On Tuesday, 15 January 2019 22:38:32 CET Eliot Lear wrote: > Hi Rich and thanks for your response. Please see below. > > On 15.01.19 21:12, Salz, Rich via openssl-users wrote: > >> like a way to extract the signature date from a CMS structure. With all > >> the opaque structs that have been introduced in the last few releases, > >> it's not clear to me how to do that. Any examples or guidance (other > >> than don't do that)?> > > Can you list which fields you need and open an issue on github? Yes, this > > would be a bug-fix because "going opaque" made some things not possible. > Wilco. For the benefit of others, I'm the verifier, and at least at the > moment, no externally signed timestamp is available. So what I want > access to is the id-signingTime attribute from the CMS structure, > preferably parsed neatly into a time_t akin to > X509_VERIFY_PARAM_get_time, but presumably coming from CMS_ContentInfo. > > I don't know if this was was ever externalized, Rich, but I'll open the > Github issue. I recognize that examining this value is not without > risks in the general case. for one, if the attacker can forge a signature, he or she can easily forge that attribute too – it's not something you can depend on For maintaining signatures that need to be valid long into the future standards like CAdES should be used. They keep time of signing in timestamps signed by trusted time-stamping authorities, along with the rest of revocation data necessary to verify the original signature. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
Attachment:
signature.asc
Description: This is a digitally signed message part.
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
