[openssl] master update

dev at ddvo.net dev at ddvo.net
Sat Mar 13 10:16:46 UTC 2021


The branch master has been updated
       via  f62846b703d163265176fe960ec7d087b4c3fa96 (commit)
       via  c89fd035d54f8c80cd0bbd26b9a90fcff385cbb5 (commit)
      from  234261f3a1a4fc88d51fde2007852c0a45e7ce8a (commit)


- Log -----------------------------------------------------------------
commit f62846b703d163265176fe960ec7d087b4c3fa96
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed Mar 10 17:27:13 2021 +0100

    apps/ts.c: Allow -untrusted arg to refer to multiple sources
    
    This requires moving generally useful functions from apps/cmp.c to apps/lib/apps.c
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14504)

commit c89fd035d54f8c80cd0bbd26b9a90fcff385cbb5
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed Mar 10 17:21:37 2021 +0100

    TS ESS: Let TS_RESP_verify_signature() make use of untrusted certs also from token response
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14504)

-----------------------------------------------------------------------

Summary of changes:
 apps/cmp.c                 | 174 +++------------------------------------------
 apps/include/apps.h        |   9 +++
 apps/lib/apps.c            | 158 ++++++++++++++++++++++++++++++++++++++++
 apps/ts.c                  |  31 ++++----
 crypto/ts/ts_rsp_verify.c  |  10 ++-
 doc/man1/openssl-ts.pod.in |  15 ++--
 test/recipes/80-test_tsa.t |  56 +++++++--------
 7 files changed, 242 insertions(+), 211 deletions(-)

diff --git a/apps/cmp.c b/apps/cmp.c
index 519e0bc2a5..2112df0186 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -618,25 +618,6 @@ static int set_verbosity(int level)
     return 1;
 }
 
-static char *next_item(char *opt) /* in list separated by comma and/or space */
-{
-    /* advance to separator (comma or whitespace), if any */
-    while (*opt != ',' && !isspace(*opt) && *opt != '\0') {
-        if (*opt == '\\' && opt[1] != '\0')
-            /* skip and unescape '\' escaped char */
-            memmove(opt, opt + 1, strlen(opt));
-        opt++;
-    }
-    if (*opt != '\0') {
-        /* terminate current item */
-        *opt++ = '\0';
-        /* skip over any whitespace after separator */
-        while (isspace(*opt))
-            opt++;
-    }
-    return *opt == '\0' ? NULL : opt; /* NULL indicates end of input */
-}
-
 static EVP_PKEY *load_key_pwd(const char *uri, int format,
                               const char *pass, ENGINE *eng, const char *desc)
 {
@@ -689,63 +670,6 @@ static X509_REQ *load_csr_autofmt(const char *infile, const char *desc)
     return csr;
 }
 
