OSSL_CMP_validate_msg(): fix check such that OSSL_CMP_OPT_PERMIT_TA_I…

…N_EXTRACERTS_FOR_IR becomes usable again Fixes openssl#23706 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Neil Horman <[email protected]> (Merged from openssl#23814) (cherry picked from commit b893cee)
siemens · Jun 17, 2024 · 9283c2b · 9283c2b
1 parent 85e3067
commit 9283c2b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
@@ -632,7 +632,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
     default:
         scrt = ctx->srvCert;
         if (scrt == NULL) {
-            if (ctx->trusted == NULL) {
+            if (ctx->trusted == NULL && ctx->secretValue != NULL) {
                 ossl_cmp_info(ctx, "no trust store nor pinned server cert available for verifying signature-based CMP message protection");
                 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_TRUST_ANCHOR);
                 return 0;