Fix CVE-2025-24807

Adds verification of CA certificates when loading them, thus disabling the usage of expired CA certificates.
It also enables the usage of an intermediate CA for signing governance and permissions documents.

* Added expired CA files for regression tests.
* Added chained CA files for regression tests.
* Added regression tests.
* Verify CA certificates in `FileProvider::load_ca`.
* Allow chained permissions CA.

Signed-off-by: Miguel Company <[email protected]>
Signed-off-by: RookieCLY <[email protected]>

Author: MiguelCompany

src/cpp/security/accesscontrol/Permissions.cpp

@@ -380,9 +380,9 @@ static BIO* load_and_verify_document(
             }
         }
 
-        if (1 != sk_X509_num(stack))
+        if (0 == sk_X509_num(stack))
         {
-            exception = _SecurityException_("Certificate store should have exactly one certificate");
+            exception = _SecurityException_("Certificate store should have at least one certificate");
 
             sk_X509_free(stack);
             stack = nullptr;

src/cpp/security/artifact_providers/FileProvider.cpp

@@ -53,6 +53,7 @@ X509_STORE* FileProvider::load_ca(
             if (BIO_read_filename(in, ca.substr(7).c_str()) > 0)
             {
                 STACK_OF(X509_INFO) * inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
+                X509* ca_cert = nullptr;
 
                 if (inf != nullptr)
                 {
@@ -65,6 +66,11 @@ X509_STORE* FileProvider::load_ca(
 
                         if (itmp->x509)
                         {
+                            if (nullptr == ca_cert)
+                            {
+                                ca_cert = itmp->x509;
+                            }
+
                             // Retrieve subject name for future use.
                             if (ca_sn.empty())
                             {
@@ -102,9 +108,34 @@ X509_STORE* FileProvider::load_ca(
 
                     if (count > 0)
                     {
-                        BIO_free(in);
+                        // Verify CA certificate.
+                        unsigned long flags = 0;
+                        flags |= X509_V_FLAG_CHECK_SS_SIGNATURE | X509_V_FLAG_POLICY_CHECK;
+                        flags |= X509_V_FLAG_X509_STRICT;
+                        X509_STORE_CTX* ctx = X509_STORE_CTX_new();
+                        if (nullptr != ctx)
+                        {
+                            X509_STORE_CTX_init(ctx, store, ca_cert, NULL);
+                            X509_STORE_CTX_set_flags(ctx, flags);
+                            if (X509_verify_cert(ctx) == 1)
+                            {
+                                X509_STORE_CTX_free(ctx);
+                                BIO_free(in);
+                                return store;
+                            }
+
+                            int error_code = X509_STORE_CTX_get_error(ctx);
+                            const char* error_msg = X509_verify_cert_error_string(error_code);
 
-                        return store;
+                            exception = _SecurityException_(
+                                    "Error '" + std::to_string(error_code) + "' verifying CA certificate for " +
+                                    ca_sn + ": " + error_msg);
+                            X509_STORE_CTX_free(ctx);
+                        }
+                        else
+                        {
+                            exception = _SecurityException_("Error creating X509 store context");
+                        }
                     }
                 }
                 else

