Re: in the department of "ain't no perfect"

On Tuesday, 15 January 2019 22:38:32 CET Eliot Lear wrote:
> Hi Rich and thanks for your response.  Please see below.
> 
> On 15.01.19 21:12, Salz, Rich via openssl-users wrote:
> >> like a way to extract the signature date from a CMS structure.  With all
> >> the opaque structs that have been introduced in the last few releases,
> >> it's not clear to me how to do that.  Any examples or guidance (other
> >> than don't do that)?
> >
> > Can you list which fields you need and open an issue on github?  Yes, this
> > would be a bug-fix because "going opaque" made some things not possible.
> Wilco.  For the benefit of others, I'm the verifier, and at least at the
> moment, no externally signed timestamp is available.  So what I want
> access to is the id-signingTime attribute from the CMS structure,
> preferably parsed neatly into a time_t akin to
> X509_VERIFY_PARAM_get_time, but presumably coming from CMS_ContentInfo.
> 
> I don't know if this was ever externalized, Rich, but I'll open the
> Github issue.  I recognize that examining this value is not without
> risks in the general case.

For one, if the attacker can forge a signature, he or she can easily forge 
that attribute too – it's not something you can depend on.

For maintaining signatures that need to be valid long into the future 
standards like CAdES should be used. They keep time of signing in timestamps 
signed by trusted time-stamping authorities, along with the rest of revocation 
data necessary to verify the original signature.
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
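
An added example (not code from this thread or from OpenSSL) of what the request amounts to on the wire: walking a DER-encoded CMS blob to the first id-signingTime attribute and converting it to a time_t. The function names are hypothetical and the code assumes definite-length DER with a single signer; as the reply above notes, the value is only the signer's own claim, so it belongs after signature verification and never in place of a trusted timestamp.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/* DER of OID 1.2.840.113549.1.9.5 (id-signingTime), tag and length included. */
static const unsigned char ST_OID[11] = {0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x05};

static int two(const unsigned char *p) {           /* two ASCII digits, or -1 */
    if (p[0] < '0' || p[0] > '9' || p[1] < '0' || p[1] > '9') return -1;
    return (p[0] - '0') * 10 + (p[1] - '0');
}

/* v = the attribute's SET OF Time; accepts UTCTime YYMMDDHHMMSSZ or GeneralizedTime YYYYMMDDHHMMSSZ. */
static int parse_time(const unsigned char *v, size_t n, time_t *out) {
    int f[7] = {0}, utc = (n == 17 && v[0] == 0x31 && v[1] == 15 && v[2] == 0x17 && v[3] == 13);
    if (!utc && !(n == 19 && v[0] == 0x31 && v[1] == 17 && v[2] == 0x18 && v[3] == 15)) return -1;
    v += 4;
    for (int k = utc; k < 7; k++, v += 2)          /* f = century, yy, mon, day, h, min, s */
        if ((f[k] = two(v)) < 0) return -1;
    if (*v != 'Z') return -1;
    if (utc) f[0] = f[1] < 50 ? 20 : 19;           /* RFC 5652 11.3: YY >= 50 means 19YY */
    int y = f[0] * 100 + f[1], m = f[2], d = f[3];
    if (y < 1 || m < 1 || m > 12 || d < 1 || d > 31 || f[4] > 23 || f[5] > 59 || f[6] > 59) return -1;
    y -= m <= 2;                                   /* civil date to days since 1970-01-01 */
    long long yoe = y % 400, doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long long days = (y / 400) * 146097LL + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
    *out = (time_t)(days * 86400 + f[4] * 3600 + f[5] * 60 + f[6]);
    return 0;
}

/* Walk DER TLVs, descending only into constructed types, so bytes inside the OCTET STRING
 * eContent are never interpreted. depth bounds recursion on hostile input. */
static int walk(const unsigned char *p, size_t len, int depth, time_t *out) {
    while (len >= 2 && depth < 32 && (p[0] & 0x1F) != 0x1F) {
        size_t hl = 2, cl = p[1], k = cl & 0x7F;
        if (cl & 0x80) {                           /* long form; indefinite (BER) is rejected */
            if (k == 0 || k > 4 || len < 2 + k) return -1;
            for (cl = 0; hl < 2 + k; hl++) cl = cl << 8 | p[hl];
        }
        if (cl > len - hl) return -1;              /* value would run past the buffer */
        if (p[0] == 0x30 && cl > 11 && !memcmp(p + hl, ST_OID, 11)) {
            if (parse_time(p + hl + 11, cl - 11, out) == 0) return 0;
        } else if ((p[0] & 0x20) && walk(p + hl, cl, depth + 1, out) == 0) return 0;
        p += hl + cl; len -= hl + cl;
    }
    return -1;
}

/* Returns 0 and stores the first signer-asserted signingTime in a DER CMS blob, else -1. */
int cms_signing_time(const unsigned char *der, size_t len, time_t *out) { return walk(der, len, 0, out); }
```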
