author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-03-12 19:45:40 +0100 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-03-18 07:03:53 +0100 |
commit | 63b64f19c13d59d68dc2e525f454aea62a739842 (patch) | |
tree | a0eb5a23182f4d056dcb435dadf4c96fb50e76c1 /crypto/cms/cms_ess.c | |
parent | bef876f97e26309ccd20f916cf1e5e305735ee98 (diff) | |
download | openssl-new-63b64f19c13d59d68dc2e525f454aea62a739842.tar.gz |
TS and CMS CAdES-BES: Refactor check_signing_certs() funcs into common ESS func
Also constify related CMS/PKCS7 functions and improve error codes thrown.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14503)
Diffstat (limited to 'crypto/cms/cms_ess.c')
-rw-r--r-- | crypto/cms/cms_ess.c | 63 |
1 files changed, 5 insertions, 58 deletions
diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c
index b8b0076e03..5982035c45 100644
--- a/crypto/cms/cms_ess.c
+++ b/crypto/cms/cms_ess.c
@@ -46,67 +46,14 @@ int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr)
     return 1;
 }
 
-/*
- First, get the ESS_SIGNING_CERT(V2) signed attribute from |si|.
- Then check matching of each cert of trust |chain| with one of
- the |cert_ids|(Hash+IssuerID) list from this ESS_SIGNING_CERT.
- Derived from ts_check_signing_certs()
-*/
-int ossl_ess_check_signing_certs(CMS_SignerInfo *si, STACK_OF(X509) *chain)
+int ossl_cms_check_signing_certs(const CMS_SignerInfo *si,
+                                 const STACK_OF(X509) *chain)
 {
     ESS_SIGNING_CERT *ss = NULL;
     ESS_SIGNING_CERT_V2 *ssv2 = NULL;
-    X509 *cert;
-    int i = 0, ret = 0;
-
-    if (ossl_cms_signerinfo_get_signing_cert(si, &ss) > 0
-        && ss->cert_ids != NULL) {
-        STACK_OF(ESS_CERT_ID) *cert_ids = ss->cert_ids;
-
-        cert = sk_X509_value(chain, 0);
-        if (ossl_ess_find_cert(cert_ids, cert) != 0)
-            goto err;
-
-        /*
-         * Check the other certificates of the chain.
-         * Fail if no signing certificate ids found for each certificate.
-         */
-        if (sk_ESS_CERT_ID_num(cert_ids) > 1) {
-            /* for each chain cert, try to find its cert id */
-            for (i = 1; i < sk_X509_num(chain); ++i) {
-                cert = sk_X509_value(chain, i);
-                if (ossl_ess_find_cert(cert_ids, cert) < 0)
-                    goto err;
-            }
-        }
-    } else if (ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) > 0
-               && ssv2->cert_ids!= NULL) {
-        STACK_OF(ESS_CERT_ID_V2) *cert_ids_v2 = ssv2->cert_ids;
-
-        cert = sk_X509_value(chain, 0);
-        if (ossl_ess_find_cert_v2(cert_ids_v2, cert) != 0)
-            goto err;
-
-        /*
-         * Check the other certificates of the chain.
-         * Fail if no signing certificate ids found for each certificate.
-         */
-        if (sk_ESS_CERT_ID_V2_num(cert_ids_v2) > 1) {
-            /* for each chain cert, try to find its cert id */
-            for (i = 1; i < sk_X509_num(chain); ++i) {
-                cert = sk_X509_value(chain, i);
-                if (ossl_ess_find_cert_v2(cert_ids_v2, cert) < 0)
-                    goto err;
-            }
-        }
-    } else {
-        ERR_raise(ERR_LIB_CMS, CMS_R_ESS_NO_SIGNING_CERTID_ATTRIBUTE);
-        return 0;
-    }
-    ret = 1;
- err:
-    if (!ret)
-        ERR_raise(ERR_LIB_CMS, CMS_R_ESS_SIGNING_CERTID_MISMATCH_ERROR);
+    int ret = ossl_cms_signerinfo_get_signing_cert(si, &ss) >= 0
+           && ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) >= 0
+           && ossl_ess_check_signing_certs(ss, ssv2, chain, 1);
 
     ESS_SIGNING_CERT_free(ss);
     ESS_SIGNING_CERT_V2_free(ssv2);
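Review bot: The new ossl_cms_check_signing_certs() has no header comment, while the six-line comment that explained what the old function verified (the ESS signing-cert attribute of |si| matched against |chain|) is deleted with it, so a caller now has to read the common ESS helper to learn that this is the signing-certificate binding check. I would restore a short comment above the new signature, e.g. `/* Check that the ESS_SIGNING_CERT(V2) attribute of |si|, if present, matches |chain|; delegates to ossl_ess_check_signing_certs() */`. The literal `1` passed as the last argument of ossl_ess_check_signing_certs(ss, ssv2, chain, 1) is opaque at this call site and deserves a trailing comment naming the flag it sets; since the `>= 0` checks now let an absent attribute through (only a decode failure short-circuits), it is presumably that helper which decides whether a missing attribute is an error, and the comment should say so because the CMS_R_ESS_NO_SIGNING_CERTID_ATTRIBUTE raise is gone from this function. The body of ossl_cms_check_signing_certs continues past the end of the hunk.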