Hello,

On 11.3.2013 17:33, Dr. Stephen Henson wrote:
> As to the OP query. I'm not that familiar with the timestamping code. OpenSSL
> doesn't support attribute certificates and adding support is not trivial.

Attribute certificates are possible in CMS in general, not just in TS => an attr. cert. (in SigningCertificate->certs) will kill any CMS verification.

The TAC ESSCertID, I think, makes the verification impossible in OpenSSL, while OpenSSL (without attr. cert. support) only applies the first sentence on RFC 2634 page 47:

"If more than one certificate is present in the sequence of
ESSCertIDs, the certificates after the first one limit the set of
authorization certificates that are used during signature validation."

But the TAC is not part of the verify chain => these 2 ESSCertIDs:
1. are not correct and
2. do not build the whole cert. chain
within the meaning of that first sentence.

That is the point.



> However full support isn't always required: the CMS code just treats any it
> finds as an opaque blob which it keeps in encoded form. That means it can
> parse messages containing attribute certificates without choking.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.

Parsing is one thing and verification another one.

If the verification fails, it is one of the greatest possible problems.

As far as I know, attr. certs are not very necessary => that is why I think a temporary solution would be to ignore them in the verification process. At least in TS it would solve the problem.


--kapetr


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
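Added example (not part of this thread and not OpenSSL's code): a pure-Python model of the ESSCertID check the reply above runs into, written as I understand OpenSSL's TS verifier behaves: the signer certificate must be the first ESSCertID, and when more than one ESSCertID is present every remaining certificate of the verify chain must be covered by one of the IDs. It builds a constructed SigningCertificate attribute carrying the signer's ID plus the ID of a TAC that is not in the chain, shows that the strict rule rejects it because the CA is not listed, and shows the "ignore attribute-certificate IDs" variant proposed in the reply accepting it. The DER helpers, the `check_*` names and the stand-in certificate byte strings are my own constructions, not real certificates.

```python
"""Model of the ESSCertID (RFC 2634 SigningCertificate) chain check.

Constructed example. The byte strings below stand in for DER-encoded
certificates; only their SHA-1 digests matter to the ESSCertID logic.
"""
import hashlib

SEQUENCE, OCTET_STRING = 0x30, 0x04


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short- and long-form lengths)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
        pos += 2 + k
    return tag, buf[pos:pos + n], pos + n


def ess_cert_id(cert_der: bytes) -> bytes:
    # ESSCertID ::= SEQUENCE { certHash OCTET STRING, issuerSerial OPTIONAL }
    # certHash is the SHA-1 of the certificate's DER; issuerSerial is omitted here.
    return der(SEQUENCE, der(OCTET_STRING, hashlib.sha1(cert_der).digest()))


def signing_certificate(cert_ders) -> bytes:
    # SigningCertificate ::= SEQUENCE { certs SEQUENCE OF ESSCertID, policies OPTIONAL }
    return der(SEQUENCE, der(SEQUENCE, b"".join(ess_cert_id(c) for c in cert_ders)))


def parse_cert_hashes(signing_cert_der: bytes):
    """Walk a SigningCertificate value and return its certHash values in order."""
    _, body, _ = der_read(signing_cert_der)      # SigningCertificate
    _, certs, _ = der_read(body)                 # certs: SEQUENCE OF ESSCertID
    hashes, pos = [], 0
    while pos < len(certs):
        _, ess, pos = der_read(certs, pos)       # one ESSCertID
        _, h, _ = der_read(ess)                  # certHash
        hashes.append(h)
    return hashes


def check_ids(ids, chain):
    """Strict rule (my reading of the OpenSSL TS check): signer first, and with
    more than one ID every other chain certificate must appear among the IDs."""
    digests = [hashlib.sha1(c).digest() for c in chain]
    if not ids or ids[0] != digests[0]:
        return False, "signer certificate is not the first ESSCertID"
    if len(ids) > 1:
        for d in digests[1:]:
            if d not in ids:
                return False, "chain certificate not found in ESSCertIDs"
    return True, "ok"


def check_strict(signing_cert_der: bytes, chain):
    return check_ids(parse_cert_hashes(signing_cert_der), chain)


def check_ignoring_attr_certs(signing_cert_der: bytes, chain, attr_certs):
    """Proposed workaround: drop IDs that identify attribute certificates (the
    opaque blobs kept from the CMS certs field), then apply the strict rule."""
    attr_digests = {hashlib.sha1(a).digest() for a in attr_certs}
    kept = [i for i in parse_cert_hashes(signing_cert_der) if i not in attr_digests]
    return check_ids(kept, chain)


# Constructed stand-ins for DER certificates (not real certificates).
SIGNER = b"constructed: TSA signing certificate"
CA = b"constructed: issuing CA certificate"
TAC = b"constructed: TSA attribute certificate"
CHAIN = [SIGNER, CA]

if __name__ == "__main__":
    attr = signing_certificate([SIGNER, TAC])   # signer ID + TAC ID, CA missing
    print("strict:          ", check_strict(attr, CHAIN))
    print("ignoring TAC id: ", check_ignoring_attr_certs(attr, CHAIN, [TAC]))
    print("full chain ids:  ", check_strict(signing_certificate([SIGNER, CA]), CHAIN))
```

The strict path fails not because the TAC hash is unknown but because, once a second ESSCertID is present, the rule demands that the CA be listed too; dropping the attribute-certificate ID leaves a single ID, so the chain restriction is not applied and the token verifies against the normal chain.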