-static void warn_cert_msg(const char *uri, X509 *cert, const char *msg)
-{
-    char *subj = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
-
-    CMP_warn3("certificate from '%s' with subject '%s' %s", uri, subj, msg);
-    OPENSSL_free(subj);
-}
-
-static void warn_cert(const char *uri, X509 *cert, int warn_EE)
-{
-    uint32_t ex_flags = X509_get_extension_flags(cert);
-    int res = X509_cmp_timeframe(vpm, X509_get0_notBefore(cert),
-                                 X509_get0_notAfter(cert));
-
-    if (res != 0)
-        warn_cert_msg(uri, cert, res > 0 ? "has expired" : "not yet valid");
-    if (warn_EE && (ex_flags & EXFLAG_V1) == 0 && (ex_flags & EXFLAG_CA) == 0)
-        warn_cert_msg(uri, cert, "is not a CA cert");
-}
-
-static void warn_certs(const char *uri, STACK_OF(X509) *certs, int warn_EE)
-{
-    int i;
-
-    for (i = 0; i < sk_X509_num(certs); i++)
-        warn_cert(uri, sk_X509_value(certs, i), warn_EE);
-}
-
-/* TODO potentially move this and related functions to apps/lib/apps.c */
-static int load_cert_certs(const char *uri,
-                           X509 **pcert, STACK_OF(X509) **pcerts,
-                           int exclude_http, const char *pass, const char *desc)
-{
-    int ret = 0;
-    char *pass_string;
-
-    if (exclude_http && (strncasecmp(uri, "http://", 7) == 0
-                         || strncasecmp(uri, "https://", 8) == 0)) {
-        BIO_printf(bio_err, "error: HTTP retrieval not allowed for %s\n", desc);
-        return ret;
-    }
-    pass_string = get_passwd(pass, desc);
-    ret = load_key_certs_crls(uri, 0, pass_string, desc, NULL, NULL, NULL,
-                              pcert, pcerts, NULL, NULL);
-    clear_free(pass_string);
-
-    if (ret) {
-        if (pcert != NULL)
-            warn_cert(uri, *pcert, 0);
-        warn_certs(uri, *pcerts, 1);
-    } else {
-        sk_X509_pop_free(*pcerts, X509_free);
-        *pcerts = NULL;
-    }
-    return ret;
-}
-
 /* set expected host name/IP addr and clears the email addr in the given ts */
 static int truststore_set_host_etc(X509_STORE *ts, char *host)
 {
@@ -763,24 +687,6 @@ static int truststore_set_host_etc(X509_STORE *ts, char *host)
         || X509_VERIFY_PARAM_set1_host(ts_vpm, host, 0);
 }
 
-static X509_STORE *sk_X509_to_store(X509_STORE *store /* may be NULL */,
-                                    const STACK_OF(X509) *certs /* may NULL */)
-{
-    int i;
-
-    if (store == NULL)
-        store = X509_STORE_new();
-    if (store == NULL)
-        return NULL;
-    for (i = 0; i < sk_X509_num(certs); i++) {
-        if (!X509_STORE_add_cert(store, sk_X509_value(certs, i))) {
-            X509_STORE_free(store);
-            return NULL;
-        }
-    }
-    return store;
-}
-
 /* write OSSL_CMP_MSG DER-encoded to the specified file name item */
 static int write_PKIMESSAGE(const OSSL_CMP_MSG *msg, char **filenames)
 {
@@ -952,37 +858,9 @@ static int set_gennames(OSSL_CMP_CTX *ctx, char *names, const char *desc)
     return 1;
 }
 
-/* TODO potentially move to apps/lib/apps.c */
-/*
- * create cert store structure with certificates read from given file(s)
- * returns pointer to created X509_STORE on success, NULL on error
- */
-static X509_STORE *load_certstore(char *input, const char *desc)
-{
-    X509_STORE *store = NULL;
-    STACK_OF(X509) *certs = NULL;
-
-    while (input != NULL) {
-        char *next = next_item(input);
-        int ok;
-
-        if (!load_cert_certs(input, NULL, &certs, 1, opt_otherpass, desc)) {
-            X509_STORE_free(store);
-            return NULL;
-        }
-        ok = (store = sk_X509_to_store(store, certs)) != NULL;
-        sk_X509_pop_free(certs, X509_free);
-        certs = NULL;
-        if (!ok)
-            return NULL;
-        input = next;
-    }
-    return store;
-}
-
 static X509_STORE *load_trusted(char *input, int for_new_cert, const char *desc)
 {
-    X509_STORE *ts = load_certstore(input, desc);
+    X509_STORE *ts = load_certstore(input, opt_otherpass, desc, vpm);
 
     if (ts == NULL)
         return NULL;
@@ -998,40 +876,6 @@ static X509_STORE *load_trusted(char *input, int for_new_cert, const char *desc)
     return NULL;
 }
 
-/* TODO potentially move to apps/lib/apps.c */
-static STACK_OF(X509) *load_certs_multifile(char *files,
-                                            const char *pass, const char *desc)
-{
-    STACK_OF(X509) *certs = NULL;
-    STACK_OF(X509) *result = sk_X509_new_null();
-
-    if (files == NULL)
-        goto err;
-    if (result == NULL)
-        goto oom;
-
-    while (files != NULL) {
-        char *next = next_item(files);
-
-        if (!load_cert_certs(files, NULL, &certs, 0, pass, desc))
-            goto err;
-        if (!X509_add_certs(result, certs,
-                            X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
-            goto oom;
-        sk_X509_pop_free(certs, X509_free);
-        certs = NULL;
-        files = next;
-    }
-    return result;
-
- oom:
-    BIO_printf(bio_err, "out of memory\n");
- err:
-    sk_X509_pop_free(certs, X509_free);
-    sk_X509_pop_free(result, X509_free);
-    return NULL;
-}
-
 typedef int (*add_X509_stack_fn_t)(void *ctx, const STACK_OF(X509) *certs);
 
 static int setup_certs(char *files, const char *desc, void *ctx,
@@ -1042,7 +886,7 @@ static int setup_certs(char *files, const char *desc, void *ctx,
 
     if (files == NULL)
         return 1;
-    if ((certs = load_certs_multifile(files, opt_otherpass, desc)) == NULL)
+    if ((certs = load_certs_multifile(files, opt_otherpass, desc, vpm)) == NULL)
         return 0;
     ok = (*set1_fn)(ctx, certs);
     sk_X509_pop_free(certs, X509_free);
@@ -1350,8 +1194,9 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
     SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
 
     if (opt_tls_trusted != NULL) {
-        if ((trust_store = load_certstore(opt_tls_trusted,
-                                          "trusted TLS certificates")) == NULL)
+        trust_store = load_certstore(opt_tls_trusted, opt_otherpass,
+                                     "trusted TLS certificates", vpm);
+        if (trust_store == NULL)
             goto err;
         SSL_CTX_set_cert_store(ssl_ctx, trust_store);
         /* for improved diagnostics on SSL_CTX_build_cert_chain() errors: */
@@ -1364,7 +1209,8 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
         int ok;
 
         if (!load_cert_certs(opt_tls_cert, &cert, &certs, 0, opt_tls_keypass,
-                             "TLS client certificate (optionally with chain)"))
+                             "TLS client certificate (optionally with chain)",
+                             vpm))
             /* need opt_tls_keypass if opt_tls_cert is encrypted PKCS#12 file */
             goto err;
 
@@ -1418,7 +1264,8 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
         if (opt_tls_extra != NULL) {
             STACK_OF(X509) *tls_extra = load_certs_multifile(opt_tls_extra,
                                                              opt_otherpass,
-                                                             "extra certificates for TLS");
+                                                             "extra certificates for TLS",
+                                                             vpm);
             int res = 1;
 
             if (tls_extra == NULL)
@@ -1541,7 +1388,8 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
         int ok;
 
         if (!load_cert_certs(opt_cert, &cert, &certs, 0, opt_keypass,
-                             "CMP client certificate (optionally with chain)"))
+                             "CMP client certificate (optionally with chain)",
+                             vpm))
             /* opt_keypass is needed if opt_cert is an encrypted PKCS#12 file */
             return 0;
         ok = OSSL_CMP_CTX_set1_cert(ctx, cert);
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 8c365c44bd..416e1d2568 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -120,6 +120,15 @@ EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin,
                       const char *pass, ENGINE *e, const char *desc);
 EVP_PKEY *load_keyparams(const char *uri, int maybe_stdin, const char *keytype,
                          const char *desc);
+char *next_item(char *opt); /* in list separated by comma and/or space */
+int load_cert_certs(const char *uri,
+                    X509 **pcert, STACK_OF(X509) **pcerts,
+                    int exclude_http, const char *pass, const char *desc,
+                    X509_VERIFY_PARAM *vpm);
+STACK_OF(X509) *load_certs_multifile(char *files, const char *pass,
+                                     const char *desc, X509_VERIFY_PARAM *vpm);
+X509_STORE *load_certstore(char *input, const char *pass, const char *desc,
+                           X509_VERIFY_PARAM *vpm);
 int load_certs(const char *uri, STACK_OF(X509) **certs,
                const char *pass, const char *desc);
 int load_crls(const char *uri, STACK_OF(X509_CRL) **crls,
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 2938e91620..f114f0b10c 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -638,6 +638,164 @@ void* app_malloc(int sz, const char *what)
     return vp;
 }
 
