Hi,

I have "weakened" the ESSCertID logic a bit. Only the signer certificate is
checked and it must be in the first ESSCertID.

This resolves issues when TSAs add attribute certs etc.
Since RFC 3161 does not require a client to check anything
other than the presence of the signer cert (and even that is badly written),
I think the verification of a "chain" in the ESS was not appropriate
logic.

regards


*** openssl-SNAP-20130313/crypto/ts/ts_rsp_verify.c	2013-01-11 15:13:43.000000000 +0100
--- openssl-SNAP-20130313-ps/crypto/ts/ts_rsp_verify.c	2013-03-13 14:49:32.047821036 +0100
*************** static int TS_check_signing_certs(PKCS7_
*** 274,280 ****
  	if (TS_find_cert(cert_ids, cert) != 0) goto err;
  	
  	/* Check the other certificates of the chain if there are more
! 	   than one certificate ids in cert_ids. */
  	if (sk_ESS_CERT_ID_num(cert_ids) > 1)
  		{
  		/* All the certificates of the chain must be in cert_ids. */
--- 274,282 ----
  	if (TS_find_cert(cert_ids, cert) != 0) goto err;
  	
  	/* Check the other certificates of the chain if there are more
! 	   than one certificate ids in cert_ids. */*/
! 	/*no they don't */
! #if 0
  	if (sk_ESS_CERT_ID_num(cert_ids) > 1)
  		{
  		/* All the certificates of the chain must be in cert_ids. */
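Review bot: The new side of this hunk does not compile as written: the line `than one certificate ids in cert_ids. */*/` closes the comment at the first `*/` and leaves a stray `*/` as bare `*` and `/` tokens at statement level. Drop the duplicated terminator so the line reads `than one certificate ids in cert_ids. */`, or better, replace the comment and the `/*no they don't */` line with one that states the new contract, e.g. `/* RFC 3161 only requires the TSA signer certificate to be present in the ESSCertID list; other certificates are not verified here. */`. The `#if 0` here and its matching `#endif` in the next hunk keep dead code in the tree; since the rationale is that the chain check is not required, deleting the block is preferable to disabling it. TS_check_signing_certs's body continues outside the hunk.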
*************** static int TS_check_signing_certs(PKCS7_
*** 284,289 ****
--- 286,292 ----
  			if (TS_find_cert(cert_ids, cert) < 0) goto err;
  			}
  		}
+ #endif
  	ret = 1;
   err:
  	if (!ret)
*************** static int TS_find_cert(STACK_OF(ESS_CER
*** 315,322 ****
  	X509_check_purpose(cert, -1, 0);
  
  	/* Look for cert in the cert_ids vector. */
! 	for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i)
! 		{
  		ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);
  
  		/* Check the SHA-1 hash first. */
--- 318,325 ----
  	X509_check_purpose(cert, -1, 0);
  
  	/* Look for cert in the cert_ids vector. */
! 	/* for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) */ 
! 		{ int i = 0; /*check only the first one */
  		ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);
  
  		/* Check the SHA-1 hash first. */
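Review bot: Replacing the `for` loop with `{ int i = 0;` removes the bound check `i < sk_ESS_CERT_ID_num(cert_ids)`, so `sk_ESS_CERT_ID_value(cert_ids, 0)` is now called even when `cert_ids` is empty; for an out-of-range index the stack accessor returns NULL, and `cid` is presumably dereferenced in the hash comparison that follows outside this hunk. Guard the lookup before it, e.g. `if (sk_ESS_CERT_ID_num(cert_ids) < 1) return -1;` (assuming -1 is the not-found value the function already returns, which the caller's `< 0` test in the first hunk suggests). The commented-out `/* for (...) */` line should be deleted rather than left in place, and a short comment such as `/* Only the first ESSCertID is checked: it must identify the TSA signer. */` would explain the intent better than `/*check only the first one */`. The block opened by `{ int i = 0;` relies on the old loop's closing brace, which lies outside the hunk.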
