such that OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR becomes usable again

Fixes #23706

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23814)
Dr. David von Oheimb 2024-03-11 12:48:26 +01:00
parent f8acb534e4
commit b893ceef2f


@ -632,7 +632,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
default:
scrt = ctx->srvCert;
if (scrt == NULL) {
if (ctx->trusted == NULL) {
if (ctx->trusted == NULL && ctx->secretValue != NULL) {
ossl_cmp_info(ctx, "no trust store nor pinned server cert available for verifying signature-based CMP message protection");
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_TRUST_ANCHOR);
return 0;
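Review bot: The new guard `if (ctx->trusted == NULL && ctx->secretValue != NULL)` carries no comment explaining why a configured secret value decides whether a missing trust store is fatal, and the info message still reads as if the missing trust store and pinned cert were the only cause. When both `ctx->trusted` and `ctx->secretValue` are NULL, control now passes this early return, so rejection depends on code after the hunk (the body of OSSL_CMP_validate_msg continues outside it). That code presumably has to fail closed unless the trust-anchor-in-extraCerts option named in the commit title is enabled; this should be confirmed. Once it is, I would add a comment above the condition along the lines of `/* no trust store: fail early only if a secret is set; otherwise the lookup below must reject unless TA in extraCerts is permitted */`. A regression test for "no trust store, no secret, option unset" expecting validation failure would pin the fail-closed behaviour.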