Hi, I have "weakened" the ESSCertID logic a bit. Only the signer certificate is checked, and it must be the first ESSCertID.
This resolves issues when TSAs add attribute certs etc. Since RFC 3161 does not require a client to check anything other than the presence of the signer cert (and even that is badly written), I think verifying a "chain" in the ESS was not appropriate logic. regards
*** openssl-SNAP-20130313/crypto/ts/ts_rsp_verify.c 2013-01-11 15:13:43.000000000 +0100 --- openssl-SNAP-20130313-ps/crypto/ts/ts_rsp_verify.c 2013-03-13 14:49:32.047821036 +0100 *************** static int TS_check_signing_certs(PKCS7_ *** 274,280 **** if (TS_find_cert(cert_ids, cert) != 0) goto err; /* Check the other certificates of the chain if there are more ! than one certificate ids in cert_ids. */ if (sk_ESS_CERT_ID_num(cert_ids) > 1) { /* All the certificates of the chain must be in cert_ids. */ --- 274,282 ---- if (TS_find_cert(cert_ids, cert) != 0) goto err; /* Check the other certificates of the chain if there are more ! than one certificate ids in cert_ids. */*/ ! /*no they don't */ ! #if 0 if (sk_ESS_CERT_ID_num(cert_ids) > 1) { /* All the certificates of the chain must be in cert_ids. */ *************** static int TS_check_signing_certs(PKCS7_ *** 284,289 **** --- 286,292 ---- if (TS_find_cert(cert_ids, cert) < 0) goto err; } } + #endif ret = 1; err: if (!ret) *************** static int TS_find_cert(STACK_OF(ESS_CER *** 315,322 **** X509_check_purpose(cert, -1, 0); /* Look for cert in the cert_ids vector. */ ! for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) ! { ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i); /* Check the SHA-1 hash first. */ --- 318,325 ---- X509_check_purpose(cert, -1, 0); /* Look for cert in the cert_ids vector. */ ! /* for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) */ ! { int i = 0; /*check only the first one */ ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i); /* Check the SHA-1 hash first. */
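Review bot: The new side of the first hunk ends the comment with `than one certificate ids in cert_ids. */*/`, so the second `*/` sits outside any comment and the file will not compile; the line should read `than one certificate ids in cert_ids. */`. The `#if 0` here and the `#endif` in the next hunk keep the chain check as dead code annotated only with `/*no they don't */`; if the policy is that only the signer's ESSCertID is verified (RFC 3161 requires just that one to be present), delete the block and record the policy instead, e.g. `/* RFC 3161 only requires the signer's ESSCertID; any further ids (e.g. attribute certificates) are not matched against the chain. */`. After this change additional ESSCertIDs in the SigningCertificate attribute are never compared against anything, which is the intended relaxation but belongs in the function's documentation so a later reader does not re-tighten it by accident. TS_check_signing_certs starts before and ends after this hunk.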
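Review bot: Replacing the loop in TS_find_cert with `{ int i = 0; /*check only the first one */` turns a general lookup into a comparison against index 0 only, while the function name and the untouched comment `/* Look for cert in the cert_ids vector. */` still promise a search of the whole vector; any caller that treats a negative result as "not found anywhere" (the now-disabled chain loop in the earlier hunk uses `< 0` that way) would get wrong answers if it is ever re-enabled. If the `i` the original `for` used is still declared earlier in the function, it is now unused and shadowed by the inner `int i`, which compilers with -Wshadow will flag. The "signer must be the first id" rule is already enforced by the caller through `TS_find_cert(cert_ids, cert) != 0`, so the loop can stay as it was and the policy decision remains in TS_check_signing_certs, where it is documented. The body of TS_find_cert continues past the end of the hunk.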