mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-02-23 14:42:15 +08:00
Code Issues Packages Projects Releases Wiki Activity

ts_check_signing_certs(): Make sure both ESSCertID and ESSCertIDv2 are checked

Browse Source 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14503)
This commit is contained in:
Dr. David von Oheimb 2021-03-12 15:54:34 +01:00 committed by Dr. David von Oheimb
parent 6b937ae3a7
commit bef876f97e
2 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGES.md
View File

@ -60,6 +60,7 @@ OpenSSL 3.0
* Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035)
for the TSP implementation.
As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present.
Correct the semantics of checking the validation chain in case ESSCertID{,v2}
contains more than one certificate identifier: This means that all
certificates referenced there MUST be part of the validation chain.

8
crypto/ts/ts_rsp_verify.c
View File

@ -214,23 +214,21 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
* Check if first ESSCertIDs matches signer cert
* and each further ESSCertIDs matches any cert in the chain.
*/
if (ss != NULL) {
if (ss != NULL)
for (i = 0; i < sk_ESS_CERT_ID_num(ss->cert_ids); i++) {
j = ossl_ess_find_cid(chain, sk_ESS_CERT_ID_value(ss->cert_ids, i),
NULL);
if (j < 0 || (i == 0 && j != 0))
goto err;
}
ret = 1;
} else if (ssv2 != NULL) {
if (ssv2 != NULL)
for (i = 0; i < sk_ESS_CERT_ID_V2_num(ssv2->cert_ids); i++) {
j = ossl_ess_find_cid(chain, NULL,
sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i));
if (j < 0 || (i == 0 && j != 0))
goto err;
}
ret = 1;
}
ret = 1;
err:
if (!ret)