
Vulnerabilities in OpenCA signature validation

Nov 29, 2003 2:19AM PST

Security-Corporation ID : SC-0801
URL : http://www.security-corporation.com/articles-20031129-002.html
Author : Michael Bell
Product : OpenCA
Source Message Contents :

OpenCA Security Advisory [28 November 2003]

Vulnerabilities in signature validation
=======================================

Multiple flaws in OpenCA before version 0.9.1.4 could cause OpenCA to
use an incorrect certificate in the chain to determine the serial being
checked which could lead to certificates that are revoked or expired
being incorrectly accepted.

Chris Covell and Gottfried Scheckenbach performed tests with OpenCA and
CA hierarchies. They had problems verifying signatures with some
functions in OpenCA which test the signer's certificate.

Michael Bell of the OpenCA core team identified and fixed the problems
for OpenCA 0.9.1 and the CVS HEAD.

Vulnerabilities
-----------------

1. OpenCA has a library for common crypto operations - crypto-utils.lib.
This library includes a function to determine the serial of the
certificate which somebody used to create a PKCS#7 signature. The
function uses this serial to load and return the certificate. The
function used the interface of OpenCA::PKCS7 (the OpenCA PKCS#7
module) in a wrong way.

2. The crypto library crypto-utils.lib uses all certificates which were
included into the signature to create the X.509 object of the
signer's certificate. The result is an object which was created from
one of the certificates of the certificate chain. This means that
the result is haphazard.

3. OpenCA::PKCS7 includes a wrong regular expression to detect lines
which have nothing to do with the parsing of the certificate chain.

4. The serials in the certificate chain were parsed with a wrong regular
expression in OpenCA::PKCS7. Big letters like A, C, B, D, E and F
were ignored.

Who is affected?
------------------

All versions of OpenCA including 0.9.1.3. A security risk is present for
people who are using digital signatures to secure approved requests
or role based access control (RBAC).

Recommendations
-----------------

Upgrade to 0.9.1.4 and use newer snapshots than
openca-0.9-SNAP-20031125.tar.gz. You can also fix the problem yourself
with the included patches. The original files which we used to create
the diffs are from OpenCA 0.9.1.3.
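As an added illustration (not OpenCA's own code and not the advisory's patch): a small Python parser over a constructed, simplified chain dump that shows how a lowercase-only serial regular expression (flaw 4) truncates serials containing uppercase hex digits, and how the signer certificate should be selected by issuer and serial rather than taken from an arbitrary position in the chain (flaw 2). The dump layout, the field names and the function names are assumptions made for the example.

```python
import re

# Constructed, simplified chain dump (not OpenCA's or OpenSSL's real output):
# one "Serial Number:", "Issuer:" and "Subject:" line per certificate.
CHAIN_DUMP = """\
Certificate:
    Serial Number: 01
    Issuer: CN=Example Root CA
    Subject: CN=Example Root CA
Certificate:
    Serial Number: 0A:FF:1B
    Issuer: CN=Example Root CA
    Subject: CN=Example Issuing CA
Certificate:
    Serial Number: 0C:AB:EF
    Issuer: CN=Example Issuing CA
    Subject: CN=alice, O=Example
"""

# Lowercase-only class: the match stops at the first uppercase hex digit
# (flaw 4), so "0A:FF:1B" is captured as just "0".
SERIAL_RE_BUGGY = re.compile(r"Serial Number:\s*([0-9a-f:]+)")
# Accepts hex digits in either case.
SERIAL_RE_FIXED = re.compile(r"Serial Number:\s*([0-9A-Fa-f:]+)")

def normalize_serial(serial):
    """Canonical form for comparison: no separators, uppercase, no leading zeros."""
    return serial.replace(":", "").upper().lstrip("0") or "0"

def parse_chain(dump, serial_re):
    """Split the dump into certificates and extract issuer, serial and subject."""
    certs = []
    for block in dump.split("Certificate:")[1:]:
        m_serial = serial_re.search(block)
        m_issuer = re.search(r"Issuer:\s*(.+)", block)
        m_subject = re.search(r"Subject:\s*(.+)", block)
        certs.append({
            "serial": normalize_serial(m_serial.group(1)) if m_serial else None,
            "issuer": m_issuer.group(1).strip(),
            "subject": m_subject.group(1).strip(),
        })
    return certs

def find_signer(certs, issuer, serial):
    """Pick the signer by issuer and serial (as the signature identifies it),
    never whichever chain certificate happens to come first (flaw 2)."""
    wanted = normalize_serial(serial)
    matches = [c for c in certs if c["issuer"] == issuer and c["serial"] == wanted]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one signer certificate, found {len(matches)}")
    return matches[0]
```

With the buggy pattern the signer lookup for serial 0cabef fails, because every serial in the dump was truncated at its first uppercase digit; with the fixed pattern it returns the end-entity certificate.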


Re:Vulnerabilities in OpenCA signature validation
Nov 29, 2003 4:50AM PST

CA stands for what?

Re:Re:Vulnerabilities in OpenCA signature validation
Nov 29, 2003 9:26PM PST
NA Thank you Donna
Nov 30, 2003 4:18AM PST