+char *next_item(char *opt) /* in list separated by comma and/or space */
+{
+    /* advance to separator (comma or whitespace), if any */
+    while (*opt != ',' && !isspace(*opt) && *opt != '\0') {
+        if (*opt == '\\' && opt[1] != '\0')
+            /* skip and unescape '\' escaped char */
+            memmove(opt, opt + 1, strlen(opt));
+        opt++;
+    }
+    if (*opt != '\0') {
+        /* terminate current item */
+        *opt++ = '\0';
+        /* skip over any whitespace after separator */
+        while (isspace(*opt))
+            opt++;
+    }
+    return *opt == '\0' ? NULL : opt; /* NULL indicates end of input */
+}
+
+static void warn_cert_msg(const char *uri, X509 *cert, const char *msg)
+{
+    char *subj = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
+
+    BIO_printf(bio_err, "Warning: certificate from '%s' with subject '%s' %s",
+               uri, subj, msg);
+    OPENSSL_free(subj);
+}
+
+static void warn_cert(const char *uri, X509 *cert, int warn_EE,
+                      X509_VERIFY_PARAM *vpm)
+{
+    uint32_t ex_flags = X509_get_extension_flags(cert);
+    int res = X509_cmp_timeframe(vpm, X509_get0_notBefore(cert),
+                                 X509_get0_notAfter(cert));
+
+    if (res != 0)
+        warn_cert_msg(uri, cert, res > 0 ? "has expired" : "not yet valid");
+    if (warn_EE && (ex_flags & EXFLAG_V1) == 0 && (ex_flags & EXFLAG_CA) == 0)
+        warn_cert_msg(uri, cert, "is not a CA cert");
+}
+
+static void warn_certs(const char *uri, STACK_OF(X509) *certs, int warn_EE,
+                       X509_VERIFY_PARAM *vpm)
+{
+    int i;
+
+    for (i = 0; i < sk_X509_num(certs); i++)
+        warn_cert(uri, sk_X509_value(certs, i), warn_EE, vpm);
+}
+
+int load_cert_certs(const char *uri,
+                    X509 **pcert, STACK_OF(X509) **pcerts,
+                    int exclude_http, const char *pass, const char *desc,
+                    X509_VERIFY_PARAM *vpm)
+{
+    int ret = 0;
+    char *pass_string;
+
+    if (exclude_http && (strncasecmp(uri, "http://", 7) == 0
+                         || strncasecmp(uri, "https://", 8) == 0)) {
+        BIO_printf(bio_err, "error: HTTP retrieval not allowed for %s\n", desc);
+        return ret;
+    }
+    pass_string = get_passwd(pass, desc);
+    ret = load_key_certs_crls(uri, 0, pass_string, desc, NULL, NULL, NULL,
+                              pcert, pcerts, NULL, NULL);
+    clear_free(pass_string);
+
+    if (ret) {
+        if (pcert != NULL)
+            warn_cert(uri, *pcert, 0, vpm);
+        warn_certs(uri, *pcerts, 1, vpm);
+    } else {
+        sk_X509_pop_free(*pcerts, X509_free);
+        *pcerts = NULL;
+    }
+    return ret;
+}
+
+STACK_OF(X509) *load_certs_multifile(char *files, const char *pass,
+                                     const char *desc, X509_VERIFY_PARAM *vpm)
+{
+    STACK_OF(X509) *certs = NULL;
+    STACK_OF(X509) *result = sk_X509_new_null();
+
+    if (files == NULL)
+        goto err;
+    if (result == NULL)
+        goto oom;
+
+    while (files != NULL) {
+        char *next = next_item(files);
+
+        if (!load_cert_certs(files, NULL, &certs, 0, pass, desc, vpm))
+            goto err;
+        if (!X509_add_certs(result, certs,
+                            X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
+            goto oom;
+        sk_X509_pop_free(certs, X509_free);
+        certs = NULL;
+        files = next;
+    }
+    return result;
+
+ oom:
+    BIO_printf(bio_err, "out of memory\n");
+ err:
+    sk_X509_pop_free(certs, X509_free);
+    sk_X509_pop_free(result, X509_free);
+    return NULL;
+}
+
+static X509_STORE *sk_X509_to_store(X509_STORE *store /* may be NULL */,
+                                    const STACK_OF(X509) *certs /* may NULL */)
+{
+    int i;
+
+    if (store == NULL)
+        store = X509_STORE_new();
+    if (store == NULL)
+        return NULL;
+    for (i = 0; i < sk_X509_num(certs); i++) {
+        if (!X509_STORE_add_cert(store, sk_X509_value(certs, i))) {
+            X509_STORE_free(store);
+            return NULL;
+        }
+    }
+    return store;
+}
+
+/*
+ * Create cert store structure with certificates read from given file(s).
+ * Returns pointer to created X509_STORE on success, NULL on error.
+ */
+X509_STORE *load_certstore(char *input, const char *pass, const char *desc,
+                           X509_VERIFY_PARAM *vpm)
+{
+    X509_STORE *store = NULL;
+    STACK_OF(X509) *certs = NULL;
+
+    while (input != NULL) {
+        char *next = next_item(input);
+        int ok;
+
+        if (!load_cert_certs(input, NULL, &certs, 1, pass, desc, vpm)) {
+            X509_STORE_free(store);
+            return NULL;
+        }
+        ok = (store = sk_X509_to_store(store, certs)) != NULL;
+        sk_X509_pop_free(certs, X509_free);
+        certs = NULL;
+        if (!ok)
+            return NULL;
+        input = next;
+    }
+    return store;
+}
+
 /*
  * Initialize or extend, if *certs != NULL, a certificate stack.
  * The caller is responsible for freeing *certs if its value is left not NULL.
diff --git a/apps/ts.c b/apps/ts.c
index 62afe7560d..cc69a7de72 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -65,12 +65,12 @@ static int verify_command(const char *data, const char *digest, const char *quer
                           const char *in, int token_in,
                           const char *CApath, const char *CAfile,
                           const char *CAstore,
-                          const char *untrusted, X509_VERIFY_PARAM *vpm);
+                          char *untrusted, X509_VERIFY_PARAM *vpm);
 static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
                                         const char *queryfile,
                                         const char *CApath, const char *CAfile,
                                         const char *CAstore,
-                                        const char *untrusted,
+                                        char *untrusted,
                                         X509_VERIFY_PARAM *vpm);
 static X509_STORE *create_cert_store(const char *CApath, const char *CAfile,
                                      const char *CAstore, X509_VERIFY_PARAM *vpm);
@@ -100,7 +100,7 @@ const OPTIONS ts_options[] = {
     {"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"},
     {"CApath", OPT_CAPATH, '/', "Path to trusted CA files"},
     {"CAstore", OPT_CASTORE, ':', "URI to trusted CA store"},
-    {"untrusted", OPT_UNTRUSTED, '<', "File with untrusted certs"},
+    {"untrusted", OPT_UNTRUSTED, '<', "Extra untrusted certs"},
     {"token_in", OPT_TOKEN_IN, '-', "Input is a PKCS#7 file"},
     {"token_out", OPT_TOKEN_OUT, '-', "Output is a PKCS#7 file"},
     {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
@@ -149,16 +149,17 @@ static char* opt_helplist[] = {
     "    [-text]",
 #endif
     "",
-    " openssl ts -verify -CApath dir -CAfile file.pem -CAstore uri",
-    "   -untrusted file.pem [-data file] [-digest hexstring]",
-    "    [-queryfile file] -in file [-token_in] ...",
+    " openssl ts -verify -CApath dir -CAfile root-cert.pem -CAstore uri",
+    "   -untrusted extra-certs.pem [-data file] [-digest hexstring]",
+    "    [-queryfile request.tsq] -in response.tsr [-token_in] ...",
     NULL,
 };
 
