- Description has changed:

Diff:

~~~~

--- old
+++ new
@@ -13,4 +13,4 @@
 
     ERR: Add failed: good.roa: error Duplicate signature (-90)
 
-and the `query` utility will report `bad.roa` and `good.roa.cet` as accepted.  
It should accept `good.roa`, not `bad.roa` (the two are identical, however, 
when you ignore the EE cert).
+and the `query` utility will report `bad.roa` and `good.roa.cer` as accepted.  
It should accept `good.roa`, not `bad.roa` (the two are identical, however, 
when you ignore the EE cert).

~~~~
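Review bot: in the corrected `+` line, `good.roa.cer` is listed as accepted without saying what that file is, and the following sentence only contrasts `good.roa` with `bad.roa`. Suggest adding a clause that identifies `good.roa.cer` and states whether its acceptance is expected, so a reader can tell which of the two reported results is the bug.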




---

**[tickets:#28] a ROA with EE cert replaced with specially-crafted invalid cert is sort-of accepted in certain circumstances**

**Status:** accepted
**Created:** Thu Nov 05, 2015 05:30 AM UTC by Richard Hansen
**Last Updated:** Thu Nov 05, 2015 05:37 AM UTC
**Owner:** Richard Hansen


With the following sequence of events:

  1. empty the RPSTIR database
  2. get/generate a valid ROA file and call it `good.roa`
  3. extract the EE certificate
  4. invalidate the extracted EE certificate in some way that's not immediately 
detectable by RPSTIR without additional information (e.g., re-issue the same EE 
cert from a different CA that doesn't hold the resources in the EE cert)
  5. put the bad certificate back in the ROA and call the resulting file 
`bad.roa`
  6. add `bad.roa` into the RPSTIR database
  7. add the original `good.roa` into the database
  8. add all of the relevant CA certificates

RPSTIR will print the following error message when adding `good.roa`:

    ERR: Add failed: good.roa: error Duplicate signature (-90)

and the `query` utility will report `bad.roa` and `good.roa.cer` as accepted.  
It should accept `good.roa`, not `bad.roa` (the two are identical, however, 
when you ignore the EE cert).

