Michael Bell wrote:

Ives Steglich wrote:

looks like the verify chain is date-safe:

General Error. The PKCS#7-object signals an error. The signature is not
valid.

PKCS#7-Error 7932039: OpenCA::PKCS7->parseDepth: There is a problem with
the verification of the chain. ( error:10:certificate has expired)
so expired certificates are detected - fine
no changes necessary for this release for this topic - I think ,o)


This is not correct. The error message is taken from the OpenSSL library. It looks like DBM based databases return expired certs as valid ones.

that's not sure - since the signature error is thrown before the
certificate checking, so this comes first

the certificate check isn't touched anymore, that's why I defined this as
safe for the moment - the code looks like this (the signature error comes
before the cert is loaded and checked):


libCheckSignature (OBJECT=>$item); $sigStatus = $errval;

## check signature state - explanation:
## $errno gets only set by libCheckSignature in case of a real error
## $errval gets always set, also on success, by libCheckSignature!
generalError ( $errval ) if $errno;

## get signer certificate
my $tmpCert = libGetSignerCertificateDB( SIGNATURE=>$signer );
if( not $tmpCert ) {
        generalError ($errval, $errno);
}
## check validity of signer certificate
if ($tmpCert->getStatus() =~ /revoked/ || $tmpCert->getStatus() =~ /suspended/
                                       || $tmpCert->getStatus() =~ /expired/ ) {
        generalError ( i18nGettext ("Cannot approve request! Invalid Operator-Certificate detected!").
                                    "<br>\n".$errval, $errno);
}

--
Ives Steglich                Email: [EMAIL PROTECTED]
System Administration        Tel.:  +49 (0)3677 - 69 4382/4383
                             Fax:   +49 (0)3677 - 69 4399

Fraunhofer Institute for Digital Media Technology
Langewiesener Strasse 22
98693 Ilmenau                Email (private): [EMAIL PROTECTED]
Germany                      http://www.openca.org
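The operator-certificate status check the thread turns on, rendered as an added Python example (not OpenCA's own code): revoked and suspended are taken from the stored database status, but "expired" is recomputed from the validity window instead of being trusted from the record, so a backend that still reports an expired certificate as "valid" (the DBM behaviour Michael describes) is still rejected. The record layout, timestamps and function names are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed certificate-database records (assumption: the backend exposes a
# stored status string plus the validity window as ISO-8601 Zulu timestamps).
OPERATOR_CERTS = {
    "alice": {"status": "valid",   "notBefore": "2003-01-01T00:00:00Z", "notAfter": "2005-01-01T00:00:00Z"},
    "bob":   {"status": "valid",   "notBefore": "2003-01-01T00:00:00Z", "notAfter": "2004-03-01T00:00:00Z"},
    "carol": {"status": "revoked", "notBefore": "2003-01-01T00:00:00Z", "notAfter": "2005-01-01T00:00:00Z"},
    "dave":  {"status": "valid",   "notBefore": "2004-09-01T00:00:00Z", "notAfter": "2005-09-01T00:00:00Z"},
}


def _parse(ts: str) -> datetime:
    # Parse a Zulu timestamp into an aware UTC datetime.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def effective_status(record: dict, now: datetime) -> str:
    """Status the approval check should act on.

    revoked/suspended come from the database (only the CA knows them); the
    validity window is recomputed from notBefore/notAfter so that a stored
    'valid' never masks an expired or not-yet-valid certificate.
    """
    stored = record["status"].lower()
    if stored in ("revoked", "suspended"):
        return stored
    if now < _parse(record["notBefore"]):
        return "not_yet_valid"
    if now > _parse(record["notAfter"]):
        return "expired"
    return stored


def operator_cert_acceptable(record: dict, now: datetime) -> bool:
    # Same rejection list as the Perl snippet, plus the not-yet-valid case.
    return effective_status(record, now) not in (
        "revoked", "suspended", "expired", "not_yet_valid")


if __name__ == "__main__":
    now = _parse("2004-06-01T00:00:00Z")  # constructed "current time"
    for name, rec in OPERATOR_CERTS.items():
        verdict = "accept" if operator_cert_acceptable(rec, now) else "reject"
        print(f"{name}: stored={rec['status']} effective={effective_status(rec, now)} -> {verdict}")
```

Bob's record is the case at issue: the database still says "valid", but the recomputed status is "expired" and the request is rejected.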


