I already tested with the line if( $tmpCert->getTXT() ne $sigCert->getTXT() )
but also the form with ->getPEM() should work ok


Alex

Michael Bell wrote:

Alexandru Matei wrote:

Hi all,
I just looked in crypto-utils.lib and I noticed that the actual verification function (sub libCheckSignature) only checks these:
1/ if you get a valid signature object
2/ get the signer certificate according to the serial of the certificate
3/ loop through the certificate chain in the signature until it finds a certificate with the same serial number
The actual verification is concluded ok if in the pkcs7 chain there exists (at least) one certificate with the same serial number as the serial of the certificate???
In other terms, if I have a certificate with serial say 03 signed by another CA I can submit a CRR for any existing certificate, and for the RA operator it will present a "valid signature" since, probably, in the certificate database there would be a certificate with the same serial number.


First there is a bug. Second it is security relevant. Third I think it is not so dangerous. The certificate chain is only valid if it is in OpenCA's chain directory. So the certificate is from a trusted source but this means only that there is perhaps a trusted intruder. There is a line like this:

last if ( $tmpCert->getSerial() eq $sigCert->getSerial() );

Can you replace this line with:

last if ( $tmpCert->getPEM() eq $sigCert->getPEM() );

If this works then we can easily fix the problem.

Michael
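
The signer-matching step discussed in this thread, as an added example that is not part of the original messages and is not OpenCA's code: it runs the serial comparison and the getPEM() comparison over a chain that contains the database certificate and over a chain from another CA that reuses serial 03. MockCert, find_signer and the placeholder PEM strings are assumptions made for illustration; only the getSerial()/getPEM() accessor names come from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in certificate object (hypothetical, not OpenCA's class); it models
# only the getSerial()/getPEM() accessors quoted in the thread.
package MockCert;
sub new       { my ($class, %args) = @_; return bless {%args}, $class; }
sub getSerial { return $_[0]{serial}; }
sub getPEM    { return $_[0]{pem}; }

package main;

# Walk the chain taken from the signature and return the first entry that
# $match says is the signer certificate, or nothing if none matches.
sub find_signer {
    my ($chain, $sigCert, $match) = @_;
    foreach my $tmpCert (@$chain) {
        return $tmpCert if $match->($tmpCert, $sigCert);
    }
    return;
}

# The two comparisons from the thread.
my $by_serial = sub { $_[0]->getSerial() eq $_[1]->getSerial() };
my $by_pem    = sub { $_[0]->getPEM()    eq $_[1]->getPEM() };

# Constructed data. PEM values are placeholder strings, not real certificates.
my $sigCert = MockCert->new(serial => '03', pem => 'PEM-A-03');  # from the database
my %chains  = (
    # chain that really contains the database certificate
    genuine => [ MockCert->new(serial => '01', pem => 'PEM-A-CA'),
                 MockCert->new(serial => '03', pem => 'PEM-A-03') ],
    # chain from another CA that happens to reuse serial 03
    foreign => [ MockCert->new(serial => '01', pem => 'PEM-B-CA'),
                 MockCert->new(serial => '03', pem => 'PEM-B-03') ],
);

foreach my $name (sort keys %chains) {
    my $serial_hit = find_signer($chains{$name}, $sigCert, $by_serial);
    my $pem_hit    = find_signer($chains{$name}, $sigCert, $by_pem);
    printf "%-8s serial match: %-3s  PEM match: %s\n", $name,
        ($serial_hit ? 'yes' : 'no'), ($pem_hit ? 'yes' : 'no');
}
```

A serial number is unique only within one issuing CA, which is why the serial comparison cannot tell the two chains apart. Comparing PEM text assumes both sides produce the same encoding byte for byte.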




OpenCA-Devel mailing list
https://lists.sourceforge.net/lists/listinfo/openca-devel
