From 8f2da424a999224f73cd55149dba81449aa5aa5b Mon Sep 17 00:00:00 2001 From: James Pace Date: Fri, 27 Jan 2023 02:23:40 +0000 Subject: [PATCH] Add fix suggested in sros2 bug report. As stated in: https://github.com/OpenDDS/OpenDDS/pull/3992#issue-1548228907 "Implement the suggestion in ros2/sros2#282. Specifically, use PKCS7_NOINTERN to not accept any signatures in the signed document. This, in turn, requires the use of the certs parameter to PKCS7_verify. PKCS7_NOVERIFY is used since the permissions CA certificate will not be chain verified." Fixes: https://github.com/eclipse-cyclonedds/cyclonedds/issues/1546 Related to: https://github.com/ros2/sros2/issues/282 Signed-off-by: James Pace --- .../builtin_plugins/access_control/src/access_control_utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/security/builtin_plugins/access_control/src/access_control_utils.c b/src/security/builtin_plugins/access_control/src/access_control_utils.c index d9819d25db..2fae0a3449 100644 --- a/src/security/builtin_plugins/access_control/src/access_control_utils.c +++ b/src/security/builtin_plugins/access_control/src/access_control_utils.c @@ -248,7 +248,7 @@ static bool PKCS7_document_verify(PKCS7 *p7, X509 *cert, BIO *inbio, BIO **outbi else { X509_STORE_add_cert(store, cert); - if (PKCS7_verify(p7, NULL, store, inbio, *outbio, PKCS7_TEXT) != 1) + if (PKCS7_verify(p7, NULL, store, inbio, *outbio, PKCS7_TEXT | PKCS7_NOVERIFY | PKCS7_NOINTERN) != 1) DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE, 0, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_MESSAGE ": "); else result = true;