I just looked in crypto-utils.lib and I noticed that the actual verification function (sub libCheckSignature) only checks these:
1/ if you get a valid signature object
2/ get the signer certificate according to the serial of the certificate
3/ loop through the certificate chain in the signature until you find a certificate with the same serial number
The actual verification is concluded OK if in the PKCS#7 chain there exists (at least) one certificate with the same serial number as the serial of the certificate???
In other terms, if I have a certificate with serial, say, 03 signed by another CA, I can submit a CRR for any existing certificate, and for the RA operator it will present a "valid signature" since, probably, in the certificate database there would be a certificate with the same serial number.
I think that besides the serial, the CN and the issuer should be verified also (at least). The best would be a complete comparison of the two certificates.
Alex
OpenCA-Devel mailing list https://lists.sourceforge.net/lists/listinfo/openca-devel
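The lookup problem described in the post, modelled as an added example (this is not OpenCA's code, and crypto-utils.lib is not involved; the certificate records, issuer names and DER bytes below are constructed stand-ins). It puts the serial-only match next to two stronger matches: issuer plus serial, which is what uniquely identifies a certificate under a given CA, and a byte-for-byte comparison against the certificate on file, which is the "complete compare" the post asks for.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not OpenCA's type)."""
    issuer: str   # issuer DN
    serial: int   # serial number, unique only within one issuer
    subject: str  # subject DN (the CN the post wants checked)
    der: bytes    # encoded certificate, used for the exact comparison


def find_by_serial_only(chain: Iterable[Cert], serial: int) -> Optional[Cert]:
    """The weak lookup from the post: first certificate in the PKCS#7 chain
    whose serial matches. Any CA can issue a certificate with this serial."""
    for cert in chain:
        if cert.serial == serial:
            return cert
    return None


def find_by_issuer_and_serial(chain: Iterable[Cert], issuer: str, serial: int) -> Optional[Cert]:
    """Stronger lookup: issuer DN together with serial. A certificate from a
    different CA that happens to reuse the serial no longer matches."""
    for cert in chain:
        if cert.issuer == issuer and cert.serial == serial:
            return cert
    return None


def find_exact(chain: Iterable[Cert], on_file: Cert) -> Optional[Cert]:
    """Strictest lookup: the chain must contain the very certificate stored
    in the CA database, compared on its encoded bytes."""
    for cert in chain:
        if cert.der == on_file.der:
            return cert
    return None


# Constructed sample data: the certificate the RA has on file, and a
# certificate from an unrelated CA that reuses serial 03.
ON_FILE = Cert("CN=Example Test CA", 3, "CN=alice", b"der:example-ca:03:alice")
OTHER_CA = Cert("CN=Unrelated CA", 3, "CN=someone-else", b"der:unrelated-ca:03")


def serial_only_accepts_other_ca() -> bool:
    """Does the serial-only lookup treat the unrelated-CA certificate as the signer?"""
    return find_by_serial_only([OTHER_CA], ON_FILE.serial) is not None


def issuer_serial_accepts_other_ca() -> bool:
    return find_by_issuer_and_serial([OTHER_CA], ON_FILE.issuer, ON_FILE.serial) is not None


def exact_accepts_other_ca() -> bool:
    return find_exact([OTHER_CA], ON_FILE) is not None


if __name__ == "__main__":
    print("serial only      :", serial_only_accepts_other_ca())     # True: collision accepted
    print("issuer + serial  :", issuer_serial_accepts_other_ca())   # False
    print("exact comparison :", exact_accepts_other_ca())           # False
```

The issuer-plus-serial check is the minimum a practitioner would want, since that pair is what the PKCS#7 SignerInfo itself uses to name the signing certificate; the exact comparison additionally catches a certificate with the same issuer and serial whose other fields differ from the one on file.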