[openssl-users] in the department of "ain't no perfect"
hkario at redhat.com
Wed Jan 16 11:27:34 UTC 2019
On Tuesday, 15 January 2019 22:38:32 CET Eliot Lear wrote:
> Hi Rich and thanks for your response. Please see below.
> On 15.01.19 21:12, Salz, Rich via openssl-users wrote:
> >> like a way to extract the signature date from a CMS structure. With all
> >> the opaque structs that have been introduced in the last few releases,
> >> it's not clear to me how to do that. Any examples or guidance (other
> >> than don't do that)?>
> > Can you list which fields you need and open an issue on github? Yes, this
> > would be a bug-fix because "going opaque" made some things not possible.
> Wilco. For the benefit of others, I'm the verifier, and at least at the
> moment, no externally signed timestamp is available. So what I want
> access to is the id-signingTime attribute from the CMS structure,
> preferably parsed neatly into a time_t akin to
> X509_VERIFY_PARAM_get_time, but presumably coming from CMS_ContentInfo.
> I don't know if this was was ever externalized, Rich, but I'll open the
> Github issue. I recognize that examining this value is not without
> risks in the general case.
for one, if the attacker can forge a signature, he or she can easily forge
that attribute too – it's not something you can depend on
For maintaining signatures that need to be valid long into the future
standards like CAdES should be used. They keep time of signing in timestamps
signed by trusted time-stamping authorities, along with the rest of revocation
data necessary to verify the original signature.
Senior Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: This is a digitally signed message part.
More information about the openssl-users