test/certs/chainedcacert.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIICXzCCAgWgAwIBAgICEAAwCgYIKoZIzj0EAwIwgaAxCzAJBgNVBAYTAkVTMQsw
+CQYDVQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9z
+aW1hMREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgVGVzdCBS
+b290IENBMSgwJgYJKoZIhvcNAQkBFhl0ZXN0X3Jvb3RfY2FAZXByb3NpbWEuY29t
+MB4XDTI1MDExNTEwMTExNVoXDTM1MDExMzEwMTExNVowaDELMAkGA1UEBhMCRVMx
+CzAJBgNVBAgMAk1BMREwDwYDVQQKDAhlUHJvc2ltYTERMA8GA1UECwwIZVByb3Np
+bWExJjAkBgNVBAMMHWVQcm9zaW1hIFRlc3QgSW50ZXJtZWRpYXRlIENBMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAE8bIZuec3pCV3hEHXEFn82NKnjSKEB3lkRSOu
++bTXBMZ5fwe6oQTv9hDNfT+XTKSnom0Embbg//S7bb+fb5JlA6NmMGQwHQYDVR0O
+BBYEFOvgxNzYB2Rxz4HDRCkUderCDcpHMB8GA1UdIwQYMBaAFKaSeSIbLAgxD7zm
+QNxLEY4kICzTMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMAoG
+CCqGSM49BAMCA0gAMEUCIC9diVLvZMCC6hKoPJzn9fZ0KEHzFk1C91FNjUmwpkVZ
+AiEAqAqmu2WdMFUMsNmsSQIzt2HYnqrVn7N2lvlprkUjMjM=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICpzCCAk2gAwIBAgIUJQFIA2lEJY+/PTqIux/axqQ1F2UwCgYIKoZIzj0EAwIw
+gaAxCzAJBgNVBAYTAkVTMQswCQYDVQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50
+b3MxETAPBgNVBAoMCGVQcm9zaW1hMREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UE
+AwwVZVByb3NpbWEgVGVzdCBSb290IENBMSgwJgYJKoZIhvcNAQkBFhl0ZXN0X3Jv
+b3RfY2FAZXByb3NpbWEuY29tMB4XDTI1MDExNTA5MjMzNFoXDTQ1MDExMDA5MjMz
+NFowgaAxCzAJBgNVBAYTAkVTMQswCQYDVQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBD
+YW50b3MxETAPBgNVBAoMCGVQcm9zaW1hMREwDwYDVQQLDAhlUHJvc2ltYTEeMBwG
+A1UEAwwVZVByb3NpbWEgVGVzdCBSb290IENBMSgwJgYJKoZIhvcNAQkBFhl0ZXN0
+X3Jvb3RfY2FAZXByb3NpbWEuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+2lYCGPFtW774ZgMgNOKQ6qdocJyiIFfiEwS58tF1uBdkxPsh1kfGFB7fHFOtwNPh
+CnSOPGgo1EVqBp3cEipD06NjMGEwHQYDVR0OBBYEFKaSeSIbLAgxD7zmQNxLEY4k
+ICzTMB8GA1UdIwQYMBaAFKaSeSIbLAgxD7zmQNxLEY4kICzTMA8GA1UdEwEB/wQF
+MAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMCA0gAMEUCIE9qvbOVyQwo
+nGOObUbUE+/OGG22/axZI6q7C3ttnTxqAiEAymMnYLr1evO4E0TaEhbSC0LNDP/j
+OR+xBiuCUbXq1is=
+-----END CERTIFICATE-----

test/certs/expired_ca_cert.pem

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICZzCCAg2gAwIBAgIUZGCfUDVyxQhCHFIbIM42sFnAwKswCgYIKoZIzj0EAwIw
+gZoxCzAJBgNVBAYTAkVTMQswCQYDVQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50
+b3MxETAPBgNVBAoMCGVQcm9zaW1hMREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UE
+AwwVZVByb3NpbWEgTWFpbiBUZXN0IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FA
+ZXByb3NpbWEuY29tMB4XDTI1MDExMDE2MDAwMFoXDTI1MDExMTE2MDAwMFowgZox
+CzAJBgNVBAYTAkVTMQswCQYDVQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3Mx
+ETAPBgNVBAoMCGVQcm9zaW1hMREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwV
+ZVByb3NpbWEgTWFpbiBUZXN0IENBMSIwIAYJKoZIhvcNAQkBFhNtYWluY2FAZXBy
+b3NpbWEuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3roiCZVhjBQTsP3z
+4gth7UNQlrAnGwI0M1FvwmFZMPaGoaWt+4JCyPqL//OH9CgDz5THK0kUyrEesPwA
+L4k3C6MvMC0wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUPEHc5miSwb+mZtS6HgT6
+im4YoDswCgYIKoZIzj0EAwIDSAAwRQIhAM42l2crii8qFHznr8x1Z9h6KmLAYb+Z
+6waTU2feHUgwAiAsMS+BzAhMVCXNp5d3nP949CeIlxSpOLFUtRZ6US35mw==
+-----END CERTIFICATE-----

