Timestamp Verification Error due to expired certificate in chain
I was wondering why I could not open old messages anymore.
It turned out that a certificate in the TSA chain expired last year. Instead of returning “false” this leads to an uncaught PHP error:
PHP Fatal error: Uncaught Exception: Systemcommand failed: Using configuration from /usr/lib/ssl/openssl.cnf, 140642033243456:error:2F06D064:time stamp routines:ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:184:Verify error:certificate has expired, Verification: FAILED in /var/piler/www/system/helper/TrustedTimestamps.php:224\nStack trace:
#0 /var/piler/www/model/search/message.php(389): TrustedTimestamps::validate()
#1 /var/piler/www/model/search/message.php(34): ModelSearchMessage->check_rfc3161_timestamp_for_id()
#2 /var/piler/www/model/search/message.php(65): ModelSearchMessage->verify_message()
#3 /var/piler/www/model/search/message.php(148): ModelSearchMessage->get_raw_message()
#4 /var/piler/www/controller/message/view.php(83): ModelSearchMessage->extract_message()
#5 /var/piler/www/system/front.php(36): ControllerMessageView->index()
#6 /var/piler/www/system/front.php(14): Front->execute()
#7 /var/piler/www/index.php(114): Front->dispatch()
#8 {main}
thrown in /var/piler/www/system/helper/TrustedTimestamps.php on line 224, referer: https://archive.local/search.php
1.) the exception should probably be handled better (e.g. just returning FALSE for the verification process)
2.) this is more philosophical, if you still want to trust the chain although it has expired, adding a -no_check_time might be applicable
$cmd = OPENSSL_BINARY . " ts -verify -digest ".escapeshellarg($hash)." -no_check_time -in ".escapeshellarg($responsefile)." -CAfile ".escapeshellarg($tsa_cert_file)." -untrusted ".escapeshellarg($untrustedfile);
Alex
Comments (5)
-
repo owner -
reporter Thank you, this catches the error properly.
I know there is little documentation about the TSA option (mostly on the mailing list), and I understand that opinions might differ. Nevertheless having the option to do a relaxed signature check might be useful to most users.
From a coding standpoint it would be quite simple to check for TSA_RELAXED_CHECK and insert -no_check_time in the verify command of
system/helper/TrustedTimestamps.php
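An added example (not part of the thread and not piler's code) of the two suggestions above: the verify command gets `-no_check_time` only when a relaxed-check setting is on, and a failed `openssl ts -verify` returns false with a reason instead of throwing. `OPENSSL_BINARY` and `TSA_RELAXED_CHECK` are the names used in this thread; their values, the function names and the file paths are assumptions.

```php
<?php
// Added example, not piler's code. OPENSSL_BINARY and TSA_RELAXED_CHECK are
// named in this thread; their values and all other names are assumptions.
const OPENSSL_BINARY = '/usr/bin/openssl'; // assumed path
const TSA_RELAXED_CHECK = false;           // assumed default: strict check

function build_ts_verify_cmd(string $hash, string $resp, string $ca, string $untrusted, bool $relaxed): string
{
    $args = ['ts', '-verify', '-digest', $hash];
    if ($relaxed) {
        // Skips validity-period checks on the chain, so expired certificates pass.
        $args[] = '-no_check_time';
    }
    array_push($args, '-in', $resp, '-CAfile', $ca, '-untrusted', $untrusted);
    return escapeshellarg(OPENSSL_BINARY) . ' ' . implode(' ', array_map('escapeshellarg', $args));
}

// Returns true only on a clean verification; never throws. $reason tells the
// caller whether a failure was an expired chain or something else.
function verify_timestamp(string $hash, string $resp, string $ca, string $untrusted, ?string &$reason = null): bool
{
    $cmd = build_ts_verify_cmd($hash, $resp, $ca, $untrusted, TSA_RELAXED_CHECK) . ' 2>&1';
    $output = [];
    $rc = 1;
    exec($cmd, $output, $rc);
    $text = implode("\n", $output);

    if ($rc === 0 && strpos($text, 'Verification: OK') !== false) {
        $reason = 'ok';
        return true;
    }
    $reason = stripos($text, 'certificate has expired') !== false ? 'chain_expired' : 'verify_failed';
    error_log("RFC 3161 timestamp verification failed ($reason): $text");
    return false;
}

// Constructed inputs: the files do not exist, so this exercises the failure
// path and shows that the caller gets false instead of a fatal error.
$ok = verify_timestamp(str_repeat('ab', 32), '/tmp/example.tsr', '/tmp/tsa-ca.pem', '/tmp/tsa-chain.pem', $reason);
var_dump($ok, $reason);
```

Keeping the `chain_expired` reason separate lets the UI show that a message failed only because the TSA chain aged out, which is a different finding from a digest or signature mismatch.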
-
repo owner - changed status to resolved
Fixed #1281 to support relaxed timestamp checking
Signed-off-by: Janos SUTO sj@acts.hu
→ <<cset d75ce865c451>>
-
reporter Thank you once again!
-
reporter - changed status to closed
- error handling in message.php has been fixed
- TSA handling has been extended to support expired certificates
Thank you for reporting the issue. Can you validate the below diff whether it handles the exception properly?