--certs created corrupted certificate files on 0.8
Version v0.7 works fine
Version v0.8.1 (next binary I can download) creates a corrupted cert that fails verification.
It seems it adds 05 00 bytes at offset 1d, which decodes into a "parameter null". The resulting certificate fails to verify.
# openssl verify -attime 1669870800 -show_chain -CAfile ca.cert.pem -untrusted intermediate-prod.cert.pem 1.cert
C = US, ST = California, L = Los Angeles, O = Starling Lab, CN = Starling Lab Bijeljina Investigation, emailAddress = "[email protected]"
error 7 at 0 depth lookup: certificate signature failure
error 1.cert: verification failed
140171197306176:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../crypto/asn1/a_verify.c:170:
vs 0.7
# openssl verify -attime 1669870800 -show_chain -CAfile ca.cert.pem -untrusted intermediate-prod.cert.pem 1-1.cert
1-1.cert: OK
Chain:
depth=0: C = US, ST = California, L = Los Angeles, O = Starling Lab, CN = Starling Lab Bijeljina Investigation, emailAddress = "[email protected]" (untrusted)
depth=1: C = US, ST = California, L = Stanford, O = Starling Lab, CN = Starling Lab Intermediate CA, emailAddress = "[email protected]" (untrusted)
depth=2: C = US, ST = California, L = Stanford, O = Starling Lab, emailAddress = "[email protected]", CN = Starling Lab Root CA
I cannot reproduce this. Can you supply a test image and possibly certs?
@mauricefisher64
Example image (taken of the DJ and the War Crimes archive):
https://investigation.rollingstone.com/original-assets/C049-1296.png
Content Verified online: https://contentcredentials.org/verify?source=https%3A%2F%2Finvestigation.rollingstone.com%2Foriginal-assets%2FC049-1296.png
CA Certificates: https://github.com/starlinglab/starling-certificate-authority/tree/master/CA/certs
Update: Replaced example with C049-1296.png.
Note: the other example I posted had a Photoshop manifest as the last manifest signed, so --certs was extracting only the last certificate (Adobe). There does not seem to be any way to extract earlier certificates.
Example:
# Get Certs
wget https://raw.githubusercontent.com/starlinglab/starling-certificate-authority/master/CA/certs/ca.cert.pem
wget https://raw.githubusercontent.com/starlinglab/starling-certificate-authority/master/CA/certs/intermediate-prod.cert.pem
# Get image
wget https://investigation.rollingstone.com/original-assets/C049-1296.png
# test C2PA 9.4
wget https://github.com/contentauth/c2patool/releases/download/v0.9.4/c2patool-v0.9.4-x86_64-unknown-linux-gnu.tar.gz
tar xvf c2patool-v0.9.4-x86_64-unknown-linux-gnu.tar.gz
c2patool/c2patool --certs C049-1296.png > test-9.4.cert
openssl verify -attime 1669870800 -show_chain -CAfile ca.cert.pem -untrusted intermediate-prod.cert.pem test-9.4.cert
C = US, ST = California, L = Los Angeles, O = Starling Lab, CN = Starling Lab Bijeljina Investigation, emailAddress = "[email protected]"
error 7 at 0 depth lookup: certificate signature failure
error test-9.4.cert: verification failed
4097DAE6297F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../crypto/asn1/a_verify.c:217:
# test C2PA 7.0
wget https://github.com/contentauth/c2patool/releases/download/v0.7.0/c2patool_linux_intel.tar.gz
tar xvf c2patool_linux_intel.tar.gz
c2patool/c2patool --certs C049-1296.png > test-7.0.cert
openssl verify -attime 1669870800 -show_chain -CAfile ca.cert.pem -untrusted intermediate-prod.cert.pem test-7.0.cert
test-7.0.cert: OK
Chain:
depth=0: C = US, ST = California, L = Los Angeles, O = Starling Lab, CN = Starling Lab Bijeljina Investigation, emailAddress = "[email protected]" (untrusted)
depth=1: C = US, ST = California, L = Stanford, O = Starling Lab, CN = Starling Lab Intermediate CA, emailAddress = "[email protected]" (untrusted)
depth=2: C = US, ST = California, L = Stanford, O = Starling Lab, emailAddress = "[email protected]", CN = Starling Lab Root CA
#
Looks like a crate we use had a bug. I will close once merged.
Fixed in 0.9.6
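The symptom reported in the first post (extra 05 00 "parameter null" bytes inside the certificate) can be confirmed by walking the DER and reading the AlgorithmIdentifier parameters in tbsCertificate, the part the signature is computed over. This is an added example, not code from c2patool or from this thread; the helper names, the ECDSA OID and the certificate skeleton are assumptions constructed for illustration.

```python
ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")  # OID 1.2.840.10045.4.3.2 (assumed)

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, tag_offset, content_start, content_end) for TLVs in [start, end)."""
    pos = start
    while pos < end:
        tag, s, e = read_tlv(buf, pos)
        yield tag, pos, s, e
        pos = e

def alg_params(buf, item):
    """Return (kind, offset) for the parameters of one AlgorithmIdentifier."""
    parts = list(children(buf, item[2], item[3]))
    if not parts or parts[0][0] != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    if len(parts) == 1:
        return ("absent", None)
    tag, off, s, e = parts[1]
    return ("NULL" if tag == 0x05 and s == e else "other", off)

def inspect_cert(der):
    """Report the parameters field inside tbsCertificate and in the outer wrapper."""
    _, s, e = read_tlv(der, 0)                       # Certificate SEQUENCE
    top = list(children(der, s, e))                  # tbs, signatureAlgorithm, signature
    tbs = list(children(der, top[0][2], top[0][3]))
    sig = tbs[2] if tbs[0][0] == 0xA0 else tbs[1]    # follows [0] version and serial
    return {"tbs": alg_params(der, sig), "outer": alg_params(der, top[1])}

def tlv(tag, content):                               # short-form lengths only
    return bytes([tag, len(content)]) + content

def sample(tbs_null):
    """Constructed certificate skeleton with a dummy signature, not a real certificate."""
    oid = tlv(0x06, ECDSA_SHA256)
    inner = tlv(0x30, oid + (b"\x05\x00" if tbs_null else b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x10\x00") + inner)
    return tlv(0x30, tbs + tlv(0x30, oid) + tlv(0x03, b"\x00\xaa\xbb"))

if __name__ == "__main__":
    print(inspect_cert(sample(False)), inspect_cert(sample(True)))
```

To inspect real extractor output, convert the first PEM block to DER (for example with `ssl.PEM_cert_to_DER_cert`) and pass the bytes to `inspect_cert`.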