search

SCS-CBU-CED-IAM / AIS

Swisscom All-in Signing Service: Sample Scripts
Apache License 2.0
9 stars 7 forks source link

ais-verify.sh: Wrong signer info due to unsorted cert-chain in timestamp response #1

Closed phaupt closed 10 years ago

phaupt commented 10 years ago

The verification of a timestamp token in ais-verify.sh shows a wrong Signer information:

[ phaupt@cartel:~/AIS/shell ] $ rm myfile.p7s; ./ais-timestamp.sh myfile.txt SHA256 myfile.p7s; ./ais-verify.sh -v myfile.txt myfile.p7s
OK on myfile.p7s with following details:
 Signer       : subject= C=ch,O=Swisscom,OU=Digital Certificate Services,CN=Swisscom Root CA 2
                issuer= C=ch,O=Swisscom,OU=Digital Certificate Services,CN=Swisscom Root CA 2
                validity= notBefore=Jun 24 08:38:14 2011 GMT notAfter=Jun 25 07:38:14 2031 GMT
                OCSP check= No OCSP information found in the signers certificate
 Embedded OCSP: No
 Embedded TSA : No

The reason is related to a misorder in the certificate chain of the timestamp response. Currently, level1 and level2 are swapped:

$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level0.pem -issuer
issuer= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 2
$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level0.pem -subject
subject= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 2

$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level1.pem -issuer
issuer= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom TSS CA 2
$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level1.pem -subject
subject= /C=ch/O=Swisscom/OU=Digital Certificate Service/CN=Swisscom TSA 3

$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level2.pem -issuer
issuer= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 2
$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level2.pem -subject
subject= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom TSS CA 2

This will be fixed on Swisscom AIS side. It shall always provide a correct order of the certificate chain in all responses.

FreddyKaiser commented 10 years ago

With workaround:

./ais-verify.sh -v myfile.txt myfile.t7s
OK on myfile.t7s with following details:
 Signer       : subject= C=ch,O=Swisscom,OU=Digital Certificate Service,CN=Swisscom TSA 3
                issuer= C=ch,O=Swisscom,OU=Digital Certificate Services,CN=Swisscom TSS CA 2
                validity= notBefore=Aug  7 12:23:58 2012 GMT notAfter=Jan 11 09:55:58 2022 GMT
                OCSP check= good
 Embedded OCSP: No
 Embedded TSA : No