a ROA with EE cert replaced with specially-crafted invalid cert is sort-of accepted in certain circumstances #28

@dseomn

With the following sequence of events:

  1. empty the RPSTIR database
  2. get/generate a valid ROA file and call it good.roa
  3. extract the EE certificate
  4. invalidate the extracted EE certificate in some way that's not immediately detectable by RPSTIR without additional information (e.g., re-issue the same EE cert from a different CA that doesn't hold the resources in the EE cert)
  5. put the bad certificate back in the ROA and call the resulting file bad.roa
  6. add bad.roa into the RPSTIR database
  7. add the original good.roa into the database
  8. add all of the relevant CA certificates

RPSTIR will print the following error message when adding good.roa:

ERR: Add failed: good.roa: error Duplicate signature (-90)

and the query utility will report bad.roa and good.roa.cer as accepted. It should accept good.roa, not bad.roa (the two are identical, however, when you ignore the EE cert).

Reported by: rhansen

Original Ticket: rpstir/tickets/28
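
The insertion-order effect in steps 6 and 7, as an added example that is not RPSTIR code and not part of the original report. It assumes the store treats the signature value as unique (suggested by the "Duplicate signature" error); the class names, the sample bytes and the hash-keyed alternative are hypothetical, and it does not reproduce the query utility's output.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Roa:
    name: str
    econtent: bytes   # signed payload (ASN and prefixes)
    ee_cert: bytes    # embedded EE certificate, stand-in bytes
    signature: bytes  # signature value, unchanged when only the EE cert is swapped

    def object_hash(self) -> str:
        h = hashlib.sha256()
        for part in (self.econtent, self.ee_cert, self.signature):
            h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
        return h.hexdigest()

class SignatureKeyedStore:
    """Assumed model of the reported behaviour: signature is unique, first add wins."""
    def __init__(self):
        self.rows = {}
    def add(self, roa):
        if roa.signature in self.rows:
            return f"ERR: Add failed: {roa.name}: error Duplicate signature (-90)"
        self.rows[roa.signature] = roa
        return "OK"

class ObjectKeyedStore:
    """Hypothetical alternative: uniqueness on the hash of the whole object."""
    def __init__(self):
        self.rows = {}
    def add(self, roa):
        self.rows.setdefault(roa.object_hash(), roa)
        return "OK"

def names_with_valid_ee(store, valid_ee_certs):
    """Stored ROAs whose EE cert passed path validation (supplied here as a set)."""
    return sorted(r.name for r in store.rows.values() if r.ee_cert in valid_ee_certs)

# Constructed sample objects: same payload and signature, different EE cert.
GOOD = Roa("good.roa", b"AS64496 192.0.2.0/24", b"ee-from-resource-holding-ca", b"sig-bytes")
BAD = Roa("bad.roa", GOOD.econtent, b"ee-reissued-by-other-ca", GOOD.signature)
VALID_EE = {GOOD.ee_cert}

def replay(store):
    """Add bad.roa first, then good.roa, as in steps 6 and 7."""
    return [store.add(BAD), store.add(GOOD)]

if __name__ == "__main__":
    for store in (SignatureKeyedStore(), ObjectKeyedStore()):
        print(type(store).__name__, replay(store), names_with_valid_ee(store, VALID_EE))
```

With the signature as the unique key, good.roa is never stored once bad.roa holds the slot; keyed on the whole object, both are stored and EE path validation can select good.roa.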
