[xmlsec] Verify signature after certificate expired
Moultrie, Ferrell (ISSAtlanta)
FMoultrie at iss.net
Wed Oct 9 22:21:44 PDT 2002
Since OpenSSL 0.9.7 is still in beta, I'm a bit reluctant to use it in
a release version of my products. We're very close to release right now
and I hate to have to revisit most of the QA process just because I need
to upgrade OpenSSL -- and to an unreleased version also. Can you point
me to what the issue is in 0.9.6g vs 0.9.7 -- API, file, etc. -- so that
maybe I can figure out a minimally intrusive way to do something similar
in 0.9.6g? Any ideas/hints would be appreciated ...
From: Aleksey Sanin [mailto:aleksey at aleksey.com]
Sent: Thursday, October 10, 2002 12:17 AM
To: xmlsec at aleksey.com
Subject: Re: [xmlsec] Verify signature after certificate expired
It turns out that there is pretty simple way to set verification
time in OpenSSL (0.9.7) and I did implemented this so you can
find the "certs verification time" in the tommorow nightly snapshot
or in Gnome CVS (http://www.aleksey.com/xmlsec/download.html).
However, this works only with OpenSSL 0.9.7!
1. Using certs verification time from library.
a) enable verification time check in the simple keys manager (btw, you
can set any other OpenSSL flags using the same function):
xmlSecKeysMngrPtr keyMgr = NULL;
b) set the new "certsVerificationTime" member of the xmlSecDSigCtxPtr
xmlSecEncCtxPtr structures to the required time (most likely this
that you'll need to create new structures for each signature
each decryption operation).
2. Using certs verification time from xmlsec command line utility.
(you need to have strptime() function available on your platform: Linux
do have it).
Specify --verificaiton-time <time> parameter where <time> is the local
system time and
has the following format
Hope, this closes the problem but let me know if there something else I
With best regards,
Aleksey Sanin wrote:
> I had some time to read RFC (in particular, RFC 1422, RFC 1423, RFC
> RFC 2459), and I found that:
> 1) signature verification requires "valid" certificate;
> 2) "valid" certificate is application specific;
> 3) the application may accept "invalid" certs and show application
> warning to user.
> To clarify item 2): the application may decide that "expired cert" is
> valid cert as well
> as "cert found in CRL" is valid cert or "cert has wrong purpose" is
> valid cert.
> IMHO, this is wrong but I do understand that there may be good reasons
> to do this.
> In application to XMLSec library, this means that when I don't like
> the idea of
> accepting expired certificates, I will try to look at OpenSSL and find
> how difficult it would be to disable this check. If this could be done
> w/o huge problems
> then I'll add a config parameter to xmlSecKeysManager (and xmlsec
> that controls whether it accepts expired certs or not. However, if
> I'll found that this check
> is in the core of OpenSSL certs verification process and there is no
> simple way
> of disabling it then I'll leave this to application (as you know the
> cert verification
> could be completelly handled by the application). Of course, if anyone
> can submit
> a patch to xmlsec that'll do this then I'll be happy to apply it
> (after code review,
> of course :) ).
> Any suggestions, comments?
> xmlsec mailing list
> xmlsec at aleksey.com
xmlsec mailing list
xmlsec at aleksey.com
More information about the xmlsec