[xmlsec] X.509 Certificate verification-time for signing versus verifying

Pablo DePaulis Pablo.DePaulis at dialogic.com
Fri Jan 30 14:33:57 PST 2015 

Hello,
  I am using a modified "sign3" example code for embedding a X.509 certificate and signing xml documents and I ran into what seems like an odd behavior; this is in Linux with xmlsec1-1.2.20

The specific question I have is about the X.509 Certificate verification-time:
struct xmlSecKeyInfoCtx {

...
    /* x509 certificates */
    time_t                              certsVerificationTime;

I used a self-signed CA certificate with this validity:
        Validity
            Not Before: Jan 26 20:46:22 2015 GMT
            Not After : Feb 25 20:46:22 2015 GMT

And:
# sign3 testxml.xml rootkey.pem rootcert.pem >testSigned.xml
Enter PEM pass phrase:

It worked fine; but next I moved the system date to Mar 3, 2015... and to my surprise it still worked!
# date
Tue Mar  3 22:22:16 EST 2015

# sign3 testxml.xml rootkey.pem rootcert.pem >testSigned.xml
Enter PEM pass phrase:

In both cases I get the output file signed and with the embedded X.509 cert:

# vim testSigned.xml

<?xml version="1.0"?>
<racine toto="erer">level1<test>intest</test><test>intest2</test>endoflevel1<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference>
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>H/ILZ7Z0RSv2h74QrfJaB5aBOuA=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>A7eUNa8k/gh34mO3AwtO3KAYptQ5JLrnhjiNHLJVUInbUbjxGFfDr+DvIgvjPE2j
6AE2MiUVt84prNh5JZ7NC+SqrRyd3WrNDFObPBS9gzL+8vXxOvp849PCPLVLirLN
if1Q3ndzLcuEq2xBHjc++6r8Xe2TXpk5dOuW51lxa8TdRxe4vxv9H5mnXQDBeMpG
AeuFWEdvqMepHOqP1zBeIr0M/mFLOg945lX+tJALc7CL0tn0nzPw2UVMlOTEBPEP
cgZyATG1MjoPGg5gt68mIx5EIJBnTo+HoGCw9cNFAI8s4ylgCgWx/DLKo9qAqIxb
7hsfZo+uRkhGdLqd9hJWXg==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>...
...
PhifuV2JLOqxMiTFBQYMLL3zGec/wi6X4rnPWlfkchBK6ITOsQGMEAZ9lNTycTVP
qLlSKgs=</X509Certificate>
</X509Data>
</KeyInfo>
</Signature></racine>

However I need to point out that the verification does fail:
# xmlsec1 --verify --print-debug --trusted-pem akirootcert.pem testSigned.xml

func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CA/ST=Quebec/L=Montreal/O=xyz/OU=ABC/CN=ABC CA ROOT;err=10;msg=certificate has expired


Unless I use the -verification-time:
xmlsec1 --verify --print-debug --verification-time "2015-01-30 00:00:00" --trusted-pem rootcert.pem testSigned.xml

OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: succeeded
...

I was wondering if you could explain this dual behavior.

Regards,
  Pablo




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20150130/ffa7f042/attachment.html>

More information about the xmlsec mailing list