 int ts_main(int argc, char **argv)
 {
     CONF *conf = NULL;
-    const char *CAfile = NULL, *untrusted = NULL, *prog;
+    const char *CAfile = NULL, *prog;
+    char *untrusted = NULL;
     const char *configfile = default_config_file, *engine = NULL;
     const char *section = NULL, *digestname = NULL;
     char **helpp;
@@ -842,7 +843,7 @@ static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial)
 static int verify_command(const char *data, const char *digest, const char *queryfile,
                           const char *in, int token_in,
                           const char *CApath, const char *CAfile,
-                          const char *CAstore, const char *untrusted,
+                          const char *CAstore, char *untrusted,
                           X509_VERIFY_PARAM *vpm)
 {
     BIO *in_bio = NULL;
@@ -890,10 +891,11 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
                                         const char *queryfile,
                                         const char *CApath, const char *CAfile,
                                         const char *CAstore,
-                                        const char *untrusted,
+                                        char *untrusted,
                                         X509_VERIFY_PARAM *vpm)
 {
     TS_VERIFY_CTX *ctx = NULL;
+    STACK_OF(X509) *certs;
     BIO *input = NULL;
     TS_REQ *request = NULL;
     int ret = 0;
@@ -943,10 +945,13 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
             == NULL)
         goto err;
 
