Alexandru Matei wrote:

Sorry to ask, but I'm a bit lazy now. It seems to me that in crypto-utils.lib, the function loops through the certificate chain contained in the signature. Nobody can prevent me from sending a valid certificate chain from another CA. Is the first issuer (the CA cert) verified also in other places? Am I missing something? Do you verify the chain in the function or elsewhere?

The PKCS#7 module verifies with the chain in var/crypto/chain. When the signature object is created, one parameter to OpenCA::PKCS7 is this chain directory. Nevertheless it is a security bug. Perhaps I should prepare an advisory.


Michael
--
-------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice            Tel.: +49 (0)30-2093 2482
(Computing Centre)                        Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): [EMAIL PROTECTED]
Germany                                       http://www.openca.org

_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel