(xmlsec-mscng, xmlsec-mscrypto) Support multiple trusted certs with t…

…he same subject (#827)

src/mscng/x509vfy.c

@@ -455,32 +455,33 @@ xmlSecMSCngX509StoreContainsCert(HCERTSTORE store, CERT_NAME_BLOB* name,
     xmlSecAssert2(name != NULL, -1);
     xmlSecAssert2(cert != NULL, -1);
 
-    storeCert = CertFindCertificateInStore(store,
-        X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
-        0,
-        CERT_FIND_SUBJECT_NAME,
-        name,
-        NULL);
-    if (storeCert == NULL) {
-        return (0);
-    }
+    while (TRUE) {
+        storeCert = CertFindCertificateInStore(store,
+            X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+            0,
+            CERT_FIND_SUBJECT_NAME,
+            name,
+            storeCert);
+        if (storeCert == NULL) {
+            return (0);
+        }
 
-    ret = xmlSecMSCngX509StoreVerifySubject(cert, storeCert);
-    if (ret < 0) {
-        xmlSecInternalError("xmlSecMSCngX509StoreVerifySubject", NULL);
-        CertFreeCertificateContext(storeCert);
-        return(-1);
-    } else if (ret == 0) {
-        xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
-            NULL,
-            "xmlSecMSCngX509StoreVerifySubject");
+        ret = xmlSecMSCngX509StoreVerifySubject(cert, storeCert);
+        if (ret < 0) {
+            xmlSecInternalError("xmlSecMSCngX509StoreVerifySubject", NULL);
+            continue; /* storeCert will be released in the next CertFindCertificateInStore() call */
+        } else if (ret == 0) {
+            xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED, NULL, "xmlSecMSCngX509StoreVerifySubject");
+            continue; /* storeCert will be released in the next CertFindCertificateInStore() call */
+        }
+
+        /* success */
         CertFreeCertificateContext(storeCert);
-        return(-1);
+        return(1);
     }
 
-    /* success */
-    CertFreeCertificateContext(storeCert);
-    return(1);
+    /* no luck */
+    return (0);
 }
 
 static int

src/mscrypto/x509vfy.c

@@ -364,32 +364,35 @@ xmlSecMSCryptoX509StoreContainsCert(HCERTSTORE store, CERT_NAME_BLOB* name,
     xmlSecAssert2(cert != NULL, -1);
     xmlSecAssert2(keyDataStore != NULL, -1);
 
-    storeCert = CertFindCertificateInStore(store,
-        X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
-        0,
-        CERT_FIND_SUBJECT_NAME,
-        name,
-        NULL);
-    if (storeCert == NULL) {
-        return (0);
-    }
+    while (TRUE) {
+        storeCert = CertFindCertificateInStore(store,
+            X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+            0,
+            CERT_FIND_SUBJECT_NAME,
+            name,
+            storeCert);
+        if (storeCert == NULL) {
+            return (0);
+        }
 
-    ret = xmlSecMSCryptoX509StoreVerifySubject(keyDataStore, cert, storeCert);
-    if (ret < 0) {
-        xmlSecInternalError("xmlSecMSCryptoX509StoreVerifySubject", NULL);
-        CertFreeCertificateContext(storeCert);
-        return(-1);
-    } else if (ret == 0) {
-        xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
-            NULL,
-            "xmlSecMSCryptoX509StoreVerifySubject");
+        ret = xmlSecMSCryptoX509StoreVerifySubject(keyDataStore, cert, storeCert);
+        if (ret < 0) {
+            xmlSecInternalError("xmlSecMSCryptoX509StoreVerifySubject", NULL);
+            continue; /* storeCert will be released in the next CertFindCertificateInStore() call */
+        } else if (ret == 0) {
+            xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
+                NULL,
+                "xmlSecMSCryptoX509StoreVerifySubject");
+            continue; /* storeCert will be released in the next CertFindCertificateInStore() call */
+        }
+
+        /* success */
         CertFreeCertificateContext(storeCert);
-        return(-1);
+        return(1);
     }
 
-    /* success */
-    CertFreeCertificateContext(storeCert);
-    return(1);
+    /* no luck */
+    return (0);
 }
 
 

tests/testDSig.sh

@@ -1172,16 +1172,17 @@ execDSigTest $res_success \
 
 # Test was created using the following command:
 # xmlsec.exe sign --crypto openssl  --lax-key-search --privkey-pem tests/keys/same-subj-key1.pem,tests/keys/same-subj-cert1.pem tests/aleksey-xmldsig-01/enveloped-x509-same-subj-cert.tmpl
-# this should succeeed with both intermidiate and trusted certs provided
-extra_message="Cert chaing is good"
+
+# this should succeeed with good cert
+extra_message="Cert chain is good"
 execDSigTest $res_success \
     "" \
     "aleksey-xmldsig-01/enveloped-x509-same-subj-cert" \
     "sha256 rsa-sha256" \
     "x509" \
     "--trusted-$cert_format $topfolder/keys/same-subj-cert1.$cert_format --enabled-key-data x509"
 
-# this should fail: missing intermidiate cert (ca2cert)
+# this should fail: Same subject but wrong cert
 extra_message="Negative test: Same subject but wrong cert"
 execDSigTest $res_fail \
     "" \
@@ -1190,6 +1191,24 @@ execDSigTest $res_fail \
     "x509" \
     "--trusted-$cert_format $topfolder/keys/same-subj-cert2.$cert_format --enabled-key-data x509"
 
+# this should succeeed with both good (cert1) and bad (cert2) certs present (simulating key rotation)
+extra_message="Cert chain is good: both good (cert1) and bad (cert2) certs present"
+execDSigTest $res_success \
+    "" \
+    "aleksey-xmldsig-01/enveloped-x509-same-subj-cert" \
+    "sha256 rsa-sha256" \
+    "x509" \
+    "--trusted-$cert_format $topfolder/keys/same-subj-cert1.$cert_format --trusted-$cert_format $topfolder/keys/same-subj-cert2.$cert_format --enabled-key-data x509"
+
+# this should succeeed with both bad (cert2) and good (cert1) certs present (simulating key rotation)
+extra_message="Cert chain is good: both bad (cert2) and good (cert1) certs present"
+execDSigTest $res_success \
+    "" \
+    "aleksey-xmldsig-01/enveloped-x509-same-subj-cert" \
+    "sha256 rsa-sha256" \
+    "x509" \
+    "--trusted-$cert_format $topfolder/keys/same-subj-cert2.$cert_format --trusted-$cert_format $topfolder/keys/same-subj-cert1.$cert_format --enabled-key-data x509"
+
 
 # Test was created using the following command:
 # xmlsec1 sign --lax-key-search --privkey-pem tests/keys/rsakey.pem,tests/keys/rsacert.pem tests/aleksey-xmldsig-01/enveloped-x509-missing-cert.tmpl