-    /* Loading untrusted certificates. */
-    if (untrusted
-        && TS_VERIFY_CTX_set_certs(ctx, TS_CONF_load_certs(untrusted)) == NULL)
-        goto err;
+    /* Loading any extra untrusted certificates. */
+    if (untrusted != NULL) {
+        certs = load_certs_multifile(untrusted, NULL, "extra untrusted certs",
+                                     vpm);
+        if (certs == NULL || TS_VERIFY_CTX_set_certs(ctx, certs) == NULL)
+            goto err;
+    }
     ret = 1;
 
  err:
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 3aea4f4dfb..b45ca28b5d 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -89,6 +89,7 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
 {
     STACK_OF(PKCS7_SIGNER_INFO) *sinfos = NULL;
     PKCS7_SIGNER_INFO *si;
+    STACK_OF(X509) *untrusted = NULL;
     STACK_OF(X509) *signers = NULL;
     X509 *signer;
     STACK_OF(X509) *chain = NULL;
@@ -125,7 +126,13 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
         goto err;
     signer = sk_X509_value(signers, 0);
 
-    if (!ts_verify_cert(store, certs, signer, &chain))
+    untrusted = sk_X509_new_reserve(NULL, sk_X509_num(certs)
+                                    + sk_X509_num(token->d.sign->cert));
+    if (untrusted == NULL
+            || !X509_add_certs(untrusted, certs, 0)
+            || !X509_add_certs(untrusted, token->d.sign->cert, 0))
+        goto err;
+    if (!ts_verify_cert(store, untrusted, signer, &chain))
         goto err;
     if (!ts_check_signing_certs(si, chain))
         goto err;
@@ -149,6 +156,7 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
 
  err:
     BIO_free_all(p7bio);
+    sk_X509_free(untrusted);
     sk_X509_pop_free(chain, X509_free);
     sk_X509_free(signers);
 
diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in
index d91d06f0fd..402a7a879a 100644
--- a/doc/man1/openssl-ts.pod.in
+++ b/doc/man1/openssl-ts.pod.in
@@ -50,7 +50,7 @@ B<-verify>
 [B<-queryfile> I<request.tsq>]
 [B<-in> I<response.tsr>]
 [B<-token_in>]
-[B<-untrusted> I<file>]
+[B<-untrusted> I<files>|I<uris>]
 [B<-CAfile> I<file>]
 [B<-CApath> I<dir>]
 [B<-CAstore> I<uri>]
@@ -326,14 +326,17 @@ This flag can be used together with the B<-in> option and indicates
 that the input is a DER encoded timestamp token (ContentInfo) instead
 of a timestamp response (TimeStampResp). (Optional)
 
