Michael Bell wrote:

Alexandru Matei wrote:

Hi all,
I just looked in crypto-utils.lib and I noticed that the actual verification function (sub libCheckSignature) only checks these:
1/ if you get a valid signature object
2/ get the signer certificate according to the serial of the certificate
3/ loop through the certificate chain in the signature until a certificate with the same serial number is found
The actual verification is concluded ok if in the pkcs7 chain there exists (at least) one certificate with the same serial number as the serial of the certificate???
In other terms, if I have a certificate with serial, say, 03 signed by another CA, I can submit a CRR for any existing certificate, and for the RA operator it will present a "valid signature" since, probably, in the certificate database there would be a certificate with the same serial number.


First there is a bug. Second it is security relevant. Third I think it is not so dangerous. The certificate chain is only valid if it is in OpenCA's chain directory.

Sorry to ask, but I'm a bit lazy now. It seems to me that in crypto-utils.lib, the function loops through the certificate chain contained in the signature. Nobody can prevent me from sending a valid certificate chain from another CA. Is the first issuer (the CA cert) verified also in other places? Am I missing something? Do you verify the chain in the function or elsewhere?


Thanks,

Alex


So the certificate is from a trusted source but this means only that there is perhaps a trusted intruder. There is a line like this:

last if ( $tmpCert->getSerial() eq $sigCert->getSerial() );

Can you replace this line with:

last if ( $tmpCert->getPEM() eq $sigCert->getPEM() );

If this works then we can easily fix the problem.

Michael
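As an added illustration of the defect and of the one-line fix proposed above (this is not OpenCA code; the certificate objects, the trusted-issuer set and the sample chain are constructed stand-ins, and the issuer check is an assumption about what the chain-directory lookup provides):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (no real DER/PEM parsing)."""
    issuer: str
    serial: str
    pem: str  # the whole encoded certificate, standing in for getPEM()


def check_signature_serial_only(pkcs7_chain, signer_cert):
    """The weak check described in the thread: a certificate from the PKCS#7
    chain is accepted as the signer as soon as its serial number matches the
    certificate looked up in the database (getSerial() eq getSerial())."""
    for tmp_cert in pkcs7_chain:
        if tmp_cert.serial == signer_cert.serial:
            return True
    return False


def check_signature_full_cert(pkcs7_chain, signer_cert, trusted_issuers):
    """The proposed fix (compare the whole encoded certificate, getPEM() eq
    getPEM()) plus the issuer check the thread asks about: the matching
    certificate must come from a CA in the local chain directory, modelled
    here as a set of issuer names (an assumption, not OpenCA's own logic)."""
    for tmp_cert in pkcs7_chain:
        if tmp_cert.pem == signer_cert.pem:
            return tmp_cert.issuer in trusted_issuers
    return False


# Constructed sample data: the legitimate signer (serial 03, issued by our CA)
# and an unrelated CA's certificate that happens to carry the same serial.
OUR_CA = "CN=OpenCA Test CA"
OTHER_CA = "CN=Other CA"
LEGIT = Cert(OUR_CA, "03", "-----BEGIN CERTIFICATE-----\nLEGIT03\n-----END CERTIFICATE-----")
FOREIGN = Cert(OTHER_CA, "03", "-----BEGIN CERTIFICATE-----\nFOREIGN03\n-----END CERTIFICATE-----")
FOREIGN_ROOT = Cert(OTHER_CA, "01", "-----BEGIN CERTIFICATE-----\nOTHERROOT\n-----END CERTIFICATE-----")


def demo():
    """A CRR whose PKCS#7 carries the foreign chain while the database lookup
    by serial returns our certificate 03. Returns (weak_result, fixed_result):
    the serial-only check accepts it, the full-certificate check rejects it."""
    foreign_chain = [FOREIGN, FOREIGN_ROOT]
    weak = check_signature_serial_only(foreign_chain, LEGIT)
    fixed = check_signature_full_cert(foreign_chain, LEGIT, {OUR_CA})
    return weak, fixed
```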




OpenCA-Devel mailing list
https://lists.sourceforge.net/lists/listinfo/openca-devel
