[openssl-users] Why is the signing-time signed attribute added unconditionally in CMS signatures?

Stephan Mühlstrasser stm at pdflib.com
Tue Feb 7 11:15:33 UTC 2017


I'm wondering why OpenSSL adds the signing-time signed attribute 
unconditionally to a CMS signedData object. See function 
CMS_SignerInfo_sign() in source file cms_sd.c:

     if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) {
         /* no signing-time attribute present yet: add one carrying the current time */
         if (!cms_add1_signingTime(si, NULL))
             goto err;
     }

I found nothing in RFC 5652 that mandates the addition of the 
signing-time attribute. It's merely described as a "useful attribute".

The unconditional addition of the signing-time attribute is a problem 
when using OpenSSL for the creation of PAdES-conforming PDF signatures.

The ETSI standard ETSI TS 102 778-3 (PDF Advanced Electronic Signature 
Profiles; Part 3: PAdES Enhanced) explicitly requires the following:


"4.5.3 signing-time Attribute
For all profiles covered in the present document the signing-time 
attribute shall not be used."

So a CMS API flag would be useful that allows suppression of the 
signing-time attribute.
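As an added example (not from the original post and not OpenSSL code), a stdlib-only Python checker that walks a DER-encoded CMS structure and reports whether the PKCS#9 signing-time attribute (OID 1.2.840.113549.1.9.5) is present, which is the check a PAdES producer would run over OpenSSL's output before embedding it in a PDF. The signedAttrs bytes at the bottom are constructed inline for the demonstration, not taken from a real signature.

```python
SIGNING_TIME_OID = "1.2.840.113549.1.9.5"   # PKCS#9 signing-time (RFC 5652 11.3)
def _read_tlv(buf, pos):
    """Parse one TLV at buf[pos]; return (tag, is_constructed, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:  # BER indefinite length (what CMS_STREAM output uses): not DER
        raise ValueError("indefinite length octet at offset %d; re-encode as DER first" % (pos - 1))
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, bool(tag & 0x20), buf[pos:pos + length], pos + length
def _decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))
def find_attributes(der):
    """Map attribute OID -> raw SET content for every Attribute (SEQUENCE { OID, SET })
    found anywhere in the structure; for a SignerInfo that is signedAttrs/unsignedAttrs."""
    found = {}
    def walk(buf):
        pos = 0
        while pos < len(buf):
            tag, constructed, value, pos = _read_tlv(buf, pos)
            if tag == 0x30 and value[:1] == b"\x06":
                _, _, oid, rest = _read_tlv(value, 0)
                if rest < len(value) and value[rest] == 0x31:
                    found[_decode_oid(oid)] = _read_tlv(value, rest)[2]
            if constructed:  # descend into SEQUENCE/SET/[0] etc., never into OCTET STRING payloads
                walk(value)
    walk(der)
    return found
def has_signing_time(der):
    """True if signing-time is present, i.e. the output is not PAdES-conforming (TS 102 778-3 4.5.3)."""
    return SIGNING_TIME_OID in find_attributes(der)
# Constructed sample input (not real signature data): signedAttrs [0] IMPLICIT SET OF Attribute
def _enc(tag, content):  # tiny DER encoder, short-form length only
    assert len(content) < 128
    return bytes([tag, len(content)]) + content
_PKCS9 = b"\x2a\x86\x48\x86\xf7\x0d\x01\x09"  # 1.2.840.113549.1.9 arc
def _attr(last_arc, value_tlv):
    return _enc(0x30, _enc(0x06, _PKCS9 + bytes([last_arc])) + _enc(0x31, value_tlv))
_CONTENT_TYPE = _attr(3, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))  # id-data
_MESSAGE_DIGEST = _attr(4, _enc(0x04, bytes(32)))       # dummy all-zero SHA-256 digest
_SIGNING_TIME = _attr(5, _enc(0x17, b"170207111533Z"))  # UTCTime, as OpenSSL adds by default
SIGNED_ATTRS_DEFAULT = _enc(0xA0, _CONTENT_TYPE + _SIGNING_TIME + _MESSAGE_DIGEST)
SIGNED_ATTRS_PADES = _enc(0xA0, _CONTENT_TYPE + _MESSAGE_DIGEST)  # what PAdES requires
```

Running it over a whole DER SignedData works the same way, since the walker descends through every constructed element until it reaches the SignerInfo's attribute sets.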
