Re: openssl cms verification date
François Legal
devel at thom.fr.eu.org
Thu Feb 8 13:13:35 UTC 2024
Le Jeudi, Février 08, 2024 11:46 CET, Tomas Mraz <tomas at openssl.org> a écrit:
> On Thu, 2024-02-08 at 11:37 +0100, François Legal wrote:
> > Hello,
> >
> > I'm new to this list.
> >
> > I'm using pkcs7 packages to embbed firmware, to procide authenticity
> > verification before doing firmware upgrades.
> >
> > I use the openssl cms command for verification purpose, but face the
> > following problem :
> > when doing verify, openssl cms -verify does check whether the signing
> > certificate is valid today, not whether or not it was still valid
> > when the package got signed.
> >
> > I saw the -attime option to specify the verification date, but found
> > no easy way to fetch the signature date from the package for each
> > signature.
> >
> > So I was wondering if it was the intended function that the
> > certificate validity verification was made at the verification date
> > and not the signature date.
>
> Yes, this was certainly intentional. I could envision that a new option
> could be added to the cms command that would verify the signature at
> the date when the signature was made. However please note that without
> some kind of assurance that the signature was really made at the time
> that is recorded in the message, the signature could have been done
> with a key that was already expired anyway. This assurance is done
> usually by timestamping via a trusted timestamping authority but there
> might be other means.
>
Sure I get the point. You can't really be sure that the signature was made at the clained time as the signerInfo structure is not signed itself. Could you please comment however on why verifying the validity of the certificate at the verification date is better in that matter.
I already have a patch to provide for verifying the signature at signature time. Shall I send a pull request ?
François
> --
> Tomáš Mráz, OpenSSL
>
More information about the openssl-users
mailing list