-=item B<-untrusted> I<cert_file.pem>
+=item B<-untrusted> I<files>|I<uris>
 
-Set of additional untrusted certificates in PEM format which may be
-needed when building the certificate chain for the TSA's signing
-certificate. This file must contain the TSA signing certificate and
-all intermediate CA certificates unless the response includes them.
+A set of additional untrusted certificates which may be
+needed when building the certificate chain for the TSA's signing certificate.
+These do not need to contain the TSA signing certificate and intermediate CA
+certificates as far as the response already includes them.
 (Optional)
 
+Multiple sources may be given, separated by commas and/or whitespace.
+Each file may contain multiple certificates.
+
 =item B<-CAfile> I<file>, B<-CApath> I<dir>, B<-CAstore> I<uri>
 
 See L<openssl-verification-options(1)/Trusted Certificate Options> for details.
diff --git a/test/recipes/80-test_tsa.t b/test/recipes/80-test_tsa.t
index 1d80b24bac..3cb8399c87 100644
--- a/test/recipes/80-test_tsa.t
+++ b/test/recipes/80-test_tsa.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -13,7 +13,7 @@ use warnings;
 use POSIX;
 use File::Spec::Functions qw/splitdir curdir catfile/;
 use File::Compare;
-use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file data_file/;
 use OpenSSL::Test::Utils;
 
 setup("test_tsa");
@@ -26,7 +26,9 @@ plan skip_all => "TS is not supported by this OpenSSL build"
 my $openssl_conf;
 my $testtsa;
 my $CAtsa;
-my @RUN;
+my @QUERY = ("openssl", "ts", "-query");
+my @REPLY;
+my @VERIFY = ("openssl", "ts", "-verify");
 
 sub create_tsa_cert {
     my $INDEX = shift;
@@ -51,7 +53,7 @@ sub create_time_stamp_response {
     my $outputfile = shift;
     my $datafile = shift;
 
-    ok(run(app([@RUN, "-reply", "-section", "$datafile",
+    ok(run(app([@REPLY, "-section", "$datafile",
                 "-queryfile", "$queryfile", "-out", "$outputfile"])));
 }
 
@@ -60,10 +62,10 @@ sub verify_time_stamp_response {
     my $inputfile = shift;
     my $datafile = shift;
 
-    ok(run(app([@RUN, "-verify", "-queryfile", "$queryfile",
+    ok(run(app([@VERIFY, "-queryfile", "$queryfile",
                 "-in", "$inputfile", "-CAfile", "tsaca.pem",
                 "-untrusted", "tsa_cert1.pem"])));
-    ok(run(app([@RUN, "-verify", "-data", "$datafile",
+    ok(run(app([@VERIFY, "-data", "$datafile",
                 "-in", "$inputfile", "-CAfile", "tsaca.pem",
                 "-untrusted", "tsa_cert1.pem"])));
 }
@@ -72,7 +74,7 @@ sub verify_time_stamp_response_fail {
     my $queryfile = shift;
     my $inputfile = shift;
 
-    ok(!run(app([@RUN, "-verify", "-queryfile", "$queryfile",
+    ok(!run(app([@VERIFY, "-queryfile", "$queryfile",
                  "-in", "$inputfile", "-CAfile", "tsaca.pem",
                  "-untrusted", "tsa_cert1.pem"])));
 }
@@ -87,7 +89,7 @@ indir "tsa" => sub
     $openssl_conf = srctop_file("test", "CAtsa.cnf");
     $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
     $CAtsa = srctop_file("test", "CAtsa.cnf");
-    @RUN = ("openssl", "ts", "-config", $openssl_conf);
+    @REPLY = ("openssl", "ts", "-config", $openssl_conf, "-reply");
 
