EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Not including ASN1 DEFAULT elements

Also by EldoS: CallbackRegistry
A component to monitor and control Windows registry access and create virtual registry keys.
#30342
Posted: 08/14/2014 06:22:34
by Eugene Mayevski (EldoS Corp.)

Quote
Andy Calvert wrote:
Their software recalculates the signature over the fields which they believe should be present (excluding the default ones),


This is wrong approach - the signature should be verified using the binary of the certificate, not using the reconstructed something generated in an unknown way.


Sincerely yours
Eugene Mayevski
#30344
Posted: 08/14/2014 06:28:38
by Andy Calvert (Standard support level)
Joined: 11/07/2007
Posts: 16

Appendix B of RFC5280 also states that

"
Implementers should note that the DER encoding of SET or SEQUENCE
components whose value is the DEFAULT omit the component from the
encoded certificate or CRL. For example, a BasicConstraints
extension whose cA"

Andy
#30345
Posted: 08/14/2014 06:31:10
by Eugene Mayevski (EldoS Corp.)

Quote
Andy Calvert wrote:
DER encoding of SET or SEQUENCE components whose value is the DEFAULT


That is about SET or SEQUENCE and not about their fields.

Indeed I was looking into 4.2 and didn't check 4.1 in regards to the declaration.


Sincerely yours
Eugene Mayevski
#30346
Posted: 08/14/2014 06:32:35
by Andy Calvert (Standard support level)
Joined: 11/07/2007
Posts: 16

I agree that their re-interpreting of the fields when checking signatures is frankly bizarre, but to repeat my warning - they are a huge multi-national supplier of security kit, and this is going to happen again and again now as more of their customers upgrade their equipment.

The description is on their web page:


http://publib.boulder.ibm.com/httpserv/ihsdiag/gather_certificate_doc.html
#30347
Posted: 08/14/2014 06:34:05
by Andy Calvert (Standard support level)
Joined: 11/07/2007
Posts: 16

Search for Certificate validation failures with GSKit 7.0.4.1
#30348
Posted: 08/14/2014 06:35:25
by Eugene Mayevski (EldoS Corp.)

Ok, we'll deal with them as they come.


Sincerely yours
Eugene Mayevski
Also by EldoS: MsgConnect
Cross-platform protocol-independent communication framework for building peer-to-peer and client-server applications and middleware components.

Reply

Statistics

Topic viewed 1268 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!