Dolph: yeah, this is only for checking the revocation list; the tokens themselves need to be valid tokens. It is restricted to PKI-based tokens only. The mistake was using the hash of the whole document for the token id; it should have been the same hash of the token data that is used for the cryptographic signature. The values being manipulated are the ASN.1-specific values that indicate "This next block is signed data", which openssl really should be validating.
For example, here is a diff of a derdump of the original file and the modified file, with some lines of context:
$ diff -U 10 /tmp/auth_v3_token_scoped_orig.pem.txt /tmp/auth_v3_token_scoped77.pem.txt
--- /tmp/auth_v3_token_scoped_orig.pem.txt 2015-09-02 11:27:46.423313737 -0400
+++ /tmp/auth_v3_token_scoped77.pem.txt 2015-09-02 11:27:46.398313755 -0400
@@ -4,21 +4,21 @@
 C-[0] (3176)
   C-Sequence (3172)
     Integer (1)
       01
     C-Set (9)
       C-Sequence (7)
         Object Identifier (5)
           1 3 14 3 2 26 (SHA-1)
     C-Sequence (2692)
       Object Identifier (9)
-        1 2 840 113549 1 7 1 (PKCS #7 Data)
+        0 26 840 113549 1 7 1
       C-[0] (2677)
         Octet String (2673)
           7b 22 74 6f 6b 65 6e 22 3a 20 7b 22 6d 65 74 68 6f 64
           73 22 3a 20 5b 22 70 61 73 73 77 6f 72 64 22 5d 2c 20
           22 72 6f 6c 65 73 22 3a 20 5b 7b 22 69 64 22 3a 20 22
           66 30 33 66 64 61 38 66 38 61 33 32 34 39 62 32 61 37
           30 66 62 31 66 31 37 36 61 37 62 36 33 31 22 2c 20 22
           6e 61 6d 65 22 3a 20 22 72 6f 6c 65 31 22 7d 2c 20 7b
           22 69 64 22 3a 20 22 66 30 33 66 64 61 38 66 38 61 33
           32 34 39 62 32 61 37 30 66 62 31 66 31 37 36 61 37 62
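Review bot: the only line that differs in this hunk is the eContentType OID inside encapContentInfo, `1 2 840 113549 1 7 1 (PKCS #7 Data)` becoming `0 26 840 113549 1 7 1`, which is a single encoded byte (0x2a, decoding to arcs 1 2, replaced by 0x1a, decoding to arcs 0 26); the SHA-1 digest algorithm, every length field and the octet string holding the JSON token are untouched. Because the token id is derived from a hash of the whole file, that one byte mints a new id for the same signed payload, and derdump no longer recognises the OID while the signature check still passes. A validator that hashes the signed octets instead, and rejects an eContentType other than id-data, would treat this file as the original token and would flag the edit; that is the ASN.1 validation the comment says openssl should be doing.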
All of the places susceptible to the modifications seem to be this kind of string, with the exception of the final padding:
$ diff -u /tmp/auth_v3_token_scoped_orig.pem /tmp/auth_v3_token_scoped4364.pem
--- /tmp/auth_v3_token_scoped_orig.pem 2015-09-02 11:14:11.414915072 -0400
+++ /tmp/auth_v3_token_scoped4364.pem 2015-09-02 11:14:28.749902282 -0400
@@ -66,4 +66,4 @@
 4RQzkShFx97ioGPE9wE1Jv9Yzxo5uTg6z246gi42e50uSIFZMmNMqkUdz0n6Qct+
 1zMf8W+e1pykKscVBz757F9n+qAhx15LxxdCKIrQ1kNT8dAyLRBQU0qZeLmLvS3W
 nmf/JlQ7LDQmq3XQEHRbQ1s5dz/mwM8IiSm8
------END CMS-----
+-----END CMS-----
\ No newline at end of file
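Review bot: this hunk changes nothing inside the base64 body; the only difference is the newline after `-----END CMS-----` (hence the `\ No newline at end of file` marker), so the DER that openssl decodes and verifies is byte-for-byte identical while a hash of the PEM file as stored is not. This is the "final padding" case the comment refers to: any token id derived from the whole document will see a second, distinct id for the same signed token, so a revocation-list lookup keyed on the original id misses it, whereas an id derived from the signed data is unaffected by how the file is wrapped.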
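The fix the comment describes, deriving the token id from the octets the signature covers rather than from the whole file, as an added Python illustration that is not Keystone's own code. It builds a constructed, unsigned SignedData-shaped envelope (empty signerInfos, so nothing here verifies a signature) around a small JSON token that reuses the start of the JSON visible in the derdump hex, then reproduces both edits from the diffs above: dropping the trailing newline of the PEM file, and changing one byte of the encapsulated contentType OID so that 1 2 840 113549 1 7 1 reads 0 26 840 113549 1 7 1. The hash algorithm (SHA-256) and all helper names are this example's own choices; the DER walk validates tags only, not the whole CMS grammar.

```python
"""Token id from the signed content, not from the whole PEM file (added example)."""
import base64
import hashlib
import json

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
OID_SHA1 = bytes.fromhex("2b0e03021a")                 # 1.3.14.3.2.26, as in the derdump

# Constructed sample token: the prefix of the JSON seen in the derdump octet string.
SAMPLE_TOKEN = {"token": {"methods": ["password"],
                          "roles": [{"id": "f03fda8f8a3249b2a70fb1f176a7b631",
                                     "name": "role1"}]}}


def der_tlv(tag, body):
    """Encode one DER TLV with a definite (short or long form) length."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        enc = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return bytes([tag]) + length + body


def build_cms(token):
    """ContentInfo{id-signedData, [0]{SignedData{version, digestAlgorithms, encapContentInfo, signerInfos}}}."""
    econtent = json.dumps(token).encode()
    encap = der_tlv(0x30, der_tlv(0x06, OID_DATA) + der_tlv(0xA0, der_tlv(0x04, econtent)))
    signed = der_tlv(0x30, der_tlv(0x02, b"\x01")
                     + der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, OID_SHA1)))
                     + encap
                     + der_tlv(0x31, b""))  # signerInfos left empty: no real signature
    return der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA) + der_tlv(0xA0, signed))


def to_pem(der, trailing_newline=True):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    text = "-----BEGIN CMS-----\n" + body + "\n-----END CMS-----"
    return (text + "\n" if trailing_newline else text).encode()


def from_pem(pem):
    lines = [l.strip() for l in pem.splitlines() if l.strip() and not l.startswith(b"-----")]
    return base64.b64decode(b"".join(lines))


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        hdr, length = 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + hdr, pos + hdr + length


def expect(buf, pos, tag):
    t, s, e = read_tlv(buf, pos)
    if t != tag:
        raise ValueError("expected tag 0x%02x at offset %d, got 0x%02x" % (tag, pos, t))
    return s, e


def locate(der):
    """Walk down to encapContentInfo and return the offsets of its two children."""
    s, _ = expect(der, 0, 0x30)           # ContentInfo
    _, e = expect(der, s, 0x06)           # contentType (id-signedData), skipped
    s, _ = expect(der, e, 0xA0)           # [0] EXPLICIT content
    s, _ = expect(der, s, 0x30)           # SignedData
    _, e = expect(der, s, 0x02)           # version
    _, e = expect(der, e, 0x31)           # digestAlgorithms
    s, _ = expect(der, e, 0x30)           # encapContentInfo
    oid_s, oid_e = expect(der, s, 0x06)   # eContentType
    s, _ = expect(der, oid_e, 0xA0)       # [0] EXPLICIT eContent
    c_s, c_e = expect(der, s, 0x04)       # OCTET STRING: what the signature digest covers
    return {"econtent_type": (oid_s, oid_e), "econtent": (c_s, c_e)}


def signed_content(der):
    s, e = locate(der)["econtent"]
    return bytes(der[s:e])


def econtent_type_is_data(der):
    """The check the comment asks for: reject an envelope whose eContentType is not id-data."""
    s, e = locate(der)["econtent_type"]
    return bytes(der[s:e]) == OID_DATA


def document_token_id(pem):
    """Flawed scheme: the id depends on every byte of the stored file."""
    return hashlib.sha256(pem).hexdigest()


def content_token_id(pem):
    """Id over the signed octets only, so wrapper and header edits cannot mint a new id."""
    return hashlib.sha256(signed_content(from_pem(pem))).hexdigest()


def strip_trailing_newline(pem):
    return pem.rstrip(b"\n")


def tamper_econtent_type(der):
    """Reproduce the derdump diff: first OID byte 0x2a (arcs 1 2) becomes 0x1a (arcs 0 26)."""
    out = bytearray(der)
    s, _ = locate(out)["econtent_type"]
    out[s] = 0x1A
    return bytes(out)
```

Running the two manipulations through both id schemes shows the point: `document_token_id` yields a fresh id for the newline-stripped file and for the OID-altered file, while `content_token_id` returns the original id in both cases, and `econtent_type_is_data` is false for the altered file, which is the structural check a verifier should apply before trusting the envelope.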