test/certs/expired_ca_key.pem

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgX6/M7Gc6IM0qIVee
+zsCwTDHZTN1vcJkhWPw0YiqvFiihRANCAATeuiIJlWGMFBOw/fPiC2HtQ1CWsCcb
+AjQzUW/CYVkw9oahpa37gkLI+ov/84f0KAPPlMcrSRTKsR6w/AAviTcL
+-----END PRIVATE KEY-----

test/certs/governance_signed_by_chained_ca.smime

@@ -0,0 +1,73 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----D68F40C4737C759E420C091F6D85ECB8"
+
+This is an S/MIME signed message
+
+------D68F40C4737C759E420C091F6D85ECB8
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="omg_shared_ca_domain_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+            <enable_join_access_control>true</enable_join_access_control>
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <rtps_protection_kind>ENCRYPT</rtps_protection_kind>
+            <topic_access_rules>
+                <topic_rule>
+                    <topic_expression>HelloWorldTopic_*</topic_expression>
+                    <enable_discovery_protection>true</enable_discovery_protection>
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <enable_write_access_control>true</enable_write_access_control>
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+
+------D68F40C4737C759E420C091F6D85ECB8
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIEmgYJKoZIhvcNAQcCoIIEizCCBIcCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggJjMIICXzCCAgWgAwIBAgICEAAwCgYIKoZIzj0EAwIwgaAxCzAJ
+BgNVBAYTAkVTMQswCQYDVQQIDAJNQTEUMBIGA1UEBwwLVHJlcyBDYW50b3MxETAP
+BgNVBAoMCGVQcm9zaW1hMREwDwYDVQQLDAhlUHJvc2ltYTEeMBwGA1UEAwwVZVBy
+b3NpbWEgVGVzdCBSb290IENBMSgwJgYJKoZIhvcNAQkBFhl0ZXN0X3Jvb3RfY2FA
+ZXByb3NpbWEuY29tMB4XDTI1MDExNTEwMTExNVoXDTM1MDExMzEwMTExNVowaDEL
+MAkGA1UEBhMCRVMxCzAJBgNVBAgMAk1BMREwDwYDVQQKDAhlUHJvc2ltYTERMA8G
+A1UECwwIZVByb3NpbWExJjAkBgNVBAMMHWVQcm9zaW1hIFRlc3QgSW50ZXJtZWRp
+YXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8bIZuec3pCV3hEHXEFn8
+2NKnjSKEB3lkRSOu+bTXBMZ5fwe6oQTv9hDNfT+XTKSnom0Embbg//S7bb+fb5Jl
+A6NmMGQwHQYDVR0OBBYEFOvgxNzYB2Rxz4HDRCkUderCDcpHMB8GA1UdIwQYMBaA
+FKaSeSIbLAgxD7zmQNxLEY4kICzTMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0P
+AQH/BAQDAgGGMAoGCCqGSM49BAMCA0gAMEUCIC9diVLvZMCC6hKoPJzn9fZ0KEHz
+Fk1C91FNjUmwpkVZAiEAqAqmu2WdMFUMsNmsSQIzt2HYnqrVn7N2lvlprkUjMjMx
+ggH7MIIB9wIBATCBpzCBoDELMAkGA1UEBhMCRVMxCzAJBgNVBAgMAk1BMRQwEgYD
+VQQHDAtUcmVzIENhbnRvczERMA8GA1UECgwIZVByb3NpbWExETAPBgNVBAsMCGVQ
+cm9zaW1hMR4wHAYDVQQDDBVlUHJvc2ltYSBUZXN0IFJvb3QgQ0ExKDAmBgkqhkiG
+9w0BCQEWGXRlc3Rfcm9vdF9jYUBlcHJvc2ltYS5jb20CAhAAMA0GCWCGSAFlAwQC
+AQUAoIHkMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8X
+DTI1MDExNTEwMzMzMFowLwYJKoZIhvcNAQkEMSIEIEX4h64CzxuL+TR7vnsit4e0
+bEtA1800Dwo4I4sCOjfmMHkGCSqGSIb3DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsG
+CWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwIC
+AgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMAoGCCqG
+SM49BAMCBEYwRAIgHrwDKsTipUhve5U+fRAhOGC1LcljM7it+bEVZ4aXEtMCIDcU
+hO+nIoZds6f32lg79mSRHO5y+FlMLmNwt7C3Hc9A
+
+------D68F40C4737C759E420C091F6D85ECB8--
+

