Hi,

if I instantiate an OpenCA::PKCS7 object in order to verify a signature,
the object can return a number of error codes that indicate that something
went wrong.

Now I *do* expect a certain error, "unsupported certificate purpose",
during verification(*), i.e. the key usage bit for Digital Signature
may not be present in the signer certificate.
However, if the signature is otherwise correct, including verification
of the certificate chain up to the root, I want to interpret the
validation as successful.

When reading the code it seems to me that the module only returns
the *last* error given by openca-sv. So there might be a pathological
case where *first* a signature validation error is reported and after
this the "unsupported certificate purpose" error.

In this case the minor, expected error would mask the severe
validation error. If processing now continues, this might lead to
a security compromise.

Question: can I expect OpenCA::PKCS7 and openca-sv to always report
minor errors first and major errors last?
Is there a clean way to handle this, or is it necessary to extend
the verification code?

(*)
What I want to achieve is a signature verification of a PKCS#7 structure
with embedded content info. The signer certificate may not have the
necessary key usage flags for signature, so there is an expected
error during signature validation.
Yes, I know that Digital Signatures are invalid from certs without
the proper key usage flags, but the latest SCEP draft specifies exactly
this kind of authorization of a new SCEP request (using the existing
certificate).

Cheers

Martin
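The masking problem described above, as an added example that is not part of the original mail nor of OpenCA or openca-sv: the safe policy is to collect *every* error the verifier reports and accept only when all of them are on the tolerated list, rather than looking at whichever error came last. The example assumes the verify errors are available as OpenSSL-style "error N at D depth lookup: text" lines (the format printed by `openssl verify`); the numeric codes and texts are OpenSSL's X509_V_ERR_* values, the sample stderr is constructed, and the function names and `SCEP_RENEWAL_TOLERATED` are this example's own.

```python
"""Tolerate one expected X.509 verify error without letting it mask others.

Error codes/texts are OpenSSL's X509_V_ERR_* values; the sample stderr
blocks below are constructed for the example, not captured output.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# OpenSSL verify error codes (crypto/x509/x509_vfy.h)
X509_V_OK = 0
X509_V_ERR_CERT_SIGNATURE_FAILURE = 7   # "certificate signature failure"
X509_V_ERR_CERT_HAS_EXPIRED = 10        # "certificate has expired"
X509_V_ERR_INVALID_PURPOSE = 26         # "unsupported certificate purpose"

# "openssl verify" reports each failed check as
#   error <code> at <depth> depth lookup: <text>
# (older releases omit the space after the colon, hence \s*)
_LINE_RE = re.compile(r"^error (\d+) at (\d+) depth lookup:\s*(.+?)\s*$")


@dataclass(frozen=True)
class VerifyError:
    code: int
    depth: int   # 0 = signer certificate, 1.. = issuers towards the root
    text: str


def parse_verify_errors(stderr_text: str) -> List[VerifyError]:
    """Collect every reported error, in the order the verifier emitted it."""
    found = []
    for line in stderr_text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            found.append(VerifyError(int(m.group(1)), int(m.group(2)), m.group(3)))
    return found


def last_error_policy(errors: List[VerifyError], tolerated: Set[int]) -> bool:
    """The behaviour the mail suspects: only the last error survives, so an
    earlier fatal error becomes invisible. Shown for contrast only."""
    if not errors:
        return True
    return errors[-1].code in tolerated


def all_errors_policy(errors: List[VerifyError], tolerated: Set[int]) -> bool:
    """Accept only if every reported error is tolerated AND concerns the
    signer certificate itself (depth 0). A purpose failure on a CA
    certificate is not the SCEP renewal case and stays fatal."""
    for err in errors:
        if err.code not in tolerated or err.depth != 0:
            return False
    return True


# The single error the SCEP-style renewal is allowed to produce (assumption).
SCEP_RENEWAL_TOLERATED = {X509_V_ERR_INVALID_PURPOSE}

# Constructed sample: the pathological ordering from the mail, a real
# signature failure followed by the expected purpose error.
MASKED_FAILURE = """\
error 7 at 0 depth lookup: certificate signature failure
error 26 at 0 depth lookup: unsupported certificate purpose
"""

# Constructed sample: only the expected error, the case that should pass.
EXPECTED_ONLY = "error 26 at 0 depth lookup:unsupported certificate purpose\n"

if __name__ == "__main__":
    for label, text in (("masked failure", MASKED_FAILURE),
                        ("expected only", EXPECTED_ONLY)):
        errs = parse_verify_errors(text)
        print(f"{label}: last-error policy -> "
              f"{last_error_policy(errs, SCEP_RENEWAL_TOLERATED)}, "
              f"all-errors policy -> "
              f"{all_errors_policy(errs, SCEP_RENEWAL_TOLERATED)}")
```

On the masked-failure input the last-error policy accepts a message whose signer certificate failed signature validation, while the all-errors policy rejects it; the depth check additionally prevents the tolerated purpose error from excusing a CA certificate further up the chain. If the underlying verifier cannot report more than one error, the cleaner fix is to make the expected error not occur at all, for example by relaxing the chain purpose check for this one call (OpenSSL's verify options accept `-purpose any`), so that any error that does come back is fatal.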



_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel