[strongSwan-dev] libstrongswan: possible bug when reading certificates

Germano Veit Michel germanovmichel at aim.com
Thu Apr 12 13:58:28 CEST 2012 

Hello all, just joined the dev mailing list.


I'm going after a bug in scepclient and so far it looks like the problem is not in scepclient code, but in libstrongswan.


When one uses scepclient for certificate enrollment, there are a few parameters, including this particular one: the CA certificate, which was previously obtained.
Scepclient sends a message to the CA in order to request a certificate. This message contains some information about the CA certificate. 


This is the function that gets that information. 

- METHOD(certificate_t, get_encoding, bool, private_x509_cert_t *this, cred_encoding_type_t type, chunk_t *encoding)
What it does in pratice is chunk_clone(this->encoding).


According to the draft, the first part of this information should be:


 certificate {   -- requester self-signed or CA-issued certificate

          version 3
          serialNumber  "the transaction id associated with enrollment"
          signature {pkcs-1 4}  -- md5WithRSAEncryption

                    ..................


My CA certificate, according to openssl, is version 3 and has md5withRSAEncryption signature.
But what is actually cloned by that function for my CA certificate is:



certificate {   -- requester self-signed or CA-issued certificate
          context 0 { 
                     version 3
          }
          version 2
          serialNumber  "the transaction id associated with enrollment"
          signature {pkcs-1 4}  -- sha-1WithRSAEncryption

          ..................



Problem 1) There is this context 0 thing which contains the right version number, and the actual version might be wrong (2).
Problem 2) My certificate is md5WithRSAEncryption, but it read sha-1withRSAEncryption. The former is defined as 92 while the latter as 93. +1 bug somewhere?


Conclusion:
Since get_encoding just copies a chunk from certificate->encoding, it seems that 
- lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, path, BUILD_END);
is not doing what it shoud do.


Opinions?


Thanks,

Germano Veit Michel
germanovmichel at aim.com


 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20120412/15de200d/attachment.html>

More information about the Dev mailing list