[openssl-users] Why is the signing-time signed attribute added unconditionally in CMS signatures?
Stephan Mühlstrasser
stm at pdflib.com
Tue Feb 7 11:15:33 UTC 2017
Hi,
I'm wondering why OpenSSL adds the signing-time signed attribute
unconditionally to a CMS signedData object. See function
CMS_SignerInfo_sign() in source file cms_sd.c:
    if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) {
        if (!cms_add1_signingTime(si, NULL))
            goto err;
    }
I found nothing in RFC 5652 that mandates the addition of the
signing-time attribute. It's merely described as a "useful attribute".
The unconditional addition of the signing-time attribute is a problem
when using OpenSSL for the creation of PAdES-conforming PDF signatures.
The ETSI standard ETSI TS 102 778-3 (PDF Advanced Electronic Signature
Profiles; Part 3: PAdES Enhanced) explicitly requires the following:
http://www.etsi.org/deliver/etsi_ts/102700_102799/10277803/01.01.02_60/ts_10277803v010102p.pdf
"4.5.3 signing-time Attribute
For all profiles covered in the present document the signing-time
attribute shall not be used."
So a CMS API flag would be useful that allows suppression of the
signing-time attribute.
--
Stephan
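As an added example (not part of the original post and not OpenSSL code), the following Python script shows the check a PAdES verifier or a build-time conformance test would run against the SignedAttributes of a CMS SignerInfo: walk the DER, collect the attrType OIDs, and flag the presence of the PKCS#9 signing-time attribute (OID 1.2.840.113549.1.9.5) that ETSI TS 102 778-3 clause 4.5.3 forbids. The sample SignedAttributes blobs are constructed in the script with a minimal DER encoder; the function and constant names are the example's own.

```python
"""Detect the PKCS#9 signing-time attribute in CMS SignedAttributes (added example)."""

SIGNING_TIME_OID = "1.2.840.113549.1.9.5"
CONTENT_TYPE_OID = "1.2.840.113549.1.9.3"
MESSAGE_DIGEST_OID = "1.2.840.113549.1.9.4"
ID_DATA_OID = "1.2.840.113549.1.7.1"


# --- minimal DER encoding helpers (only what the constructed sample needs) ---
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


# --- minimal DER decoding ---
def der_read(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        yield tag, inner


def oid_to_dotted(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def signed_attr_oids(signed_attrs: bytes) -> list:
    """Collect attrType OIDs from SignedAttributes, accepting either the
    [0] IMPLICIT tag used inside SignerInfo (0xA0) or the plain SET (0x31)
    form that is re-encoded when the attributes are digested for signing."""
    tag, body, _ = der_read(signed_attrs)
    if tag not in (0xA0, 0x31):
        raise ValueError("not a SignedAttributes value: tag 0x%02x" % tag)
    oids = []
    for atag, abody in der_children(body):
        if atag != 0x30:  # Attribute ::= SEQUENCE { attrType OID, attrValues SET }
            raise ValueError("Attribute is not a SEQUENCE")
        otag, obody, _ = der_read(abody)
        if otag != 0x06:
            raise ValueError("attrType is not an OBJECT IDENTIFIER")
        oids.append(oid_to_dotted(obody))
    return oids


def pades_signing_time_ok(signed_attrs: bytes) -> bool:
    """True when the signing-time attribute is absent, as PAdES requires."""
    return SIGNING_TIME_OID not in signed_attr_oids(signed_attrs)


# --- constructed sample input (not a real signature) ---
def make_attr(oid: str, value_der: bytes) -> bytes:
    return der_tlv(0x30, der_oid(oid) + der_tlv(0x31, value_der))


def constructed_signed_attrs(with_signing_time: bool) -> bytes:
    attrs = make_attr(CONTENT_TYPE_OID, der_oid(ID_DATA_OID))
    attrs += make_attr(MESSAGE_DIGEST_OID, der_tlv(0x04, bytes(32)))  # placeholder digest
    if with_signing_time:
        attrs += make_attr(SIGNING_TIME_OID, der_tlv(0x17, b"170207111533Z"))  # UTCTime
    return der_tlv(0xA0, attrs)


if __name__ == "__main__":
    for flag in (True, False):
        blob = constructed_signed_attrs(flag)
        print(signed_attr_oids(blob), "PAdES-ok:", pades_signing_time_ok(blob))
```

To run the same check on a real CMS signature, extract the SignerInfo's signedAttrs element (for example from the DER contained in a PDF /Contents entry) and pass those bytes to pades_signing_time_ok; the parser deliberately inspects only the attribute types and does not validate the signature itself.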