ts_check_signing_certs(): Make sure both ESSCertID and ESSCertIDv2 are checked

Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14503)
2025-02-17 14:32:04 +08:00 · 2021-03-12 15:54:34 +01:00 · 2021-03-12 15:54:34 +01:00 · bef876f97e
commit bef876f97e
parent 6b937ae3a7
2 changed files with 4 additions and 5 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -60,6 +60,7 @@ OpenSSL 3.0

 * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035)
   for the TSP implementation.
+   As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present.
   Correct the semantics of checking the validation chain in case ESSCertID{,v2}
   contains more than one certificate identifier: This means that all
   certificates referenced there MUST be part of the validation chain.
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@ -214,23 +214,21 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
     * Check if first ESSCertIDs matches signer cert
     * and each further ESSCertIDs matches any cert in the chain.
     */
-    if (ss != NULL) {
+    if (ss != NULL)
        for (i = 0; i < sk_ESS_CERT_ID_num(ss->cert_ids); i++) {
            j = ossl_ess_find_cid(chain, sk_ESS_CERT_ID_value(ss->cert_ids, i),
                                  NULL);
            if (j < 0 || (i == 0 && j != 0))
                goto err;
        }
-        ret = 1;
-    } else if (ssv2 != NULL) {
+    if (ssv2 != NULL)
        for (i = 0; i < sk_ESS_CERT_ID_V2_num(ssv2->cert_ids); i++) {
            j = ossl_ess_find_cid(chain, NULL,
                                  sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i));
            if (j < 0 || (i == 0 && j != 0))
                goto err;
        }
-        ret = 1;
-    }
+    ret = 1;

 err:
    if (!ret)