On Thu, 2024-02-08 at 11:37 +0100, François Legal wrote: > Hello, > > I'm new to this list. > > I'm using pkcs7 packages to embbed firmware, to procide authenticity > verification before doing firmware upgrades. > > I use the openssl cms command for verification purpose, but face the > following problem : > when doing verify, openssl cms -verify does check whether the signing > certificate is valid today, not whether or not it was still valid > when the package got signed. > > I saw the -attime option to specify the verification date, but found > no easy way to fetch the signature date from the package for each > signature. > > So I was wondering if it was the intended function that the > certificate validity verification was made at the verification date > and not the signature date. Yes, this was certainly intentional. I could envision that a new option could be added to the cms command that would verify the signature at the date when the signature was made. However please note that without some kind of assurance that the signature was really made at the time that is recorded in the message, the signature could have been done with a key that was already expired anyway. This assurance is done usually by timestamping via a trusted timestamping authority but there might be other means. -- Tomáš Mráz, OpenSSL
