Michael Bell wrote:
> Ives Steglich wrote:
>> looks like the verify chain is date-safe:
>>
>> General Error. The PKCS#7-object signals an error. The signature is not
>> valid.
>> PKCS#7-Error 7932039: OpenCA::PKCS7->parseDepth: There is a problem with
>> the verification of the chain. ( error:10:certificate has expired)
>>
>> so expired certificates are detected - fine
>> no changes necessary for this release for this topic - I think ,o)
>
> This is not correct. The error message is taken from the OpenSSL library.
> It looks like DBM based databases return expired certs as valid ones.

that's not sure - since the signature error is thrown in front of the
certificate checking, so this comes first

the certificate check isn't touched anymore, that's why I defined this as
safe for the moment - code looks like this (the sign error comes before
the cert is loaded and checked):

    libCheckSignature (OBJECT=>$item);
    $sigStatus = $errval;

    ## check signature state - explanation:
    ## $errno gets only set by libCheckSignature in case of real error
    ## $errval gets always set, also in success by libCheckSignature!
    generalError ( $errval ) if $errno;

    ## get signer certificate
    my $tmpCert = libGetSignerCertificateDB( SIGNATURE=>$signer );
    if( not $tmpCert ) {
        generalError ($errval, $errno);
    }

    ## check validity of signer certificate
    if ($tmpCert->getStatus() =~ /revoked/ ||
        $tmpCert->getStatus() =~ /suspended/ ||
        $tmpCert->getStatus() =~ /expired/ ) {
        generalError ( i18nGettext ("Cannot approve request! Invalid Operator-Certificate detected!").
                       "<br>\n".$errval, $errno);
    }

--
Ives Steglich Email: [EMAIL PROTECTED]
System Administration Tel.: +49 (0)3677 - 69 4382/4383
Fax: +49 (0)3677 - 69 4399
Fraunhofer Institute for Digital Media Technology
Langewiesener Strasse 22
98693 Ilmenau Email (private): [EMAIL PROTECTED]
Germany http://www.openca.org
_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel
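
Added example, not part of the original message and not OpenCA code: a signer check that compares the certificate's own notAfter against the clock in addition to the stored status string, so a database entry that still says VALID for an expired certificate (the concern raised in the thread) is rejected. The record layout, field names and the fixed "now" are constructed for illustration.

```perl
use strict;
use warnings;
use Time::Local qw(timegm);

# Constructed records standing in for database entries; the hash layout and
# field names are hypothetical, not OpenCA's.
my %certs = (
    'op-1' => { status => 'VALID',   not_after => '2030-01-01T00:00:00Z' },
    'op-2' => { status => 'VALID',   not_after => '2004-01-01T00:00:00Z' },  # stale status
    'op-3' => { status => 'REVOKED', not_after => '2030-01-01T00:00:00Z' },
);

# Parse a UTC timestamp into epoch seconds; returns undef if malformed.
sub parse_utc {
    my ($ts) = @_;
    return undef unless defined $ts;
    my @f = $ts =~ /^(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)Z$/
        or return undef;
    # timegm dies on out-of-range fields (e.g. month 13); treat that as malformed.
    return eval { timegm($f[5], $f[4], $f[3], $f[2], $f[1] - 1, $f[0]) };
}

# Decide whether a signer certificate may be used without trusting the stored
# status alone. Fails closed on missing or unparsable data. Returns (ok, reason).
sub signer_usable {
    my ($cert, $now) = @_;
    return (0, 'signer certificate not found') unless $cert;
    my $status = $cert->{status} // '';
    return (0, "stored status is $status")
        if $status =~ /revoked|suspended|expired/i;
    my $end = parse_utc($cert->{not_after});
    return (0, 'notAfter missing or unparsable') unless defined $end;
    return (0, 'notAfter has passed although stored status is not expired')
        if $now >= $end;
    return (1, 'ok');
}

# Constructed evaluation time so the output does not depend on the wall clock.
my $now = parse_utc('2025-01-01T00:00:00Z');

# 'op-4' is deliberately absent from %certs to exercise the lookup failure.
for my $id ('op-1', 'op-2', 'op-3', 'op-4') {
    my ($ok, $why) = signer_usable($certs{$id}, $now);
    printf "%-5s %-6s %s\n", $id, ($ok ? 'accept' : 'reject'), $why;
}
```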