     # ../apps/CA.pl needs these
     $ENV{OPENSSL_CONFIG} = "-config $openssl_conf";
@@ -112,19 +114,19 @@ indir "tsa" => sub
      };
 
      skip "failed", 16
-         unless ok(run(app([@RUN, "-query", "-data", $testtsa,
+         unless ok(run(app([@QUERY, "-data", $testtsa,
                             "-tspolicy", "tsa_policy1", "-cert",
                             "-out", "req1.tsq"])),
                    'creating req1.req time stamp request for file testtsa');
 
-     ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])),
+     ok(run(app([@QUERY, "-in", "req1.tsq", "-text"])),
         'printing req1.req');
 
      subtest 'generating valid response for req1.req' => sub {
          create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
      };
 
-     ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])),
+     ok(run(app([@REPLY, "-in", "resp1.tsr", "-text"])),
         'printing response');
 
      subtest 'verifying valid response' => sub {
@@ -133,25 +135,23 @@ indir "tsa" => sub
 
      skip "failed", 11
          unless subtest 'verifying valid token' => sub {
-             ok(run(app([@RUN, "-reply", "-in", "resp1.tsr",
+             ok(run(app([@REPLY, "-in", "resp1.tsr",
                          "-out", "resp1.tsr.token", "-token_out"])));
-             ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq",
+             ok(run(app([@VERIFY, "-queryfile", "req1.tsq",
                          "-in", "resp1.tsr.token", "-token_in",
-                         "-CAfile", "tsaca.pem",
-                         "-untrusted", "tsa_cert1.pem"])));
-             ok(run(app([@RUN, "-verify", "-data", $testtsa,
+                         "-CAfile", "tsaca.pem"])));
+             ok(run(app([@VERIFY, "-data", $testtsa,
                          "-in", "resp1.tsr.token", "-token_in",
-                         "-CAfile", "tsaca.pem",
-                         "-untrusted", "tsa_cert1.pem"])));
+                         "-CAfile", "tsaca.pem"])));
      };
 
      skip "failed", 10
-         unless ok(run(app([@RUN, "-query", "-data", $testtsa,
+         unless ok(run(app([@QUERY, "-data", $testtsa,
                             "-tspolicy", "tsa_policy2", "-no_nonce",
                             "-out", "req2.tsq"])),
                    'creating req2.req time stamp request for file testtsa');
 
-     ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])),
+     ok(run(app([@QUERY, "-in", "req2.tsq", "-text"])),
         'printing req2.req');
 
      skip "failed", 8
@@ -164,20 +164,20 @@ indir "tsa" => sub
              my $RESPONSE2="resp2.tsr.copy.tsr";
              my $TOKEN_DER="resp2.tsr.token.der";
 
-             ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
+             ok(run(app([@REPLY, "-in", "resp2.tsr",
                          "-out", "$TOKEN_DER", "-token_out"])));
-             ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
+             ok(run(app([@REPLY, "-in", "$TOKEN_DER",
                          "-token_in", "-out", "$RESPONSE2"])));
              is(compare($RESPONSE2, "resp2.tsr"), 0);
-             ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
+             ok(run(app([@REPLY, "-in", "resp2.tsr",
                          "-text", "-token_out"])));
-             ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
+             ok(run(app([@REPLY, "-in", "$TOKEN_DER",
                          "-token_in", "-text", "-token_out"])));
-             ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq",
+             ok(run(app([@REPLY, "-queryfile", "req2.tsq",
                          "-text", "-token_out"])));
      };
 
-     ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])),
+     ok(run(app([@REPLY, "-in", "resp2.tsr", "-text"])),
         'printing response');
 
      subtest 'verifying valid response' => sub {
@@ -193,11 +193,11 @@ indir "tsa" => sub
      };
 
      skip "failure", 2
-         unless ok(run(app([@RUN, "-query", "-data", $CAtsa,
+         unless ok(run(app([@QUERY, "-data", $CAtsa,
                             "-no_nonce", "-out", "req3.tsq"])),
                    "creating req3.req time stamp request for file CAtsa.cnf");
 
-     ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])),
+     ok(run(app([@QUERY, "-in", "req3.tsq", "-text"])),
         'printing req3.req');
 
      subtest 'verifying response against wrong request, it should fail' => sub {


More information about the openssl-commits mailing list