Add fix suggested in sros2 bug report.

As stated in: OpenDDS/OpenDDS#3992 (comment) "Implement the suggestion in ros2/sros2#282. Specifically, use PKCS7_NOINTERN to not accept any signatures in the signed document. This, in turn, requires the use of the certs parameter to PKCS7_verify. PKCS7_NOVERIFY is used since the permissions CA certificate will not be chain verified." Fixes: #1546 Related to: ros2/sros2#282 Signed-off-by: James Pace <[email protected]>
eclipse-cyclonedds · Feb 2, 2023 · de27a11 · de27a11
1 parent 8b82dc5
commit de27a11
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/src/security/builtin_plugins/access_control/src/access_control_utils.c b/src/security/builtin_plugins/access_control/src/access_control_utils.c
@@ -234,7 +234,7 @@ static bool PKCS7_document_from_data(const char *data, size_t len, PKCS7 **p7, B
 static bool PKCS7_document_verify(PKCS7 *p7, X509 *cert, BIO *inbio, BIO **outbio, DDS_Security_SecurityException *ex)
 {
   bool result = false;
-  X509_STORE *store = NULL;
+  STACK_OF(X509) *certStack = NULL;
 
   assert(p7);
   assert(cert);
@@ -243,18 +243,18 @@ static bool PKCS7_document_verify(PKCS7 *p7, X509 *cert, BIO *inbio, BIO **outbi
 
   if ((*outbio = BIO_new(BIO_s_mem())) == NULL)
     DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
-  else if ((store = X509_STORE_new()) == NULL)
+  else if ((certStack = sk_X509_new_null()) == NULL)
     DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
   else
   {
-    X509_STORE_add_cert(store, cert);
-    if (PKCS7_verify(p7, NULL, store, inbio, *outbio, PKCS7_TEXT) != 1)
+    sk_X509_push(certStack, cert);
+    if (PKCS7_verify(p7, certStack, NULL, inbio, *outbio, PKCS7_TEXT | PKCS7_NOVERIFY | PKCS7_NOINTERN) != 1)
       DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE, 0, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_MESSAGE ": ");
     else
       result = true;
   }
-  if (store)
-    X509_STORE_free(store);
+  if (certStack)
+      sk_X509_free(certStack);
   if (!result && *outbio)
   {
     BIO_free(*outbio);