Closed hackerfactor closed 1 week ago
I found this: https://github.com/contentauth/c2patool/issues/114 As noted by Leszko, the source code is written to explicitly forbid self-signed certs. (https://github.com/contentauth/c2pa-rs/blob/d9b077c8790e172d5bc9f23dc17f13df343160f1/sdk/src/cose_validator.rs#L350)
This contradicts the C2PA specification, which repeatedly mentions the use of self-signed certificates: https://c2pa.org/specifications/specifications/1.2/specs/C2PA_Specification.html#_x_509_certificates E.g.,
If you comment out the check/rejection of self-signed certs in the c2pa-rs code, then it correctly accepts self-signed certs. However, nobody else using c2patool will be able to validate it unless they apply the same patch.
When using the openssl command to create a certificate, the Basic Constraints of the certificate may be set to "CA:TRUE" if the "-extensions v3_ca" option is used. Isn't this likely to cause errors in c2patool?
If you use "usr_cert" instead of "v3_ca" and create a self-signed certificate with the following command, I think the Basic Constraints of the certificate will be set to "CA:FALSE".
$ ./openssl req -new -newkey rsa:4096 \ -sigopt rsa_padding_mode:pss \ -days 3650 \ -extensions usr_cert \ -addext "keyUsage = digitalSignature" \ -addext "extendedKeyUsage = emailProtection" \ -nodes -x509 -sha256 -keyout private3.key -out certs3.pem
In my testing, there are no errors in c2patool (0.6.2) when using this certificate, and it seems to be successful.
Oh! That's the magic command. Thank you. (This really needs to be documented somewhere.)
You must not just supply the signing certificate but also the entire certificate chain up to the root. How to generate that is beyond what is reasonable to document. There are good sources available on the web. If you are just doing testing the c2pa-rs SDK supplies the signing certificates and the appropriate certificate chain for every supported signature type.
c2patool 0.6.2 is supposed to accept a user-specified cert via environment variable or in the manifest. I have been unable to get this to work.
The documentation for c2patool 0.6.2 lacks details: https://docs.rs/crate/c2patool/0.6.2 the link for Creating and using an X.509 certificate does not exist.
An older version (0.1.2; https://docs.rs/crate/c2patool/0.1.2) gives instructions using openssl, but those don't seem to work anymore.
Here are the commands I am using:
My manifest.json contains
(Also tried with es256, but that also fails.)
I can't tell if I'm doing something wrong, or if this part of c2patool no longer works correctly.