OpenCA多个签名验证漏洞

漏洞信息详情

OpenCA多个签名验证漏洞

• CNNVD编号：CNNVD-200312-029
• 危害等级： 高危
  
  
• CVE编号：
  CVE-2003-0960
  
• 漏洞类型：
  
  
  未知
  
• 发布时间：
  
  2003-11-28
  
• 威胁类型：
  
  
  远程
  
• 更新时间：
  
  2005-10-20
  
• 厂        商：
  
  openca
• 漏洞来源：
  OpenCA Security Ad…

OpenCA是一款提供PKI架构和相关项目开发的项目实现。
OpenCA存在多个漏洞，可导致修改的或过期的证书被接受。
具体问题如下：
1、OpenCA有一个通用加密操作的库-crypto-utils.lib，这个库包含一个函数判断用于建立PKCS＃7签名的证书序列，函数使用这个序列装载和返回证书。不过这个函数错误的使用OpenCA：：PKCS7接口。
2、加密库crypto-utils.lib使用所有包含签名的证书来建议签名者证书的X.509对象，结果是来自证书链之一的证书建立的对象可以是任意的。
3、OpenCA：：PKCS7包含一个错误规则表达式用于判断证书链的解析。
4、在OpenCA：：PKCS7中证书链中的序列被错误的规则表达式解析，一些大写字符如A，C，B，D，E和F会被忽略。

临时解决方法：
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁：

— openca-0.9.1.3/src/modules/openca-pkcs7/PKCS7.pm 2002-09-10 16:42:02.000000000 +0200

+++ openca-0.9.1.4/src/modules/openca-pkcs7/PKCS7.pm 2003-11-26 15:54:08.000000000 +0100

@@ -69,7 +69,7 @@

our ($errno, $errval);

-($OpenCA::PKCS7::VERSION = ‘$Revision: 1.12 $’ )=~ s/(?:^.*: (\d+))|(?:\s+\$$)/defined $1?”0\.9″:””/eg;

+($OpenCA::PKCS7::VERSION = ‘$Revision: 1.12.2.1 $’ )=~ s/(?:^.*: (\d+))|(?:\s+\$$)/defined $1?”0\.9″:””/eg;

my %params = (

inFile => undef,

@@ -167,6 +167,8 @@

my ( $ret, $tmp );

+ return $self->{parsed} if ($self->{parsed});

+

$tmp = $self->{backend}->verify( SIGNATURE=>$self->{signature},

DATA_FILE=>$self->{dataFile},

CA_CERT=>$self->{caCert},

@@ -292,10 +294,10 @@

($self->{status}) = ( $line =~ /^\s*error:([^:]*):/ );

}

– next if( $line != /^depth/i );

+ next if( $line !~ /^depth/i );

( $currentDepth, $serial, $dn ) =

– ( $line =~ /depth:([\d]+) serial:([a-f\d]+) subject:(.*)/ );

+ ( $line =~ /depth:([\d]+) serial:([a-fA-F\d]+) subject:(.*)/ );

$ret->{$currentDepth}->{SERIAL} = hex ($serial) ;

$ret->{$currentDepth}->{DN} = $dn;

— openca-0.9.1.3/src/common/lib/functions/crypto-utils.lib 2002-12-22 13:08:19.000000000 +0100

+++ openca-0.9.1.4/src/common/lib/functions/crypto-utils.lib 2003-11-26 13:04:50.000000000 +0100

@@ -176,19 +176,36 @@

return undef;

}

– ## Get signer certificate from the pkcs7 structure

– $sigCert = new OpenCA::X509 ( SHELL => $cryptoShell,

– DATA => $sig->getSigner()->{CERTIFICATE});

–

– if( not $sigCert ) {

– $errno = 6103;

– $errval = i18nGettext (“Signer’s certificate is corrupt!\nOpenCA::X509 returns errorcode __ERRNO__ (__ERRVAL__).”,

– “__ERRNO__”, $OpenCA::X509::errno,

– “__ERRVAL__”, $OpenCA::X509::errval);

– return undef;

+ ## Get signer certificate chain from the pkcs7 structure

+ my @chain = split /—–END CERTIFICATE—–/,

+ $sig->getSigner()->{CERTIFICATE};

+ for (my $i=0; $i < scalar @chain; $i++)

+ {

+ if (not $chain[$i])

+ {

+ delete $chain[$i];

+ next;

+ }

+ $chain[$i] .= “—–END CERTIFICATE—–“;

+ $chain[$i] =~ s/^.*—–BEGIN CERTIFICATE—–/—–BEGIN CERTIFICATE—–/s;

+ }

+ $sigCert = undef;

+ for (my $i=0; $i < scalar @chain; $i++)

+ {

+ $sigCert = new OpenCA::X509 ( SHELL => $cryptoShell,

+ DATA => $chain[$i]);

+ if( not $sigCert ) {

+ $errno = 6103;

+ $errval = i18nGettext (“Signer’s certificate is corrupt!\nOpenCA::X509 returns errorcode __ERRNO__ (__ERRVAL__).”,

+ “__ERRNO__”, $OpenCA::X509::errno,

+ “__ERRVAL__”, $OpenCA::X509::errval);

+ return undef;

+ }

+ last if ( $tmpCert->getSerial() eq $sigCert->getSerial() );

+ $sigCert = undef;

}

– if( $tmpCert->getSerial() ne $sigCert->getSerial() ) {

+ if( not $sigCert ) {

$errno = 6104;

$errval = gettext (“Signer’s Certificate and DB’s Certificate do not match”);

return undef;

@@ -281,19 +298,8 @@

return undef;

}

– my $sigCert = new OpenCA::X509 ( SHELL => $cryptoShell,

– DATA => $sig->getSigner()->{CERTIFICATE});

–

– if (not $sigCert) {

– $errno = 6302;

– $errval = i18nGettext (“Cannot create X509-object from the certificate of the signer! OpenCA::X509 returns errorcode __ERRNO__ (__ERRVAL__).”,

– “__ERRNO__”, $OpenCA::X509::errno,

– “__ERRVAL__”, $OpenCA::X509::errval);

– return undef;

– }

–

my $db_cert = $db->getItem( DATATYPE => ‘CERTIFICATE’,

– &n

来源: BUGTRAQ
名称: 20031128 [OpenCA Advisory] Vulnerabilities in signature verification
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=107003609308765&w=2