Add fix suggested in sros2 bug report.

As stated in: OpenDDS/OpenDDS#3992 (comment) "Implement the suggestion in ros2/sros2#282. Specifically, use PKCS7_NOINTERN to not accept any signatures in the signed document. This, in turn, requires the use of the certs parameter to PKCS7_verify. PKCS7_NOVERIFY is used since the permissions CA certificate will not be chain verified." Fixes: eclipse-cyclonedds#1546 Related to: ros2/sros2#282 Signed-off-by: James Pace <[email protected]>
jpace121 · Jan 27, 2023 · 8f2da42 · 8f2da42
1 parent 16928eb
commit 8f2da42
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/security/builtin_plugins/access_control/src/access_control_utils.c b/src/security/builtin_plugins/access_control/src/access_control_utils.c
@@ -248,7 +248,7 @@ static bool PKCS7_document_verify(PKCS7 *p7, X509 *cert, BIO *inbio, BIO **outbi
   else
   {
     X509_STORE_add_cert(store, cert);
-    if (PKCS7_verify(p7, NULL, store, inbio, *outbio, PKCS7_TEXT) != 1)
+    if (PKCS7_verify(p7, NULL, store, inbio, *outbio, PKCS7_TEXT | PKCS7_NOVERIFY | PKCS7_NOINTERN) != 1)
       DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE, 0, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_MESSAGE ": ");
     else
       result = true;