[openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

David Woodhouse dwmw2 at infradead.org
Tue Jul 28 10:38:05 UTC 2015 

On Wed, 2015-07-22 at 16:47 +0000, Viktor Dukhovni wrote:
> On Wed, Jul 22, 2015 at 03:36:40PM +0000, David Woodhouse via RT 
> wrote:
> 
> > FWIW the Linux kernel also specifically avoids checking timestamps
> > altogether when validating signed modules.
> 
> You probably need a dedicated implementation of X509_verify_cert().
> When dealing with "data at rest" (signed email, signed code, ...)
> certificate expiration needs to be understood in the context of
> time of signature, not time of verification.

Yes, but AFAICT the security model here is entirely bogus.

If we're going to trust a third party to say "<this> is my signature,
oh and trust me, <this> is when I signed it", then we might as well not
be checking the validity time for that third party's signatures at all.
There is *no* benefit, surely? Just complexity.

> Ideally (this generally works for email), the verifier "initially"
> verifies the signed object before the expiration time of the
> certificate and then caches this fact in some manner, so that
> subsequent verification can ignore the certificate entirely, and
> just check the the object has not changed since initially verified.

Except that IMAP deliberately provides a *read-only* message store. You
cannot modify messages in any way, by design. You can only add flags.

I don't even want to contemplate a world in which we just have a
'trust me, message signature was OK' flag on a mailstore and allow that
to bypass the *actual* checking.

Actually, if you look at RFC3851 §2.5.1 you'll see that we include a
signingTime attribute in the S/MIME message. Validation is done using
that.

Which makes it entirely pointless, as I said above. You might as well
just not *check* the validity time at all when validating email,
surely?

Hell, it would make more sense in the case of email to do the check
using the Date: header (or the last Resent-Date: header). At least that
wouldn't be *entirely* redundant. And it wouldn't be possible to
falsely sign a message 


> If caching results of initial verification is not an option, then
> perhaps disabling expiration checks is a last-resort option. 

It's not an option. It's not even a good idea.

>  There are ways (with care) to do this via the verify callback, which 
> can be made to suppress *only* expiration errors and fail on all 
> other errors.

Yeah. And it turns out that we have verify callbacks in most cases
*already*, to cope with intermediate CAs being present in our trust
store without the ultimate self-signed root CA also being present.
(Although I'd hope there was a better way to handle that; I'll come
back to that later.)

So for now I can live without the requested feature — although
reluctantly because I think the reasons for refusing are utterly bogus
— and fix it up on the EDK2 side just by ignoring/allowing
X509_V_ERR_CERT_{HAS_EXPIRED,NOT_YET_VALID} thus:
  http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/9b89269c

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150728/f56fdb2f/attachment-0001.bin>

More information about the openssl-dev mailing list