<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"> I am using a modified “sign3” example code for embedding a X.509 certificate and signing xml documents and I ran into what seems like an odd behavior; this is in Linux with
<b>xmlsec1-1.2.20</b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The specific question I have is about the X.509 <b>Certificate verification-time</b>:<o:p></o:p></p>
<div style="mso-element:para-border-div;border:solid #AAAAFF 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt;background:#EEEEFF">
<p class="MsoNormal" style="background:#EEEEFF;border:none;padding:0in"><span style="font-size:10.0pt;font-family:"Courier New"">struct xmlSecKeyInfoCtx {<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""> /* x509 certificates */<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""> time_t
<span style="background:yellow;mso-highlight:yellow">certsVerificationTime</span>;<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I used a self-signed CA certificate with this validity:<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""> Validity<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""> Not Before: Jan 26 20:46:22 2015 GMT<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""> Not After : Feb 25 20:46:22 2015 GMT<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">And:<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""># sign3 testxml.xml rootkey.pem rootcert.pem >testSigned.xml<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">Enter PEM pass phrase:<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It worked fine; but next I moved the system date to Mar 3, 2015… and to my surprise it still worked!<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""># date<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New";background:yellow;mso-highlight:yellow">Tue Mar 3 22:22:16 EST 2015</span><span style="font-size:8.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""># sign3 testxml.xml rootkey.pem rootcert.pem >testSigned.xml<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">Enter PEM pass phrase:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal">In both cases I get the output file signed and with the embedded X.509 cert:<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""># vim testSigned.xml<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><?xml version="1.0"?><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><racine toto="erer">level1<test>intest</test><test>intest2</test>endoflevel1<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><SignedInfo><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><Reference><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><Transforms><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""></Transforms><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><DigestValue>H/ILZ7Z0RSv2h74QrfJaB5aBOuA=</DigestValue><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""></Reference><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""></SignedInfo><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><SignatureValue>A7eUNa8k/gh34mO3AwtO3KAYptQ5JLrnhjiNHLJVUInbUbjxGFfDr+DvIgvjPE2j<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">6AE2MiUVt84prNh5JZ7NC+SqrRyd3WrNDFObPBS9gzL+8vXxOvp849PCPLVLirLN<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">if1Q3ndzLcuEq2xBHjc++6r8Xe2TXpk5dOuW51lxa8TdRxe4vxv9H5mnXQDBeMpG<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">AeuFWEdvqMepHOqP1zBeIr0M/mFLOg945lX+tJALc7CL0tn0nzPw2UVMlOTEBPEP<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">cgZyATG1MjoPGg5gt68mIx5EIJBnTo+HoGCw9cNFAI8s4ylgCgWx/DLKo9qAqIxb<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">7hsfZo+uRkhGdLqd9hJWXg==</SignatureValue><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><KeyInfo><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><X509Data><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><X509Certificate>…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">PhifuV2JLOqxMiTFBQYMLL3zGec/wi6X4rnPWlfkchBK6ITOsQGMEAZ9lNTycTVP<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">qLlSKgs=</X509Certificate><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""></X509Data><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""></KeyInfo><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""></Signature></racine><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">However I need to point out that the verification does fail:
<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""># xmlsec1 --verify --print-debug --trusted-pem akirootcert.pem testSigned.xml<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:<span style="background:yellow;mso-highlight:yellow">error=4:crypto library function</span>
failed:subj=/C=CA/ST=Quebec/L=Montreal/O=xyz/OU=ABC/CN=ABC CA ROOT;err=10;<span style="background:yellow;mso-highlight:yellow">msg=certificate has expired</span><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal">Unless I use the –verification-time:<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">xmlsec1 --verify --print-debug --verification-time "2015-01-30 00:00:00" --trusted-pem rootcert.pem testSigned.xml<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New";background:yellow;mso-highlight:yellow">OK</span><span style="font-size:8.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">SignedInfo References (ok/all): 1/1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">Manifests References (ok/all): 0/0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">= VERIFICATION CONTEXT<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">== Status: succeeded<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New"">…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal">I was wondering if you could explain this dual behavior.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal"> Pablo<span style="font-size:8.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
</div>
</body>
</html>