[xmlsec] Verify signature after certificate expired

Aleksey Sanin aleksey at aleksey.com
Wed Oct 9 21:17:10 PDT 2002 

It turns out that there is pretty simple way to set verification
time in OpenSSL (0.9.7) and I did implemented this so you can
find the "certs verification time" in the tommorow nightly snapshot
or in Gnome CVS (http://www.aleksey.com/xmlsec/download.html).
However, this works only with OpenSSL 0.9.7!

1. Using certs verification time from library.
  a) enable verification time check in the simple keys manager (btw, you
      can set any other OpenSSL flags using the same function):
                   
        xmlSecKeysMngrPtr keyMgr = NULL;

        ....
        xmlSecSimpleKeysMngrSetCertsFlags(keyMgr,  
X509_V_FLAG_USE_CHECK_TIME);
        ....

  b) set the new "certsVerificationTime" member of the xmlSecDSigCtxPtr or
      xmlSecEncCtxPtr structures to the required time (most likely this 
means
      that you'll need to create new structures for each signature 
verification or
      each decryption operation).

2. Using certs verification time from xmlsec command line utility.
(you need to have strptime() function available on your platform: Linux 
and Windows
do have it).
  Specify --verificaiton-time <time> parameter where <time> is the local 
system time and
  has the following format
        YYYY-MM-DD HH:MM:SS
  
Hope, this closes the problem but let me know if there something else I 
can do.


With best regards,

Aleksey

Aleksey Sanin wrote:

> I had some time to read RFC (in particular, RFC 1422, RFC 1423, RFC 1424,
> RFC 2459), and I found that:
>    1) signature verification requires "valid" certificate;
>    2) "valid" certificate is application specific;
>    3) the application may accept "invalid" certs and show application 
> specific
>     warning to user.
> To clarify item 2): the application may decide that "expired cert" is 
> valid cert as well
> as "cert found in CRL" is valid cert or "cert has wrong purpose" is 
> valid cert.
> IMHO, this is wrong but I do understand that there may be good reasons 
> to do this.
>
> In application to XMLSec library, this means that when I don't like 
> the idea of
> accepting expired certificates, I will try to look at OpenSSL and find 
> out
> how difficult it would be to disable this check. If this could be done 
> w/o huge problems
> then I'll add a config parameter to xmlSecKeysManager (and xmlsec 
> application)
> that controls whether it accepts expired certs or not. However, if 
> I'll found that this check
> is in the core of OpenSSL certs verification process and there is no 
> simple way
> of disabling it then I'll leave this to application (as you know the 
> cert verification
> could be completelly handled by the application). Of course, if anyone 
> can submit
> a patch to xmlsec that'll do this then I'll be happy to apply it 
> (after code review,
> of course :) ).
>
> Any suggestions, comments?
>
> Aleksey.
>
>  
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list