[xmlsec] Verify signature after certificate expired

Moultrie, Ferrell (ISSAtlanta) FMoultrie at iss.net
Wed Oct 9 22:21:44 PDT 2002

  Since OpenSSL 0.9.7 is still in beta, I'm a bit reluctant to use it in
a release version of my products. We're very close to release right now
and I hate to have to revisit most of the QA process just because I need
to upgrade OpenSSL -- and to an unreleased version also. Can you point
me to what the issue is in 0.9.6g vs 0.9.7 -- API, file, etc. -- so that
maybe I can figure out a minimally intrusive way to do something similar
in 0.9.6g? Any ideas/hints would be appreciated ...

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com] 
Sent: Thursday, October 10, 2002 12:17 AM
To: xmlsec at aleksey.com
Subject: Re: [xmlsec] Verify signature after certificate expired

It turns out that there is pretty simple way to set verification
time in OpenSSL (0.9.7) and I did implemented this so you can
find the "certs verification time" in the tommorow nightly snapshot
or in Gnome CVS (http://www.aleksey.com/xmlsec/download.html).
However, this works only with OpenSSL 0.9.7!

1. Using certs verification time from library.
  a) enable verification time check in the simple keys manager (btw, you
      can set any other OpenSSL flags using the same function):
        xmlSecKeysMngrPtr keyMgr = NULL;


  b) set the new "certsVerificationTime" member of the xmlSecDSigCtxPtr
      xmlSecEncCtxPtr structures to the required time (most likely this 
      that you'll need to create new structures for each signature 
verification or
      each decryption operation).

2. Using certs verification time from xmlsec command line utility.
(you need to have strptime() function available on your platform: Linux 
and Windows
do have it).
  Specify --verificaiton-time <time> parameter where <time> is the local

system time and
  has the following format
Hope, this closes the problem but let me know if there something else I 
can do.

With best regards,


Aleksey Sanin wrote:

> I had some time to read RFC (in particular, RFC 1422, RFC 1423, RFC
> RFC 2459), and I found that:
>    1) signature verification requires "valid" certificate;
>    2) "valid" certificate is application specific;
>    3) the application may accept "invalid" certs and show application 
> specific
>     warning to user.
> To clarify item 2): the application may decide that "expired cert" is 
> valid cert as well
> as "cert found in CRL" is valid cert or "cert has wrong purpose" is 
> valid cert.
> IMHO, this is wrong but I do understand that there may be good reasons

> to do this.
> In application to XMLSec library, this means that when I don't like 
> the idea of
> accepting expired certificates, I will try to look at OpenSSL and find

> out
> how difficult it would be to disable this check. If this could be done

> w/o huge problems
> then I'll add a config parameter to xmlSecKeysManager (and xmlsec 
> application)
> that controls whether it accepts expired certs or not. However, if 
> I'll found that this check
> is in the core of OpenSSL certs verification process and there is no 
> simple way
> of disabling it then I'll leave this to application (as you know the 
> cert verification
> could be completelly handled by the application). Of course, if anyone

> can submit
> a patch to xmlsec that'll do this then I'll be happy to apply it 
> (after code review,
> of course :) ).
> Any suggestions, comments?
> Aleksey.
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

xmlsec mailing list
xmlsec at aleksey.com

More information about the xmlsec mailing list