Timestamp Verification Error due to expired certificate in chain

Issue #1281 closed
Alexander Noack created an issue

I was wondering why I could not open old messages anymore.

It turned out that a certificate in the TSA chain expired last year. Instead of returning “false” this leads to an uncaught PHP error:

PHP Fatal error:  Uncaught Exception: Systemcommand failed: Using configuration from /usr/lib/ssl/openssl.cnf, 140642033243456:error:2F06D064:time stamp routines:ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:184:Verify error:certificate has expired, Verification: FAILED in /var/piler/www/system/helper/TrustedTimestamps.php:224\nStack trace:
 #0 /var/piler/www/model/search/message.php(389): TrustedTimestamps::validate()
 #1 /var/piler/www/model/search/message.php(34): ModelSearchMessage->check_rfc3161_timestamp_for_id()
 #2 /var/piler/www/model/search/message.php(65): ModelSearchMessage->verify_message()
 #3 /var/piler/www/model/search/message.php(148): ModelSearchMessage->get_raw_message()
 #4 /var/piler/www/controller/message/view.php(83): ModelSearchMessage->extract_message()
 #5 /var/piler/www/system/front.php(36): ControllerMessageView->index()
 #6 /var/piler/www/system/front.php(14): Front->execute()
 #7 /var/piler/www/index.php(114): Front->dispatch()
 #8 {main}
   thrown in /var/piler/www/system/helper/TrustedTimestamps.php on line 224, referer: https://archive.local/search.php

1.) the exception should probably be handled better (e.g. just returning FALSE for the verification process)

2.) this is more philosophical: if you still want to trust the chain although it has expired, adding -no_check_time might be applicable

 $cmd = OPENSSL_BINARY . " ts -verify -digest ".escapeshellarg($hash)." -no_check_time -in ".escapeshellarg($responsefile)." -CAfile ".escapeshellarg($tsa_cert_file)." -untrusted ".escapeshellarg($untrustedfile);

Alex

Comments (5)

  1. Janos SUTO repo owner

    Thank you for reporting the issue. Can you check whether the diff below handles the exception properly?

    diff --git a/webui/model/search/message.php b/webui/model/search/message.php
    index 314feb2..395fbfd 100644
    --- a/webui/model/search/message.php
    +++ b/webui/model/search/message.php
    @@ -386,8 +386,14 @@ class ModelSearchMessage extends Model {
              }
    
              if($query->row['hash_value'] == $computed_hash) {
    -            $validate = TrustedTimestamps::validate($query->row['hash_value'], $query->row['response_string'], $query->row['response_time'], TSA_PUBLIC_KEY_FILE);
    -            if($validate == true) { return 1; }
    +            try {
    +               if(true === TrustedTimestamps::validate($query->row['hash_value'], $query->row['response_string'], $query->row['response_time'], TSA_PUBLIC_KEY_FILE)) {
    +                  return 1;
    +               }
    +            } catch(Exception $e) {
    +               syslog(LOG_INFO, "ERROR validating the timestamp: " . $e->getMessage());
    +               return 0;
    +            }
              }
    
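    Review bot: In the catch block the failure is logged at LOG_INFO although the text says "ERROR", and the log line carries no message identifier, so an operator cannot filter on severity or tell which archived message failed. Consider LOG_ERR or LOG_WARNING and include the id this check was called for. The catch also returns a plain 0, so the caller cannot tell why validation failed, for example the expired TSA chain from the report; a distinct return value would let the UI report that case separately.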

  2. Alexander Noack reporter

    Thank you, this catches the error properly.

    I know there is little documentation about the TSA option (mostly on the mailing list), and I understand that opinions might differ. Nevertheless, having the option to do a relaxed signature check might be useful to most users.

    From a coding standpoint it would be quite simple to check for TSA_RELAXED_CHECK and insert -no_check_time in the verify command of system/helper/TrustedTimestamps.php.

  3. Alexander Noack reporter
    • error handling in message.php has been fixed
    • TSA handling has been extended to support expired certificates
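
The two changes discussed in this thread (no uncaught exception, optional relaxed check) can be combined as in the following added sketch, which is not piler's code and not part of the original thread. TSA_RELAXED_CHECK is taken from the comment above; the function names, the status strings, the literal `openssl` binary name and the stand-in runner are assumptions.

```php
<?php
// Added example, not piler's code. Function names and status strings are
// hypothetical; TSA_RELAXED_CHECK is the option proposed in the thread.
const TSA_RELAXED_CHECK = true;

function ts_verify_cmd(string $hash, string $resp, string $ca, string $untrusted, bool $relaxed): string
{
    return 'openssl ts -verify -digest ' . escapeshellarg($hash)
        . ($relaxed ? ' -no_check_time' : '')
        . ' -in ' . escapeshellarg($resp)
        . ' -CAfile ' . escapeshellarg($ca)
        . ' -untrusted ' . escapeshellarg($untrusted) . ' 2>&1';
}

// Production runner: returns [exit code, combined stdout/stderr].
function run_cmd(string $cmd): array
{
    exec($cmd, $lines, $rc);
    return [$rc, implode("\n", $lines)];
}

// Returns 'valid', 'valid-expired-chain' or 'invalid'; never throws.
function verify_timestamp(callable $run, string $hash, string $resp, string $ca, string $untrusted): string
{
    $out = '';
    $ok = function (bool $relaxed) use ($run, $hash, $resp, $ca, $untrusted, &$out): bool {
        [$rc, $out] = $run(ts_verify_cmd($hash, $resp, $ca, $untrusted, $relaxed));
        return $rc === 0 && strpos($out, 'Verification: OK') !== false;
    };
    if ($ok(false)) {
        return 'valid';
    }
    // Retry without validity-period checks only when expiry was the reported
    // cause; any other failure (digest mismatch, bad signature) stays invalid.
    if (TSA_RELAXED_CHECK && strpos($out, 'certificate has expired') !== false && $ok(true)) {
        syslog(LOG_WARNING, 'timestamp accepted with -no_check_time (expired TSA chain)');
        return 'valid-expired-chain';
    }
    return 'invalid';
}

// Constructed stand-in for openssl so the sketch runs without a TSA response:
// fails with the error text from this report unless -no_check_time is present.
$fake = function (string $cmd): array {
    return strpos($cmd, '-no_check_time') !== false
        ? [0, 'Verification: OK']
        : [1, 'Verify error:certificate has expired, Verification: FAILED'];
};
echo verify_timestamp($fake, 'aabbcc', '/tmp/resp.tsr', '/tmp/ca.pem', '/tmp/chain.pem'), "\n";
```

Passing `'run_cmd'` instead of `$fake` runs the real binary. Keeping a separate status for the relaxed path lets the UI and the audit log show that a timestamp was accepted only with validity-period checks disabled.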