[xmlsec] Verify signature after certificate expired

Aleksey Sanin aleksey at aleksey.com
Wed Oct 9 23:02:05 PDT 2002 

OpenSSL just don't have the required parameters in X509_STORE
structure. However, it does have the needed stuff in X509_STORE_CTX
so potentially there is a way to handle this, just extra code in xmlsec.
How badly do you really need this stuff? Please, think twice because:

    1) XMLDsig has no standard way of specifing signature timestamp
    (i.e. if you want to use this then you'll need to define your own and
    extract the timestamp before verifing the signature);
    2) you will need to create xmlSecDSigCtx object for every signature
    you are verifing (signature timestamps may be different)
    3) imho, this is wrong idea and it is very simple to screw up everything


Aleksey


Moultrie, Ferrell (ISSAtlanta) wrote:

>Aleksey:
>  Since OpenSSL 0.9.7 is still in beta, I'm a bit reluctant to use it in
>a release version of my products. We're very close to release right now
>and I hate to have to revisit most of the QA process just because I need
>to upgrade OpenSSL -- and to an unreleased version also. Can you point
>me to what the issue is in 0.9.6g vs 0.9.7 -- API, file, etc. -- so that
>maybe I can figure out a minimally intrusive way to do something similar
>in 0.9.6g? Any ideas/hints would be appreciated ...
>Thanks!
>  Ferrell
>
>-----Original Message-----
>From: Aleksey Sanin [mailto:aleksey at aleksey.com] 
>Sent: Thursday, October 10, 2002 12:17 AM
>To: xmlsec at aleksey.com
>Subject: Re: [xmlsec] Verify signature after certificate expired
>
>
>It turns out that there is pretty simple way to set verification
>time in OpenSSL (0.9.7) and I did implemented this so you can
>find the "certs verification time" in the tommorow nightly snapshot
>or in Gnome CVS (http://www.aleksey.com/xmlsec/download.html).
>However, this works only with OpenSSL 0.9.7!
>
>1. Using certs verification time from library.
>  a) enable verification time check in the simple keys manager (btw, you
>      can set any other OpenSSL flags using the same function):
>                   
>        xmlSecKeysMngrPtr keyMgr = NULL;
>
>        ....
>        xmlSecSimpleKeysMngrSetCertsFlags(keyMgr,  
>X509_V_FLAG_USE_CHECK_TIME);
>        ....
>
>  b) set the new "certsVerificationTime" member of the xmlSecDSigCtxPtr
>or
>      xmlSecEncCtxPtr structures to the required time (most likely this 
>means
>      that you'll need to create new structures for each signature 
>verification or
>      each decryption operation).
>
>2. Using certs verification time from xmlsec command line utility.
>(you need to have strptime() function available on your platform: Linux 
>and Windows
>do have it).
>  Specify --verificaiton-time <time> parameter where <time> is the local
>
>system time and
>  has the following format
>        YYYY-MM-DD HH:MM:SS
>  
>Hope, this closes the problem but let me know if there something else I 
>can do.
>
>
>With best regards,
>
>Aleksey
>
>Aleksey Sanin wrote:
>
>  
>
>>I had some time to read RFC (in particular, RFC 1422, RFC 1423, RFC
>>    
>>
>1424,
>  
>
>>RFC 2459), and I found that:
>>   1) signature verification requires "valid" certificate;
>>   2) "valid" certificate is application specific;
>>   3) the application may accept "invalid" certs and show application 
>>specific
>>    warning to user.
>>To clarify item 2): the application may decide that "expired cert" is 
>>valid cert as well
>>as "cert found in CRL" is valid cert or "cert has wrong purpose" is 
>>valid cert.
>>IMHO, this is wrong but I do understand that there may be good reasons
>>    
>>
>
>  
>
>>to do this.
>>
>>In application to XMLSec library, this means that when I don't like 
>>the idea of
>>accepting expired certificates, I will try to look at OpenSSL and find
>>    
>>
>
>  
>
>>out
>>how difficult it would be to disable this check. If this could be done
>>    
>>
>
>  
>
>>w/o huge problems
>>then I'll add a config parameter to xmlSecKeysManager (and xmlsec 
>>application)
>>that controls whether it accepts expired certs or not. However, if 
>>I'll found that this check
>>is in the core of OpenSSL certs verification process and there is no 
>>simple way
>>of disabling it then I'll leave this to application (as you know the 
>>cert verification
>>could be completelly handled by the application). Of course, if anyone
>>    
>>
>
>  
>
>>can submit
>>a patch to xmlsec that'll do this then I'll be happy to apply it 
>>(after code review,
>>of course :) ).
>>
>>Any suggestions, comments?
>>
>>Aleksey.
>>
>> 
>>_______________________________________________
>>xmlsec mailing list
>>xmlsec at aleksey.com
>>http://www.aleksey.com/mailman/listinfo/xmlsec
>>    
>>
>
>
>
>
>_______________________________________________
>xmlsec mailing list
>xmlsec at aleksey.com
>http://www.aleksey.com/mailman/listinfo/xmlsec
>_______________________________________________
>xmlsec mailing list
>xmlsec at aleksey.com
>http://www.aleksey.com/mailman/listinfo/xmlsec
>  
>

More information about the xmlsec mailing list