Re: openssl cms verification date

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 08.02.24 16:57, Hubert Kario wrote:

On Thursday, 8 February 2024 14:13:35 CET, François Legal wrote:
Le Jeudi, Février 08, 2024 11:46 CET, Tomas Mraz <tomas@xxxxxxxxxxx> a écrit: 
On Thu, 2024-02-08 at 11:37 +0100, François Legal wrote:

Hello,

I'm new to this list.

I'm using pkcs7 packages to embbed firmware, to procide authenticity
verification before doing firmware upgrades.

I use the openssl cms command for verification purpose, but face the
following problem :
when doing verify, openssl cms -verify does check whether the signing
certificate is valid today, not whether or not it was still valid
when the package got signed.

I saw the -attime option to specify the verification date, but found
no easy way to fetch the signature date from the package for each
signature.

So I was wondering if it was the intended function that the
certificate validity verification was made at the verification date
and not the signature date.


Yes, this was certainly intentional. I could envision that a new option
could be added to the cms command that would verify the signature at
the date when the signature was made. However please note that without
some kind of assurance that the signature was really made at the time
that is recorded in the message, the signature could have been done
with a key that was already expired anyway. This assurance is done
usually by timestamping via a trusted timestamping authority but there
might be other means.
Sure I get the point. You can't really be sure that the signature was made at the clained time as the signerInfo structure is not signed itself. Could you please comment however on why verifying the validity of the certificate at the verification date is better in that matter. I already have a patch to provide for verifying the signature at signature time. Shall I send a pull request ?
I'd suggest reading the CAdES[1] standards for electronic signatures that are 
supposed to be verified years after the signature were made. It goes
into detail what you need to do.

In practice it means:

* you need trusted timestamps from a time stamping
  authority in the CAdES format (that will allow for automated verification). 
* Or a notary document stating that given signature was made before given
  date (that will require manual verification).

1 - https://en.wikipedia.org/wiki/CAdES_(computing)



Please have a look into https://github.com/openssl/openssl/pull/21475

Best regards,

    Lutz
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux