EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Not including ASN1 DEFAULT elements

Also by EldoS: CallbackRegistry
A component to monitor and control Windows registry access and create virtual registry keys.
#30342
Posted: 08/14/2014 06:22:34
by Eugene Mayevski (EldoS Corp.)

Quote
Andy Calvert wrote:
Their software recalculates the signature over the fields which they believe should be present (excluding the default ones),


This is wrong approach - the signature should be verified using the binary of the certificate, not using the reconstructed something generated in an unknown way.


Sincerely yours
Eugene Mayevski
#30344
Posted: 08/14/2014 06:28:38
by Andy Calvert (Standard support level)
Joined: 11/07/2007
Posts: 16

Appendix B of RFC5280 also states that

"
Implementers should note that the DER encoding of SET or SEQUENCE
components whose value is the DEFAULT omit the component from the
encoded certificate or CRL. For example, a BasicConstraints
extension whose cA"

Andy
#30345
Posted: 08/14/2014 06:31:10
by Eugene Mayevski (EldoS Corp.)

Quote
Andy Calvert wrote:
DER encoding of SET or SEQUENCE components whose value is the DEFAULT


That is about SET or SEQUENCE and not about their fields.

Indeed I was looking into 4.2 and didn't check 4.1 in regards to the declaration.


Sincerely yours
Eugene Mayevski
#30346
Posted: 08/14/2014 06:32:35
by Andy Calvert (Standard support level)
Joined: 11/07/2007
Posts: 16

I agree that their re-interpreting of the fields when checking signatures is frankly bizarre, but to repeat my warning - they are a huge multi-national supplier of security kit, and this is going to happen again and again now as more of their customers upgrade their equipment.

The description is on their web page:


http://publib.boulder.ibm.com/httpserv/ihsdiag/gather_certificate_doc.html
#30347
Posted: 08/14/2014 06:34:05
by Andy Calvert (Standard support level)
Joined: 11/07/2007
Posts: 16

Search for Certificate validation failures with GSKit 7.0.4.1
#30348
Posted: 08/14/2014 06:35:25
by Eugene Mayevski (EldoS Corp.)

Ok, we'll deal with them as they come.


Sincerely yours
Eugene Mayevski
Also by EldoS: Callback File System
Create virtual file systems and disks, expose and manage remote data as if they were files on the local disk.

Reply

Statistics

Topic viewed 1269 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!