On 15.3.2013 22:34, Peter Sylvester wrote:
for those who don't read openssl-dev
Thanks - I did not know that it was being discussed there too.
I have no experience with patching, compiling, etc., so I have to wait for
a package in the repo or a PPA.
=>
If you have the updated version, could you please run and test:
openssl ts -verify -queryfile file.txt-nononce-sha256-nocert.tsq -in
file.txt-nononce-sha256-nocert.postsignum.tsr -CAfile
postsignum_qca2_root.pem -untrusted postsignum_qca2_sub+tsa_tsu2-newer.pem
Verification: FAILED
139898903938720:error:2F067065:time stamp
routines:TS_CHECK_SIGNING_CERTS:ess signing certificate
error:ts_rsp_verify.c:291:
All needed files are in attachment.
The signing cert is the first ESSCertId in the certs in the TSR, so it
should pass now. Does it?
FYI: it is a real (not testTSA) version without "-cert".
--------------------------
The version with the cert included in the TSR already fails at parsing.
Does this change in the patched version?
(BTW, manual parsing with asn1parse works.)
openssl ts -verify -queryfile file.txt-nonce-sha256-cert.tsq -in
file.txt-nonce-sha256-cert.postsignum.tsr -CAfile
postsig/postsignum_qca2_root.pem -untrusted
postsig/postsignum_qca2_sub+tsa_tsu2-newer.pem
Verification: FAILED
139961289148064:error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
139961289148064:error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509
139961289148064:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:711:Field=cert, Type=PKCS7_SIGNED
139961289148064:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:
139961289148064:error:0D08403A:asn1 encoding
routines:ASN1_TEMPLATE_EX_D2I:nested asn1
error:tasn_dec.c:579:Field=d.sign, Type=PKCS7
139961289148064:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:751:Field=token, Type=TS_RESP
Thanks --kapetr
-------- Original Message --------
Subject: [openssl.org #3016] openssl ts fix
Date: Wed, 13 Mar 2013 16:13:31 +0100
From: Peter Sylvester via RT <r...@openssl.org>
Reply-To: openssl-...@openssl.org
CC: openssl-...@openssl.org
Hi,
I have "weakened" the Esscertid logic a bit. Only the signer certificate is
checked and it must be in the first Esscertid.
This resolves issues when TSAs add attribute certs etc.
Since RFC 3161 does not require a client to check anything
other than the presence of the signer cert (and even that is badly written),
I think the verification of a "chain" in the ess was not appropriate
logic.
regards
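To make the difference between the two ESSCertID policies discussed in this thread concrete, here is an added example (not code from the thread, from OpenSSL, or from either poster). It models the "chain-style" check that rejects a TSR as soon as one ESSCertID matches no certificate the verifier holds, next to the relaxed check Peter describes, where only the first ESSCertID has to identify the signer. The certificate byte strings are constructed stand-ins: ESSCertID only ever hashes the complete DER-encoded certificate (SHA-1 for ESSCertID per RFC 2634, SHA-256 by default for ESSCertIDv2 per RFC 5035), so opaque bytes are enough to exercise the logic, and the example goes slightly beyond the thread by accepting either hash form. Function names and the tuple layout of an ESSCertID are the example's own assumptions.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# The ESSCertID check hashes the whole DER blob, so opaque bytes suffice here.
SIGNER_CERT_DER = b"constructed: TSA signing certificate (DER)"
SUB_CA_CERT_DER = b"constructed: TSA issuing sub-CA certificate (DER)"
ATTR_CERT_DER = b"constructed: attribute certificate added by the TSA (DER)"


def ess_cert_hash(cert_der, hash_name="sha1"):
    """certHash as carried in an ESSCertID (SHA-1, RFC 2634) or an ESSCertIDv2
    (RFC 5035, SHA-256 unless another hashAlgorithm is named): the digest of
    the complete DER-encoded certificate."""
    return hashlib.new(hash_name, cert_der).digest()


def make_ess_cert_id(cert_der, hash_name="sha1"):
    """Constructed ESSCertID entry as (hash algorithm, certHash); this is the
    shape the example assumes for each entry of the signing-certificate attribute."""
    return (hash_name, ess_cert_hash(cert_der, hash_name))


def verify_strict(signer_der, chain_der, ess_ids):
    """Chain-style check: every ESSCertID in the attribute must match a cert the
    verifier knows (the signer or its chain). A TSA that appends attribute certs
    the verifier does not hold fails here although the signer is identified."""
    known = [signer_der] + list(chain_der)
    for idx, (hash_name, cert_hash) in enumerate(ess_ids):
        if not any(ess_cert_hash(c, hash_name) == cert_hash for c in known):
            return (False, f"ESSCertID[{idx}] matches no certificate in the chain")
    return (True, "all ESSCertIDs matched")


def verify_first_only(signer_der, ess_ids):
    """Relaxed check as described in the thread: only the signer certificate is
    checked, and it must be the one identified by the first ESSCertID."""
    if not ess_ids:
        return (False, "signing-certificate attribute carries no ESSCertID")
    hash_name, cert_hash = ess_ids[0]
    if ess_cert_hash(signer_der, hash_name) != cert_hash:
        return (False, "first ESSCertID does not identify the signer certificate")
    return (True, "signer certificate identified by ESSCertID[0]")


def demo():
    """Run both checks over a constructed TSR whose signing-certificate attribute
    lists the signer first and then an attribute certificate the verifier lacks,
    plus a response that puts the sub-CA first (which must still fail)."""
    ess_ids = [make_ess_cert_id(SIGNER_CERT_DER), make_ess_cert_id(ATTR_CERT_DER)]
    strict = verify_strict(SIGNER_CERT_DER, [SUB_CA_CERT_DER], ess_ids)
    relaxed = verify_first_only(SIGNER_CERT_DER, ess_ids)
    wrong_order = verify_first_only(
        SIGNER_CERT_DER,
        [make_ess_cert_id(SUB_CA_CERT_DER), make_ess_cert_id(SIGNER_CERT_DER)],
    )
    return strict, relaxed, wrong_order


if __name__ == "__main__":
    for label, (ok, reason) in zip(("strict", "first-only", "wrong order"), demo()):
        print(f"{label:12s}: {'OK' if ok else 'FAILED'} ({reason})")
```

The strict variant reproduces the failure mode kapetr reports above (a TSR that carries an extra certificate in its ESSCertID list is rejected even though the signer is correctly identified), while the first-only variant accepts it and still rejects a response whose first ESSCertID is not the signer, which is the one property RFC 3161 actually asks a client to check.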
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org