[xmlsec] X.509 Certificate verification-time for signing versus verifying
Aleksey Sanin
aleksey at aleksey.com
Fri Jan 30 19:47:59 PST 2015
Signature is not validating the certificate since the entity performing
the signature is presumably has complete control over the key selection.
On the other hand, verification process has to validate the key to
ensure signature validity.
Best,
Aleksey
On 1/30/15 2:33 PM, Pablo DePaulis wrote:
> Hello,
>
> I am using a modified “sign3” example code for embedding a X.509
> certificate and signing xml documents and I ran into what seems like an
> odd behavior; this is in Linux with *xmlsec1-1.2.20*
>
>
>
> The specific question I have is about the X.509 *Certificate
> verification-time*:
>
> struct xmlSecKeyInfoCtx {
>
>
>
> …
>
> /* x509 certificates */
>
> time_t certsVerificationTime;
>
>
>
> I used a self-signed CA certificate with this validity:
>
> Validity
>
> Not Before: Jan 26 20:46:22 2015 GMT
>
> Not After : Feb 25 20:46:22 2015 GMT
>
>
>
> And:
>
> # sign3 testxml.xml rootkey.pem rootcert.pem >testSigned.xml
>
> Enter PEM pass phrase:
>
>
>
> It worked fine; but next I moved the system date to Mar 3, 2015… and to
> my surprise it still worked!
>
> # date
>
> Tue Mar 3 22:22:16 EST 2015
>
>
>
> # sign3 testxml.xml rootkey.pem rootcert.pem >testSigned.xml
>
> Enter PEM pass phrase:
>
>
>
> In both cases I get the output file signed and with the embedded X.509 cert:
>
>
>
> # vim testSigned.xml
>
>
>
> <?xml version="1.0"?>
>
> <racine
> toto="erer">level1<test>intest</test><test>intest2</test>endoflevel1<Signature
> xmlns="http://www.w3.org/2000/09/xmldsig#">
>
> <SignedInfo>
>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>
> <Reference>
>
> <Transforms>
>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>
> </Transforms>
>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <DigestValue>H/ILZ7Z0RSv2h74QrfJaB5aBOuA=</DigestValue>
>
> </Reference>
>
> </SignedInfo>
>
> <SignatureValue>A7eUNa8k/gh34mO3AwtO3KAYptQ5JLrnhjiNHLJVUInbUbjxGFfDr+DvIgvjPE2j
>
> 6AE2MiUVt84prNh5JZ7NC+SqrRyd3WrNDFObPBS9gzL+8vXxOvp849PCPLVLirLN
>
> if1Q3ndzLcuEq2xBHjc++6r8Xe2TXpk5dOuW51lxa8TdRxe4vxv9H5mnXQDBeMpG
>
> AeuFWEdvqMepHOqP1zBeIr0M/mFLOg945lX+tJALc7CL0tn0nzPw2UVMlOTEBPEP
>
> cgZyATG1MjoPGg5gt68mIx5EIJBnTo+HoGCw9cNFAI8s4ylgCgWx/DLKo9qAqIxb
>
> 7hsfZo+uRkhGdLqd9hJWXg==</SignatureValue>
>
> <KeyInfo>
>
> <X509Data>
>
> <X509Certificate>…
>
> …
>
> PhifuV2JLOqxMiTFBQYMLL3zGec/wi6X4rnPWlfkchBK6ITOsQGMEAZ9lNTycTVP
>
> qLlSKgs=</X509Certificate>
>
> </X509Data>
>
> </KeyInfo>
>
> </Signature></racine>
>
>
>
> However I need to point out that the verification does fail:
>
> # xmlsec1 --verify --print-debug --trusted-pem akirootcert.pem
> testSigned.xml
>
>
>
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
> library function
> failed:subj=/C=CA/ST=Quebec/L=Montreal/O=xyz/OU=ABC/CN=ABC CA
> ROOT;err=10;msg=certificate has expired
>
>
>
>
>
> Unless I use the –verification-time:
>
> xmlsec1 --verify --print-debug --verification-time "2015-01-30 00:00:00"
> --trusted-pem rootcert.pem testSigned.xml
>
>
>
> OK
>
> SignedInfo References (ok/all): 1/1
>
> Manifests References (ok/all): 0/0
>
> = VERIFICATION CONTEXT
>
> == Status: succeeded
>
> …
>
>
>
> I was wondering if you could explain this dual behavior.
>
>
>
> Regards,
>
> Pablo
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
More information about the xmlsec
mailing list