openssl cms verification date

Lutz Jänicke lutz at lutz-jaenicke.de
Sat Feb 10 17:29:47 UTC 2024


On 08.02.24 16:57, Hubert Kario wrote:
> On Thursday, 8 February 2024 14:13:35 CET, François Legal wrote:
>> Le Jeudi, Février 08, 2024 11:46 CET, Tomas Mraz <tomas at openssl.org> 
>> a écrit:
>>> On Thu, 2024-02-08 at 11:37 +0100, François Legal wrote:
>>>> Hello,
>>>>
>>>> I'm new to this list.
>>>>
>>>> I'm using pkcs7 packages to embbed firmware, to procide authenticity
>>>> verification before doing firmware upgrades.
>>>>
>>>> I use the openssl cms command for verification purpose, but face the
>>>> following problem :
>>>> when doing verify, openssl cms -verify does check whether the signing
>>>> certificate is valid today, not whether or not it was still valid
>>>> when the package got signed.
>>>>
>>>> I saw the -attime option to specify the verification date, but found
>>>> no easy way to fetch the signature date from the package for each
>>>> signature.
>>>>
>>>> So I was wondering if it was the intended function that the
>>>> certificate validity verification was made at the verification date
>>>> and not the signature date.
>>>
>>> Yes, this was certainly intentional. I could envision that a new option
>>> could be added to the cms command that would verify the signature at
>>> the date when the signature was made. However please note that without
>>> some kind of assurance that the signature was really made at the time
>>> that is recorded in the message, the signature could have been done
>>> with a key that was already expired anyway. This assurance is done
>>> usually by timestamping via a trusted timestamping authority but there
>>> might be other means.
>>>
>>
>> Sure I get the point. You can't really be sure that the signature was 
>> made at the clained time as the signerInfo structure is not signed 
>> itself. Could you please comment however on why verifying the 
>> validity of the certificate at the verification date is better in 
>> that matter.
>> I already have a patch to provide for verifying the signature at 
>> signature time. Shall I send a pull request ?
>
> I'd suggest reading the CAdES[1] standards for electronic signatures 
> that are
> supposed to be verified years after the signature were made. It goes
> into detail what you need to do.
>
> In practice it means:
>
> * you need trusted timestamps from a time stamping
>   authority in the CAdES format (that will allow for automated 
> verification).
> * Or a notary document stating that given signature was made before given
>   date (that will require manual verification).
>
> 1 - https://en.wikipedia.org/wiki/CAdES_(computing)


Please have a look into https://github.com/openssl/openssl/pull/21475

Best regards,

     Lutz




More information about the openssl-users mailing list