security: safely handle missing certificate in StraightVerifyService

khevessy · Nov 14, 2024 · 08ec1b7 · 08ec1b7
1 parent 992d15f
commit 08ec1b7
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/vanetza/security/straight_verify_service.cpp b/vanetza/security/straight_verify_service.cpp
@@ -469,17 +469,20 @@ VerifyConfirm StraightVerifyService::verify(const v3::SecuredMessage& msg)
     }
 
     const v3::asn1::Certificate* certificate = boost::apply_visitor(certificate_lookup_visitor, signer_identifier);
-    if (!certificate && maybe_digest) {
-        if (msg.its_aid() == aid::CA && m_context_v3.m_sign_policy) {
+    if (!certificate) {
+        if (msg.its_aid() == aid::CA && m_context_v3.m_sign_policy && maybe_digest) {
             // for received CAMs (having digest as signer identifier) with unknown AT we request the full AT certificate
             m_context_v3.m_sign_policy->request_unrecognized_certificate(*maybe_digest);
         }
         confirm.report = VerificationReport::Signer_Certificate_Not_Found;
         return confirm;
     }
 
+    // code below can safely dereference certificate
+    assert(certificate != nullptr);
+
     // check AT certificate's validity
-    if (certificate && m_context_v3.m_cert_validator) {
+    if (m_context_v3.m_cert_validator) {
         auto verdict = m_context_v3.m_cert_validator->valid_for_signing(v3::CertificateView { certificate }, msg.its_aid());
         if (verdict != v3::CertificateValidator::Verdict::Valid) {
             confirm.report = VerificationReport::Invalid_Certificate;
@@ -538,7 +541,7 @@ VerifyConfirm StraightVerifyService::verify(const v3::SecuredMessage& msg)
         }
 
         // update certificate cache with received certificate
-        if (certificate && v3::contains_certificate(signer_identifier)) {
+        if (v3::contains_certificate(signer_identifier)) {
             cache.store(v3::Certificate { *certificate });
         }
     }