OpenCA improperly verifies certificate signatures

openca-improper-signature-verification (14847) The risk level is classified as Medium Risk


OpenCA could allow a remote attacker to bypass signature verification, caused by a vulnerability in the libCheckSignature function in the crypto-utils.lib library. OpenCA validates signatures improperly, based only on the serial of the certificate. A remote attacker could exploit this vulnerability by using an invalid certificate to gain unauthorized access to an application using OpenCA.
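The serial-only comparison described above, modelled beside a stricter check that requires the signer to be the stored certificate itself. This is an added illustration in Python, not OpenCA's code or its actual fix; the `Cert` class, CA names, serial and function names are constructed, and signature and chain validation are assumed to have already succeeded.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (a model, not a parser)."""
    issuer: str
    serial: int
    subject: str

    def fingerprint(self) -> bytes:
        # Stand-in for a hash over the certificate's full DER encoding.
        encoded = f"{self.issuer}|{self.serial}|{self.subject}".encode()
        return hashlib.sha256(encoded).digest()

# Constructed sample data: two CAs are both present in the trusted chain directory.
TRUSTED_ISSUERS = {"CN=Example CA A", "CN=Example CA B"}
ALICE = Cert("CN=Example CA A", 0x2A, "CN=alice")
# A serial is only unique per issuer, so another trusted CA can issue the same one.
LOOKALIKE = Cert("CN=Example CA B", 0x2A, "CN=someone-else")
DATABASE = {ALICE.serial: ALICE}  # certificates registered with the application

def chain_trusted(cert: Cert) -> bool:
    return cert.issuer in TRUSTED_ISSUERS

def accept_serial_only(signer: Cert) -> bool:
    """Weak check: signer is accepted if its serial matches a stored certificate."""
    return chain_trusted(signer) and signer.serial in DATABASE

def accept_full_match(signer: Cert) -> bool:
    """Stricter check: the signer must be the stored certificate itself."""
    stored = DATABASE.get(signer.serial)
    if stored is None or not chain_trusted(signer):
        return False
    return hmac.compare_digest(stored.fingerprint(), signer.fingerprint())

if __name__ == "__main__":
    for name, cert in (("alice", ALICE), ("lookalike", LOOKALIKE)):
        print(name, accept_serial_only(cert), accept_full_match(cert))
```

Both certificates chain to a trusted CA and share a serial, so only the full comparison tells them apart.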


Gain Access


Upgrade to the latest version of OpenCA ( or later), available from the OpenCA Web site. See References.


  • OpenCA Security Advisory [16 January 2004]: Vulnerability in signature verification.
  • OpenCA Web site: OpenCA PKI Development Project.
  • BID-9435: OpenCA Crypto-Utils.Lib Signature Verification Vulnerability
  • BID-944: HP Path MTU Discovery DoS Vulnerability
  • CVE-2004-0004: The libCheckSignature function in crypto-utils.lib for OpenCA and earlier only compares the serial of the signer's certificate and the one in the database, which can cause OpenCA to incorrectly accept a signature if the certificate's chain is trusted by OpenCA's chain directory, allowing remote attackers to spoof requests from other users.
  • OSVDB ID: 3615: OpenCA crypto-utils.lib libCheckSignature Function Signature Validation Weakness
  • US-CERT VU#336446: OpenCA libCheckSignature function fails to properly verify the signature of certificates

Platforms Affected:

  • OpenCA OpenCA prior to


Jan 16, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