test/certs/governance_signed_by_expired_ca.smime

@@ -0,0 +1,74 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----3FDCF0E7A3C0A71DB007000D42CFC9B1"
+
+This is an S/MIME signed message
+
+------3FDCF0E7A3C0A71DB007000D42CFC9B1
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="omg_shared_ca_domain_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+            <enable_join_access_control>true</enable_join_access_control>
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <rtps_protection_kind>ENCRYPT</rtps_protection_kind>
+            <topic_access_rules>
+                <topic_rule>
+                    <topic_expression>HelloWorldTopic_*</topic_expression>
+                    <enable_discovery_protection>true</enable_discovery_protection>
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <enable_write_access_control>true</enable_write_access_control>
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+
+------3FDCF0E7A3C0A71DB007000D42CFC9B1
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIErwYJKoZIhvcNAQcCoIIEoDCCBJwCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggJrMIICZzCCAg2gAwIBAgIUZGCfUDVyxQhCHFIbIM42sFnAwKsw
+CgYIKoZIzj0EAwIwgZoxCzAJBgNVBAYTAkVTMQswCQYDVQQIDAJNQTEUMBIGA1UE
+BwwLVHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1hMREwDwYDVQQLDAhlUHJv
+c2ltYTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0IENBMSIwIAYJKoZIhvcN
+AQkBFhNtYWluY2FAZXByb3NpbWEuY29tMB4XDTI1MDExMDE2MDAwMFoXDTI1MDEx
+MTE2MDAwMFowgZoxCzAJBgNVBAYTAkVTMQswCQYDVQQIDAJNQTEUMBIGA1UEBwwL
+VHJlcyBDYW50b3MxETAPBgNVBAoMCGVQcm9zaW1hMREwDwYDVQQLDAhlUHJvc2lt
+YTEeMBwGA1UEAwwVZVByb3NpbWEgTWFpbiBUZXN0IENBMSIwIAYJKoZIhvcNAQkB
+FhNtYWluY2FAZXByb3NpbWEuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+3roiCZVhjBQTsP3z4gth7UNQlrAnGwI0M1FvwmFZMPaGoaWt+4JCyPqL//OH9CgD
+z5THK0kUyrEesPwAL4k3C6MvMC0wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUPEHc
+5miSwb+mZtS6HgT6im4YoDswCgYIKoZIzj0EAwIDSAAwRQIhAM42l2crii8qFHzn
+r8x1Z9h6KmLAYb+Z6waTU2feHUgwAiAsMS+BzAhMVCXNp5d3nP949CeIlxSpOLFU
+tRZ6US35mzGCAggwggIEAgEBMIGzMIGaMQswCQYDVQQGEwJFUzELMAkGA1UECAwC
+TUExFDASBgNVBAcMC1RyZXMgQ2FudG9zMREwDwYDVQQKDAhlUHJvc2ltYTERMA8G
+A1UECwwIZVByb3NpbWExHjAcBgNVBAMMFWVQcm9zaW1hIE1haW4gVGVzdCBDQTEi
+MCAGCSqGSIb3DQEJARYTbWFpbmNhQGVwcm9zaW1hLmNvbQIUZGCfUDVyxQhCHFIb
+IM42sFnAwKswDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3
+DQEHATAcBgkqhkiG9w0BCQUxDxcNMjUwMTE0MTE0MTE5WjAvBgkqhkiG9w0BCQQx
+IgQgRfiHrgLPG4v5NHu+eyK3h7RsS0DXzTQPCjgjiwI6N+YweQYJKoZIhvcNAQkP
+MWwwajALBglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggq
+hkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcw
+DQYIKoZIhvcNAwICASgwCgYIKoZIzj0EAwIERzBFAiB5QjEPWjxi8yGjKnWFk/ZO
+fjkUAZHV8hGN9wgSgRTNcQIhAPPkRLwgGL4rCznv5rVCtLn8YIjEOmnW3VAlb2pT
+/qcE
+
+------3FDCF0E7A3C0A71DB007000D42CFC9B1--
+