[openssl-users] in the department of "ain't no perfect"

[Hubert Kario]

On Tuesday, 15 January 2019 22:38:32 CET Eliot Lear wrote:
> Hi Rich and thanks for your response.  Please see below.
> 
> On 15.01.19 21:12, Salz, Rich via openssl-users wrote:
> >> like a way to extract the signature date from a CMS structure.  With all
> >> the opaque structs that have been introduced in the last few releases,
> >> it's not clear to me how to do that.  Any examples or guidance (other
> >> than don't do that)?> 
> > Can you list which fields you need and open an issue on github?  Yes, this
> > would be a bug-fix because "going opaque" made some things not possible.
> Wilco.  For the benefit of others, I'm the verifier, and at least at the
> moment, no externally signed timestamp is available.  So what I want
> access to is the id-signingTime attribute from the CMS structure,
> preferably parsed neatly into a time_t akin to
> X509_VERIFY_PARAM_get_time, but presumably coming  from CMS_ContentInfo.
> 
> I don't know if this was was ever externalized, Rich, but I'll open the
> Github issue.  I recognize that examining this value is not without
> risks in the general case.

for one, if the attacker can forge a signature, he or she can easily forge 
that attribute too – it's not something you can depend on

For maintaining signatures that need to be valid long into the future 
standards like CAdES should be used. They keep time of signing in timestamps 
signed by trusted time-stamping authorities, along with the rest of revocation 
data necessary to verify the original signature.
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190116/89619fb1/attachment.sig>