OSSL_CMP_validate_msg(): fix check such that OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR becomes usable again

Fixes #23706 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23814)
author: Dr. David von Oheimb <dev@ddvo.net> 2024-03-11 12:48:26 +0100
committer: Dr. David von Oheimb <dev@ddvo.net> 2024-06-17 10:54:03 +0200
commit: b893ceef2feb6b64504446f984ee5a57d2b69d1f (patch)
tree: 39687888880fcd1aebc31398e93807f0e8c32dde /crypto
parent: 80-test_cmp_http_data/test_connection.csv: disable localhost test as not supp... (diff)
download: openssl-b893ceef2feb6b64504446f984ee5a57d2b69d1f.tar.xz
openssl-b893ceef2feb6b64504446f984ee5a57d2b69d1f.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index ec99ab7fe5..47bf38b2af 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -632,7 +632,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
     default:
         scrt = ctx->srvCert;
         if (scrt == NULL) {
-            if (ctx->trusted == NULL) {
+            if (ctx->trusted == NULL && ctx->secretValue != NULL) {
                 ossl_cmp_info(ctx, "no trust store nor pinned server cert available for verifying signature-based CMP message protection");
                 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_TRUST_ANCHOR);
                 return 0;
author	Dr. David von Oheimb <dev@ddvo.net>	2024-03-11 12:48:26 +0100
committer	Dr. David von Oheimb <dev@ddvo.net>	2024-06-17 10:54:03 +0200
commit	b893ceef2feb6b64504446f984ee5a57d2b69d1f (patch)
tree	39687888880fcd1aebc31398e93807f0e8c32dde /crypto
parent	80-test_cmp_http_data/test_connection.csv: disable localhost test as not supp... (diff)
download	openssl-b893ceef2feb6b64504446f984ee5a57d2b69d1f.tar.xz openssl-b893ceef2feb6b64504446f984ee5a57d2b69d1f.zip