Sorry to ask, but i'm a bit lazy now. It seems to me that in crypto-utils.lib, the function loops through the certificates-chain contained in the signature. Nobody can prevent me to send an valid certificate-chain from another CA. Is the first issuer (the CA cert ) verified also in other places? Am I missing something? Do you verify ehe cahin in the function or elsewhere?
The PKCS#7 module verifies with the chain in var/crypto/chain. If the signature object will be created then one parameter to OpenCA::PKCS7 is this chain directory. Nevertheless it is a security bug. Perhaps I should prepare an advisory.
Michael -- ------------------------------------------------------------------- Michael Bell Email: [EMAIL PROTECTED] ZE Computer- und Medienservice Tel.: +49 (0)30-2093 2482 (Computing Centre) Fax: +49 (0)30-2093 2704 Humboldt-University of Berlin Unter den Linden 6 10099 Berlin Email (private): [EMAIL PROTECTED] Germany http://www.openca.org
------------------------------------------------------- This SF.net email is sponsored by: Perforce Software. Perforce is the Fast Software Configuration Management System offering advanced branching capabilities and atomic changes on 50+ platforms. Free Eval! http://www.perforce.com/perforce/loadprog.html _______________________________________________ OpenCA-Devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/openca-devel