From 63b64f19c13d59d68dc2e525f454aea62a739842 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Fri, 12 Mar 2021 19:45:40 +0100 Subject: TS and CMS CAdES-BES: Refactor check_signing_certs() funcs into common ESS func Also constify related CMS/PKCS7 functions and improve error codes thrown. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14503) --- crypto/cms/cms_att.c | 3 +- crypto/cms/cms_err.c | 2 - crypto/cms/cms_ess.c | 63 ++----------------- crypto/cms/cms_local.h | 3 +- crypto/cms/cms_smime.c | 2 +- crypto/err/openssl.txt | 10 +++- crypto/ess/ess_asn1.c | 4 +- crypto/ess/ess_err.c | 14 ++++- crypto/ess/ess_lib.c | 150 ++++++++++++++++++++-------------------------- crypto/pkcs7/pk7_doit.c | 8 +-- crypto/ts/ts_rsp_verify.c | 38 +++--------- 11 files changed, 109 insertions(+), 188 deletions(-) (limited to 'crypto') diff --git a/crypto/cms/cms_att.c b/crypto/cms/cms_att.c index a9ef0357e5..2ac118b9e6 100644 --- a/crypto/cms/cms_att.c +++ b/crypto/cms/cms_att.c @@ -125,7 +125,8 @@ int CMS_signed_add1_attr_by_txt(CMS_SignerInfo *si, return 0; } -void *CMS_signed_get0_data_by_OBJ(CMS_SignerInfo *si, const ASN1_OBJECT *oid, +void *CMS_signed_get0_data_by_OBJ(const CMS_SignerInfo *si, + const ASN1_OBJECT *oid, int lastpos, int type) { return X509at_get0_data_by_OBJ(si->signedAttrs, oid, lastpos, type); diff --git a/crypto/cms/cms_err.c b/crypto/cms/cms_err.c index 173e1596f6..81249ce689 100644 --- a/crypto/cms/cms_err.c +++ b/crypto/cms/cms_err.c 
@@ -59,8 +59,6 @@ static const ERR_STRING_DATA CMS_str_reasons[] = { {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ERROR_SETTING_KEY), "error setting key"}, {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ERROR_SETTING_RECIPIENTINFO), "error setting recipientinfo"}, - {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ESS_NO_SIGNING_CERTID_ATTRIBUTE), - "ess no signing certid attribute"}, {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ESS_SIGNING_CERTID_MISMATCH_ERROR), "ess signing certid mismatch error"}, {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_INVALID_ENCRYPTED_KEY_LENGTH), diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c index b8b0076e03..5982035c45 100644 --- a/crypto/cms/cms_ess.c +++ b/crypto/cms/cms_ess.c 
@@ -46,67 +46,14 @@ int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr) return 1; } -/* - First, get the ESS_SIGNING_CERT(V2) signed attribute from |si|. - Then check matching of each cert of trust |chain| with one of - the |cert_ids|(Hash+IssuerID) list from this ESS_SIGNING_CERT. - Derived from ts_check_signing_certs() -*/ -int ossl_ess_check_signing_certs(CMS_SignerInfo *si, STACK_OF(X509) *chain) +int ossl_cms_check_signing_certs(const CMS_SignerInfo *si, + const STACK_OF(X509) *chain) { ESS_SIGNING_CERT *ss = NULL; ESS_SIGNING_CERT_V2 *ssv2 = NULL; - X509 *cert; - int i = 0, ret = 0; - - if (ossl_cms_signerinfo_get_signing_cert(si, &ss) > 0 - && ss->cert_ids != NULL) { - STACK_OF(ESS_CERT_ID) *cert_ids = ss->cert_ids; - - cert = sk_X509_value(chain, 0); - if (ossl_ess_find_cert(cert_ids, cert) != 0) - goto err; - - /* - * Check the other certificates of the chain. - * Fail if no signing certificate ids found for each certificate. - */ - if (sk_ESS_CERT_ID_num(cert_ids) > 1) { - /* for each chain cert, try to find its cert id */ - for (i = 1; i < sk_X509_num(chain); ++i) { - cert = sk_X509_value(chain, i); - if (ossl_ess_find_cert(cert_ids, cert) < 0) - goto err; - } - } - } else if (ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) > 0 - && ssv2->cert_ids!= NULL) { - STACK_OF(ESS_CERT_ID_V2) *cert_ids_v2 = ssv2->cert_ids; - - cert = sk_X509_value(chain, 0); - if (ossl_ess_find_cert_v2(cert_ids_v2, cert) != 0) - goto err; - - /* - * Check the other certificates of the chain. - * Fail if no signing certificate ids found for each certificate. 
- */ - if (sk_ESS_CERT_ID_V2_num(cert_ids_v2) > 1) { - /* for each chain cert, try to find its cert id */ - for (i = 1; i < sk_X509_num(chain); ++i) { - cert = sk_X509_value(chain, i); - if (ossl_ess_find_cert_v2(cert_ids_v2, cert) < 0) - goto err; - } - } - } else { - ERR_raise(ERR_LIB_CMS, CMS_R_ESS_NO_SIGNING_CERTID_ATTRIBUTE); - return 0; - } - ret = 1; - err: - if (!ret) - ERR_raise(ERR_LIB_CMS, CMS_R_ESS_SIGNING_CERTID_MISMATCH_ERROR); + int ret = ossl_cms_signerinfo_get_signing_cert(si, &ss) >= 0 + && ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) >= 0 + && ossl_ess_check_signing_certs(ss, ssv2, chain, 1); ESS_SIGNING_CERT_free(ss); ESS_SIGNING_CERT_V2_free(ssv2); diff --git a/crypto/cms/cms_local.h b/crypto/cms/cms_local.h index 2429202fa8..0827c55a1c 100644 --- a/crypto/cms/cms_local.h +++ b/crypto/cms/cms_local.h @@ -473,7 +473,8 @@ void ossl_cms_SignerInfos_set_cmsctx(CMS_ContentInfo *cms); /* ESS routines */ -int ossl_ess_check_signing_certs(CMS_SignerInfo *si, STACK_OF(X509) *chain); +int ossl_cms_check_signing_certs(const CMS_SignerInfo *si, + const STACK_OF(X509) *chain); int ossl_cms_dh_envelope(CMS_RecipientInfo *ri, int decrypt); int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt); diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index ac4ad2d490..3ab4cd2e6f 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -381,7 +381,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, if (cadesVerify) { STACK_OF(X509) *si_chain = si_chains ? si_chains[i] : NULL; - if (ossl_ess_check_signing_certs(si, si_chain) <= 0) + if (ossl_cms_check_signing_certs(si, si_chain) <= 0) goto err; } } diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 53e8c4cd39..68c2ea8aa3 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt 
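Review bot: The `>= 0` tests in the new `ossl_cms_check_signing_certs()` are only right if both getters return 0 for an absent attribute, yet the comments kept as context in the crypto/ess/ess_asn1.c hunks still read "Returns < 0 if attribute is not found, 1 if found, or -1 on attribute parsing failure". If that text were accurate, a SignerInfo carrying only one of the two signing-certificate attributes would be rejected here before `ossl_ess_check_signing_certs()` is reached. The getter bodies are outside the hunks, so the comments are presumably just stale. I would change both to `Returns 0 if attribute is not found, 1 if found, or -1 on attribute parsing failure.` The removed block comment above this function was also not replaced, so add a short one saying that a parse failure of either attribute fails verification while the absence of one of them is tolerated.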
@@ -299,7 +299,6 @@ CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE:114:\ error reading messagedigest attribute CMS_R_ERROR_SETTING_KEY:115:error setting key CMS_R_ERROR_SETTING_RECIPIENTINFO:116:error setting recipientinfo -CMS_R_ESS_NO_SIGNING_CERTID_ATTRIBUTE:182:ess no signing certid attribute CMS_R_ESS_SIGNING_CERTID_MISMATCH_ERROR:183:ess signing certid mismatch error CMS_R_INVALID_ENCRYPTED_KEY_LENGTH:117:invalid encrypted key length CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER:176:invalid key encryption parameter @@ -629,9 +628,16 @@ ENGINE_R_UNIMPLEMENTED_CIPHER:146:unimplemented cipher ENGINE_R_UNIMPLEMENTED_DIGEST:147:unimplemented digest ENGINE_R_UNIMPLEMENTED_PUBLIC_KEY_METHOD:101:unimplemented public key method ENGINE_R_VERSION_INCOMPATIBILITY:145:version incompatibility +ESS_R_EMPTY_ESS_CERT_ID_LIST:107:empty ess cert id list +ESS_R_ESS_CERT_DIGEST_ERROR:103:ess cert digest error +ESS_R_ESS_CERT_ID_NOT_FOUND:104:ess cert id not found +ESS_R_ESS_CERT_ID_WRONG_ORDER:105:ess cert id wrong order +ESS_R_ESS_DIGEST_ALG_UNKNOWN:106:ess digest alg unknown ESS_R_ESS_SIGNING_CERTIFICATE_ERROR:102:ess signing certificate error ESS_R_ESS_SIGNING_CERT_ADD_ERROR:100:ess signing cert add error ESS_R_ESS_SIGNING_CERT_V2_ADD_ERROR:101:ess signing cert v2 add error +ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE:108:\ + missing signing certificate attribute EVP_R_AES_KEY_SETUP_FAILED:143:aes key setup failed EVP_R_ARIA_KEY_SETUP_FAILED:176:aria key setup failed EVP_R_BAD_ALGORITHM_NAME:200:bad algorithm name 
@@ -706,9 +712,9 @@ EVP_R_NO_KEY_SET:154:no key set EVP_R_NO_OPERATION_SET:149:no operation set EVP_R_NULL_MAC_PKEY_CTX:208:null mac pkey ctx EVP_R_ONLY_ONESHOT_SUPPORTED:177:only oneshot supported +EVP_R_OPERATION_NOT_INITIALIZED:151:operation not initialized EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\ operation not supported for this keytype -EVP_R_OPERATION_NOT_INITIALIZED:151:operation not initialized EVP_R_OUTPUT_WOULD_OVERFLOW:202:output would overflow EVP_R_PARAMETER_TOO_LARGE:187:parameter too large EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers diff --git a/crypto/ess/ess_asn1.c b/crypto/ess/ess_asn1.c index 37bac4e707..08a0be8cc4 100644 --- a/crypto/ess/ess_asn1.c +++ b/crypto/ess/ess_asn1.c @@ -65,7 +65,7 @@ IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2) * Returns < 0 if attribute is not found, 1 if found, or * -1 on attribute parsing failure. */ -int ossl_cms_signerinfo_get_signing_cert_v2(CMS_SignerInfo *si, +int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 **psc) { ASN1_STRING *str; @@ -92,7 +92,7 @@ int ossl_cms_signerinfo_get_signing_cert_v2(CMS_SignerInfo *si, * Returns < 0 if attribute is not found, 1 if found, or * -1 on attribute parsing failure. */ -int ossl_cms_signerinfo_get_signing_cert(CMS_SignerInfo *si, +int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si, ESS_SIGNING_CERT **psc) { ASN1_STRING *str; diff --git a/crypto/ess/ess_err.c b/crypto/ess/ess_err.c index 450c07edac..2ece3443bd 100644 --- a/crypto/ess/ess_err.c +++ b/crypto/ess/ess_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -15,12 +15,24 @@ #ifndef OPENSSL_NO_ERR static const ERR_STRING_DATA ESS_str_reasons[] = { + {ERR_PACK(ERR_LIB_ESS, 0, ESS_R_EMPTY_ESS_CERT_ID_LIST), + "empty ess cert id list"}, + {ERR_PACK(ERR_LIB_ESS, 0, ESS_R_ESS_CERT_DIGEST_ERROR), + "ess cert digest error"}, + {ERR_PACK(ERR_LIB_ESS, 0, ESS_R_ESS_CERT_ID_NOT_FOUND), + "ess cert id not found"}, + {ERR_PACK(ERR_LIB_ESS, 0, ESS_R_ESS_CERT_ID_WRONG_ORDER), + "ess cert id wrong order"}, + {ERR_PACK(ERR_LIB_ESS, 0, ESS_R_ESS_DIGEST_ALG_UNKNOWN), + "ess digest alg unknown"}, {ERR_PACK(ERR_LIB_ESS, 0, ESS_R_ESS_SIGNING_CERTIFICATE_ERROR), "ess signing certificate error"}, {ERR_PACK(ERR_LIB_ESS, 0, ESS_R_ESS_SIGNING_CERT_ADD_ERROR), "ess signing cert add error"}, {ERR_PACK(ERR_LIB_ESS, 0, ESS_R_ESS_SIGNING_CERT_V2_ADD_ERROR), "ess signing cert v2 add error"}, + {ERR_PACK(ERR_LIB_ESS, 0, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE), + "missing signing certificate attribute"}, {0, NULL} }; diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c index 7dda6adc98..ec1de943e4 100644 --- a/crypto/ess/ess_lib.c +++ b/crypto/ess/ess_lib.c @@ -192,7 +192,7 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg, return NULL; } -ESS_SIGNING_CERT *ossl_ess_signing_cert_get(PKCS7_SIGNER_INFO *si) +ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si) { ASN1_TYPE *attr; const unsigned char *p; @@ -204,7 +204,7 @@ ESS_SIGNING_CERT *ossl_ess_signing_cert_get(PKCS7_SIGNER_INFO *si) return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length); } -ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_get(PKCS7_SIGNER_INFO *si) +ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO *si) { ASN1_TYPE *attr; const unsigned char *p; 
@@ -289,112 +289,92 @@ static int ess_issuer_serial_cmp(const ESS_ISSUER_SERIAL *is, const X509 *cert) return ASN1_INTEGER_cmp(is->serial, X509_get0_serialNumber(cert)); } -/* Returns < 0 if certificate is not found, certificate index otherwise. */ -int ossl_ess_find_cert(const STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) -{ - int i; - unsigned char cert_sha1[SHA_DIGEST_LENGTH]; - - if (cert_ids == NULL || cert == NULL) - return -1; - - /* Recompute SHA1 hash of certificate if necessary (side effect). */ - if (!x509v3_cache_extensions(cert)) - return -1; - - /* TODO(3.0): fetch sha1 algorithm from providers */ - if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL)) - return -1; - - /* Look for cert in the cert_ids vector. */ - for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) { - const ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i); - - if (cid->hash->length == SHA_DIGEST_LENGTH - && memcmp(cid->hash->data, cert_sha1, SHA_DIGEST_LENGTH) == 0) { - const ESS_ISSUER_SERIAL *is = cid->issuer_serial; - - if (is == NULL || ess_issuer_serial_cmp(is, cert) == 0) - return i; - } - } - - return -1; -} - -/* Returns < 0 if certificate is not found, certificate index otherwise. */ -int ossl_ess_find_cert_v2(const STACK_OF(ESS_CERT_ID_V2) *cert_ids, - const X509 *cert) -{ - int i; - unsigned char cert_digest[EVP_MAX_MD_SIZE]; - unsigned int len; - - /* Look for cert in the cert_ids vector. 
*/ - for (i = 0; i < sk_ESS_CERT_ID_V2_num(cert_ids); ++i) { - const ESS_CERT_ID_V2 *cid = sk_ESS_CERT_ID_V2_value(cert_ids, i); - const EVP_MD *md; - - if (cid == NULL) - return -1; - if (cid->hash_alg != NULL) - md = EVP_get_digestbyobj(cid->hash_alg->algorithm); - else - md = EVP_sha256(); - - /* TODO(3.0): fetch sha1 algorithm from providers */ - if (!X509_digest(cert, md, cert_digest, &len)) - return -1; - - if (cid->hash->length != (int)len) - return -1; - - if (memcmp(cid->hash->data, cert_digest, cid->hash->length) == 0) { - const ESS_ISSUER_SERIAL *is = cid->issuer_serial; - - if (is == NULL || ess_issuer_serial_cmp(is, cert) == 0) - return i; - } - } - - return -1; -} - -/* Returns < 0 if certificate is not found, certificate index otherwise. */ -int ossl_ess_find_cid(const STACK_OF(X509) *certs, - ESS_CERT_ID *cid, ESS_CERT_ID_V2 *cid_v2) +/* + * Find cert referenced by |cid| (if not NULL, else |cidv2|) in |certs|. + * If the cid{,v2} index is 0, the cert must be in the first in |certs| list. + * Return 0 on not found, -1 on error, else 1 + the position in |certs|. + */ +static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2, + int index, const STACK_OF(X509) *certs) { + const X509 *cert; + const EVP_MD *md; unsigned char cert_digest[EVP_MAX_MD_SIZE]; unsigned int len, cid_hash_len; - int i; const ESS_ISSUER_SERIAL *is; + int i; - if (certs == NULL || (cid == NULL && cid_v2 == NULL)) + if (cid == NULL && cid_v2 == NULL) { + ERR_raise(ERR_LIB_ESS, ERR_R_PASSED_INVALID_ARGUMENT); return -1; + } /* Look for cert with cid in the certs. */ for (i = 0; i < sk_X509_num(certs); ++i) { - const X509 *cert = sk_X509_value(certs, i); - const EVP_MD *md; + cert = sk_X509_value(certs, i); - /* TODO(3.0): fetch sha algorithm from providers */ if (cid != NULL) md = EVP_sha1(); else md = cid_v2->hash_alg == NULL ? 
EVP_sha256() : EVP_get_digestbyobj(cid_v2->hash_alg->algorithm); + if (md == NULL) { + ERR_raise(ERR_LIB_ESS, ESS_R_ESS_DIGEST_ALG_UNKNOWN); + return -1; + } + cid_hash_len = cid != NULL ? cid->hash->length : cid_v2->hash->length; if (!X509_digest(cert, md, cert_digest, &len) - || cid_hash_len != len) + || cid_hash_len != len) { + ERR_raise(ERR_LIB_ESS, ESS_R_ESS_CERT_DIGEST_ERROR); return -1; + } if (memcmp(cid != NULL ? cid->hash->data : cid_v2->hash->data, cert_digest, len) == 0) { is = cid != NULL ? cid->issuer_serial : cid_v2->issuer_serial; - if (is == NULL || ess_issuer_serial_cmp(is, cert) == 0) - return i; + /* Well, it's not really required to match the serial numbers. */ + if (is == NULL || ess_issuer_serial_cmp(is, cert) == 0) { + if ((i == 0) == (index == 0)) + return i + 1; + ERR_raise(ERR_LIB_ESS, ESS_R_ESS_CERT_ID_WRONG_ORDER); + return -1; + } } } - return -1; + ERR_raise(ERR_LIB_ESS, ESS_R_ESS_CERT_ID_NOT_FOUND); + return 0; +} + +/* + * If ESSCertID and/or ESSCertIDv2 exist, which must be non-empty if given, + * check if their first ID entry matches the signer cert first in chain + * and each further ID entry matches any further cert in the chain. + */ +int ossl_ess_check_signing_certs(const ESS_SIGNING_CERT *ss, + const ESS_SIGNING_CERT_V2 *ssv2, + const STACK_OF(X509) *chain, + int require_signing_cert) +{ + int n_v1 = ss == NULL ? -1 : sk_ESS_CERT_ID_num(ss->cert_ids); + int n_v2 = ssv2 == NULL ? -1 : sk_ESS_CERT_ID_V2_num(ssv2->cert_ids); + int i; + + if (require_signing_cert && ss == NULL && ssv2 == NULL) { + ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE); + return 0; + } + if (n_v1 == 0 || n_v2 == 0) { + ERR_raise(ERR_LIB_ESS, ESS_R_EMPTY_ESS_CERT_ID_LIST); + return 0; + } + /* If both ss and ssv2 exist, as required evaluate them independently. 
*/ + for (i = 0; i < n_v1; i++) + if (find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain) <= 0) + return 0; + for (i = 0; i < n_v2; i++) + if (find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain) <= 0) + return 0; + return 1; } diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index c9e4d719aa..c7a50ff57e 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -18,7 +18,7 @@ static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value); -static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid); +static ASN1_TYPE *get_attribute(const STACK_OF(X509_ATTRIBUTE) *sk, int nid); int PKCS7_type_is_other(PKCS7 *p7) { @@ -1209,17 +1209,17 @@ PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx) return ri->issuer_and_serial; } -ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid) +ASN1_TYPE *PKCS7_get_signed_attribute(const PKCS7_SIGNER_INFO *si, int nid) { return get_attribute(si->auth_attr, nid); } -ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid) +ASN1_TYPE *PKCS7_get_attribute(const PKCS7_SIGNER_INFO *si, int nid) { return get_attribute(si->unauth_attr, nid); } -static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid) +static ASN1_TYPE *get_attribute(const STACK_OF(X509_ATTRIBUTE) *sk, int nid) { int idx; X509_ATTRIBUTE *xa; diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index 6798fc8263..4660647ffc 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -17,8 +17,8 @@ static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, X509 *signer, STACK_OF(X509) **chain); -static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, - STACK_OF(X509) *chain); +static int ts_check_signing_certs(const PKCS7_SIGNER_INFO *si, + const STACK_OF(X509) *chain); static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token, TS_TST_INFO *tst_info); 
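Review bot: In `ossl_ess_check_signing_certs()` the missing-attribute error is raised as `ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE)`, which pairs an ESS reason code with the CMS library, so the reason will be resolved against the CMS reason table and reported with the wrong text. It should be `ERR_raise(ERR_LIB_ESS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE);`, matching the other raises in this hunk, especially since the function is also called from the TS verifier. Separately, `sk_ESS_CERT_ID_num()` returns -1 for a NULL stack, so a non-NULL `ss` or `ssv2` whose `cert_ids` is NULL skips both the empty-list check and its loop, and the function returns 1 without comparing anything. The decoder probably never produces that state, but `if ((ss != NULL && n_v1 <= 0) || (ssv2 != NULL && n_v2 <= 0))` in place of `if (n_v1 == 0 || n_v2 == 0)` would make the check fail closed.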
@@ -202,37 +202,13 @@ end: return ret; } -static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, - STACK_OF(X509) *chain) +static int ts_check_signing_certs(const PKCS7_SIGNER_INFO *si, + const STACK_OF(X509) *chain) { - ESS_SIGNING_CERT *ss = ossl_ess_signing_cert_get(si); - ESS_SIGNING_CERT_V2 *ssv2 = ossl_ess_signing_cert_v2_get(si); - int i, j; - int ret = 0; + ESS_SIGNING_CERT *ss = ossl_ess_get_signing_cert(si); + ESS_SIGNING_CERT_V2 *ssv2 = ossl_ess_get_signing_cert_v2(si); + int ret = ossl_ess_check_signing_certs(ss, ssv2, chain, 1); - /* - * Check if first ESSCertIDs matches signer cert - * and each further ESSCertIDs matches any cert in the chain. - */ - if (ss != NULL) - for (i = 0; i < sk_ESS_CERT_ID_num(ss->cert_ids); i++) { - j = ossl_ess_find_cid(chain, sk_ESS_CERT_ID_value(ss->cert_ids, i), - NULL); - if (j < 0 || (i == 0 && j != 0)) - goto err; - } - if (ssv2 != NULL) - for (i = 0; i < sk_ESS_CERT_ID_V2_num(ssv2->cert_ids); i++) { - j = ossl_ess_find_cid(chain, NULL, - sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i)); - if (j < 0 || (i == 0 && j != 0)) - goto err; - } - ret = 1; - - err: - if (!ret) - ERR_raise(ERR_LIB_TS, TS_R_ESS_SIGNING_CERTIFICATE_ERROR); ESS_SIGNING_CERT_free(ss); ESS_SIGNING_CERT_V2_free(ssv2); return ret; -- cgit v1.2.1
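Review bot: The rewritten `ts_check_signing_certs()` cannot tell an undecodable attribute from a missing one: `ossl_ess_get_signing_cert()` ends in `return d2i_ESS_SIGNING_CERT(...)`, so a decode failure yields NULL, as an absent attribute presumably does too (the start of the getter is outside the hunks). A token whose only attribute fails to parse is therefore reported as "missing signing certificate attribute", and a token with one well-formed and one undecodable attribute is accepted on the well-formed one alone, whereas the CMS caller fails on a parse error. I would at least document that here, e.g. `/* NULL means absent or undecodable; at least one attribute must decode */`, or have the getters report the difference. Callers that match on `TS_R_ESS_SIGNING_CERTIFICATE_ERROR` should also be checked, since this function no longer raises it and now also fails when neither attribute is present.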