000026128 - Verifying Signer Certificates on a PKCS #7 SignedData message.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.


Article Number: 000026128
Applies To: RSA BSAFE Cert-C
The CMSF_VERIFY_SIGNER_CERTS bit in the cmsOptions argument passed as an input to C_ReadSignedDataMsg is turned on.
The CERT_PATH_CTX passed in to C_ReadSignedDataMsg contains the needed trusted certs.
The CERT_PATH_CTX also contains a valid database SERVICE populated with intermediate certs and the trusted certs.
If no CRLs are being used, the CERT_PATH_CTX.pathOptions has the PF_IGNORE_REVOCATION bit turned on.
This bug regarding no error being reported when the path provider is absent applies to the Cert-C 2.0 prerelease and the 1.x releases of Cert-C.
No matter what version of Cert-C you are using, if you want to verify the signer's cert, you must register a path provider (and a revocation status provider if revocation checking is desired).
Issue: Verifying signer certificates on a PKCS #7 SignedData message.
The goal is to have C_ReadSignedDataMsg populate the "verifySigners" LIST_OBJ with the verified signer's SIGNER_INFO.
Instead, a signer which should be valid, given the information in the CERT_PATH_CTX, is listed in the "unVerifySigners" LIST_OBJ.
C_ReadSignedDataMsg returns a normal status code.
A status log provider was registered, but no errors related to path processing are logged.
Cause: Verifying the signer's cert is optional, but when CMSF_VERIFY_SIGNER_CERTS is specified, no check is done to see whether path processing can be performed at all. In other words, if no path provider is registered, the call silently falls into the case where the signer cannot be verified, and the signer ends up in "unVerifySigners" with no error or log entry.
Resolution: Bug #14580 was filed against the Cert-C 2.0 prerelease (it applies to all 1.x releases as well) requesting that the absence of a path provider when CMSF_VERIFY_SIGNER_CERTS is set be treated as an error condition, or at least logged as a problem.
In order to properly use C_ReadSignedDataMsg, you must have at least the following two providers registered with the current Cert-C context.

NOTE: If you want revocation checking, you also need a provider of type SPT_CERT_STATUS. The crypto provider is needed for signature verification.

 /* Providers registered with the Cert-C context. Note the comma between
  * the two entries, which the original listing was missing. */
 SERVICE_HANDLER spTable[2] = {
   {SPT_CRYPTO, "BSAFE Crypto-C", S_InitializeDefaultCSP},   /* signature verification */
   {SPT_CERT_PATH, "Path Provider", S_InitializePKIXPath}    /* signer cert path processing */
 };

 /* Per-provider initialization parameters; neither provider takes any here. */
 POINTER spParams[2] = {
   NULL, NULL
 };
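As an added example (not Cert-C code and not from the article), a pre-flight check that fails loudly when the provider table lacks what C_ReadSignedDataMsg needs, which is the defensive workaround for the silent failure described above. The provider_entry type, the numeric SPT_* values and the CHECK_* return codes are constructed stand-ins for the real Cert-C definitions.

```c
/* Added example: validate the provider table before calling
 * C_ReadSignedDataMsg with CMSF_VERIFY_SIGNER_CERTS set.
 * Types, SPT_* values and CHECK_* codes are constructed stand-ins. */
#include <stddef.h>

/* Constructed numeric values; the real SPT_* constants come from Cert-C. */
enum provider_type { SPT_CRYPTO = 1, SPT_CERT_PATH = 2, SPT_CERT_STATUS = 3 };

typedef struct {
    int type;          /* SPT_* provider type */
    const char *name;  /* provider name, informational only */
} provider_entry;      /* stand-in for SERVICE_HANDLER */

enum { CHECK_OK = 0, CHECK_NO_CRYPTO = 1, CHECK_NO_PATH = 2, CHECK_NO_STATUS = 3 };

/* True if a provider of the given type is present in the table. */
static int has_provider(const provider_entry *table, size_t n, int type) {
    for (size_t i = 0; i < n; i++)
        if (table[i].type == type) return 1;
    return 0;
}

/* Returns CHECK_OK when the table can support the requested options,
 * otherwise a code naming the first missing provider.
 * verify_signer_certs models CMSF_VERIFY_SIGNER_CERTS being set;
 * want_revocation models PF_IGNORE_REVOCATION being left clear. */
int check_signed_data_providers(const provider_entry *table, size_t n,
                                int verify_signer_certs, int want_revocation) {
    /* Signature verification always needs the crypto provider. */
    if (!has_provider(table, n, SPT_CRYPTO)) return CHECK_NO_CRYPTO;
    if (!verify_signer_certs) return CHECK_OK;
    /* Cert-C 1.x and the 2.0 prerelease silently drop signers into
     * unVerifySigners when this is missing (Bug #14580); fail here instead. */
    if (!has_provider(table, n, SPT_CERT_PATH)) return CHECK_NO_PATH;
    if (want_revocation && !has_provider(table, n, SPT_CERT_STATUS)) return CHECK_NO_STATUS;
    return CHECK_OK;
}

/* Constructed sample tables mirroring the article's spTable. */
const provider_entry full_table[2] = {
    { SPT_CRYPTO, "BSAFE Crypto-C" },
    { SPT_CERT_PATH, "Path Provider" }
};
const provider_entry crypto_only[1] = { { SPT_CRYPTO, "BSAFE Crypto-C" } };
```

Run the check once at context setup and refuse to proceed on anything but CHECK_OK, so a misconfigured context cannot produce a "successful" read with every signer unverified.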
Legacy Article ID: a534
