openssl cms verification date

Tomas Mraz tomas at openssl.org
Thu Feb 8 10:46:59 UTC 2024


On Thu, 2024-02-08 at 11:37 +0100, François Legal wrote:
> Hello,
> 
> I'm new to this list.
> 
> I'm using pkcs7 packages to embed firmware, to provide authenticity
> verification before doing firmware upgrades.
> 
> I use the openssl cms command for verification purpose, but face the
> following problem:
> when doing verify, openssl cms -verify does check whether the signing
> certificate is valid today, not whether or not it was still valid
> when the package got signed.
> 
> I saw the -attime option to specify the verification date, but found
> no easy way to fetch the signature date from the package for each
> signature.
> 
> So I was wondering if it was the intended function that the
> certificate validity verification was made at the verification date
> and not the signature date.

Yes, this was certainly intentional. I could envision that a new option
could be added to the cms command that would verify the signature at
the date when the signature was made. However, please note that without
some kind of assurance that the signature was really made at the time
that is recorded in the message, the signature could have been done
with a key that was already expired anyway. This assurance is usually
done by timestamping via a trusted timestamping authority, but there
might be other means.

-- 
Tomáš Mráz, OpenSSL
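The behaviour discussed in this thread, as an added example that is not part of the original exchange and not OpenSSL project code: a POSIX shell script that builds a throwaway CA and a signer certificate valid for one day, signs a constructed payload with `openssl cms -sign`, reads the `signingTime` signed attribute back out of the package with `openssl cms -cmsout -print`, and then verifies the package with `-attime` set to that time, with the current clock, and at a time after the certificate has expired. All file names, subject names and the payload are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the behaviour François
# describes and the -attime workaround Tomas refers to.
# Every file name, subject name and the payload below are constructed for
# this demo; nothing here is taken from a real firmware package.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, certs and the package

# Build a throwaway CA and a signer certificate that is valid for $1 days only.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Firmware CA" -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Firmware Signer" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/signer.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$1" -out "$WORK/signer.crt" >/dev/null 2>&1
}

# Wrap a payload in a CMS SignedData (DER, content attached). openssl adds the
# signingTime signed attribute from the signer's own clock unless -noattr is given.
sign_package() {
  openssl cms -sign -binary -nodetach -in "$1" -signer "$WORK/signer.crt" \
    -inkey "$WORK/signer.key" -outform DER -out "$WORK/package.p7s"
}

# Print the signingTime attribute of the (first) signer as openssl renders it,
# e.g. "Feb  8 10:46:59 2024 GMT". RFC 5652 encodes it as UTCTime up to 2049
# and GeneralizedTime after that, so both spellings are accepted here.
signing_time() {
  openssl cms -cmsout -print -inform DER -in "$WORK/package.p7s" \
    | awk '/signingTime/ {f=1} f && /(UTCTIME|GENERALIZEDTIME):/ {sub(/.*TIME:/, ""); print; exit}'
}

# Convert that text to seconds since the epoch, which is what -attime expects.
# The first form is GNU date; the fallback is BSD/macOS date.
to_epoch() {
  date -u -d "$1" +%s 2>/dev/null \
    || date -u -j -f "%b %d %H:%M:%S %Y %Z" "$1" +%s
}

# Verify the package against the demo CA. $1 = epoch seconds for -attime;
# empty means "use the current clock", which is what cms -verify does by default.
# Prints ok or fail so the result can be compared in a script.
verify_at() {
  if [ -n "${1:-}" ]; then set -- -attime "$1"; else set --; fi
  if openssl cms -verify -inform DER -in "$WORK/package.p7s" -CAfile "$WORK/ca.crt" \
       "$@" -out /dev/null >/dev/null 2>&1; then echo ok; else echo fail; fi
}

run_demo() {
  make_pki 1                                   # signer cert expires tomorrow
  printf 'demo firmware image (constructed)\n' > "$WORK/firmware.bin"
  sign_package "$WORK/firmware.bin"
  st=$(signing_time); at=$(to_epoch "$st")
  echo "signingTime in package     : $st (epoch $at)"
  echo "verify with -attime $at: $(verify_at "$at")"                 # ok
  echo "verify with current clock  : $(verify_at "")"                  # ok, not yet expired
  echo "verify two days later      : $(verify_at $((at + 2 * 86400)))" # fail, cert expired
}

if [ "${1:-}" = run ]; then run_demo; fi
```

Run it as `sh cms_attime_demo.sh run`. The third verification is the situation from the question: once the signer certificate has expired, `openssl cms -verify` fails even though the package was signed while it was valid, and feeding the package's own `signingTime` to `-attime` makes it pass again. That is exactly the point Tomas makes: `signingTime` is a signed attribute filled in from the signer's clock, so it is only as trustworthy as the signer, and a key that had already expired could just as well have written a plausible date. Only an independent assurance such as a token from a trusted timestamping authority ties the signature to a time the verifier did not get from the signer.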
