Tim Bruijnzeels
2012-11-14 12:44:55 UTC
Hi,
We recently upgraded to bouncy castle 1.47. Since then we occasionally get a "verifier not valid at signingTime" error for CMS objects that we try to verify (code snippet below). I believe, however, that this may be a little too strict.
The current CMS RFC 5652 (http://tools.ietf.org/html/rfc5652#section-11.3) has this text:
"No requirement is imposed concerning the correctness of the signing
time, and acceptance of a purported signing time is a matter of a
recipient's discretion. It is expected, however, that some signers,
such as time-stamp servers, will be trusted implicitly."
Which suggests that one should not (always) reject a CMS in this case.
And in our case we are using this to validate a specific CMS for which the signing time "MAY be present", but "MUST NOT affect the validity of the signed object":
http://tools.ietf.org/html/rfc6488#section-2.1.6.4.3
So my questions:
= Do you agree that this check is too strict?
= Or, are we just doing it wrong -- is there a way to let bouncy castle validate and not be strict on this (even if the signing time is present)?
(for now we work around this by using one of the deprecated verify methods that does not enforce this)
Thanks,
Tim Bruijnzeels
Senior Software Engineer
RIPE NCC
=====
Relevant code in bouncy castle:
org.bouncycastle.cms.SignerInformation:
    /**
     * Verify that the given verifier can successfully verify the signature on
     * this SignerInformation object.
     *
     * @param verifier a suitably configured SignerInformationVerifier.
     * @return true if the signer information is verified, false otherwise.
     * @throws org.bouncycastle.cms.CMSVerifierCertificateNotValidException if the provider has an associated certificate and the certificate is not valid at the time given as the SignerInfo's signing time.
     * @throws org.bouncycastle.cms.CMSException if the verifier is unable to create a ContentVerifiers or DigestCalculators.
     */
    public boolean verify(SignerInformationVerifier verifier)
        throws CMSException
    {
        Time signingTime = getSigningTime(); // has to be validated if present.
        if (verifier.hasAssociatedCertificate())
        {
            if (signingTime != null)
            {
                X509CertificateHolder dcv = verifier.getAssociatedCertificate();
                if (!dcv.isValidOn(signingTime.getDate()))
                {
                    throw new CMSVerifierCertificateNotValidException("verifier not valid at signingTime");
                }
            }
        }
        return doVerify(verifier);
    }
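Added example (not part of the original post and not Bouncy Castle's own code): a SignerInformationVerifier built from the bare public key has no associated certificate, so the verify() method quoted above skips the signing-time comparison, and the certificate's validity period is then checked separately against the recipient's own clock. The key pair, certificate and payload are constructed test values, and bcprov plus bcpkix are assumed to be on the classpath.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.cms.*;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

public class SigningTimeDemo {
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        JcaContentSignerBuilder csb = new JcaContentSignerBuilder("SHA256withRSA");
        // Constructed self-signed certificate, valid only from tomorrow, so a
        // signingTime of "now" falls outside its validity period.
        long now = System.currentTimeMillis(), day = 24L * 60 * 60 * 1000;
        X500Name dn = new X500Name("CN=constructed-test-signer");
        X509CertificateHolder cert = new JcaX509v3CertificateBuilder(dn, BigInteger.ONE,
                new Date(now + day), new Date(now + 2 * day), dn, kp.getPublic())
                .build(csb.build(kp.getPrivate()));

        // The default signed attributes include signingTime = current time.
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().build())
                .build(csb.build(kp.getPrivate()), cert));
        CMSSignedData cms = gen.generate(new CMSProcessableByteArray(new byte[] {1, 2, 3}), true);
        SignerInformation si = (SignerInformation) cms.getSignerInfos().getSigners().iterator().next();
        // Certificate-bound verifier: verify() runs the signingTime check first.
        try {
            si.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert));
        } catch (CMSVerifierCertificateNotValidException e) {
            System.out.println("certificate-bound verifier: " + e.getMessage());
        }

        // Key-only verifier: hasAssociatedCertificate() is false, so only the
        // signature and message digest are checked.
        boolean sigOk = si.verify(new JcaSimpleSignerInfoVerifierBuilder().build(kp.getPublic()));
        // Certificate validity is then checked against the recipient's own clock.
        boolean certOk = cert.isValidOn(new Date());
        System.out.println("signature=" + sigOk + " certValidNow=" + certOk);
    }
}
```

With the key-only verifier the caller is responsible for every certificate check (validity period, path validation, revocation), since the library no longer sees the certificate.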