[Bug 2003701] Re: PKCS7: Message signed outside of X.509 validity window
Dimitri John Ledkov
2003701 at bugs.launchpad.net
Mon Jan 23 11:53:12 UTC 2023
setting PKCS7_NOATTR is not enough, as that only removes the smime
capabilities signed attribute, whilst signature timestamp remains.
--- ./regular.text 2023-01-23 11:42:49.992929526 +0000
+++ noattr.text 2023-01-23 11:42:59.288981639 +0000
@@ -128,7 +128,7 @@
object: signingTime (1.2.840.113549.1.9.5)
set:
- UTCTIME:Jan 23 11:41:20 2023 GMT
+ UTCTIME:Jan 23 11:41:53 2023 GMT
object: messageDigest (1.2.840.113549.1.9.4)
set:
@@ -136,56 +136,32 @@
0000 - f8 cf 89 70 c1 6c 14 26-6d 56 c1 25 96 ...p.l.&mV.%.
000d - ce 74 11 77 a0 36 47 4d-3b 28 bf 7f 5b .t.w.6GM;(..[
001a - 1e b6 04 ed 21 f8 ....!.
-
- object: S/MIME Capabilities (1.2.840.113549.1.9.15)
- set:
- SEQUENCE:
- 0:d=0 hl=2 l= 106 cons: SEQUENCE
- 2:d=1 hl=2 l= 11 cons: SEQUENCE
- 4:d=2 hl=2 l= 9 prim: OBJECT :aes-256-cbc
- 15:d=1 hl=2 l= 11 cons: SEQUENCE
- 17:d=2 hl=2 l= 9 prim: OBJECT :aes-192-cbc
- 28:d=1 hl=2 l= 11 cons: SEQUENCE
- 30:d=2 hl=2 l= 9 prim: OBJECT :aes-128-cbc
- 41:d=1 hl=2 l= 10 cons: SEQUENCE
- 43:d=2 hl=2 l= 8 prim: OBJECT :des-ede3-cbc
- 53:d=1 hl=2 l= 14 cons: SEQUENCE
- 55:d=2 hl=2 l= 8 prim: OBJECT :rc2-cbc
- 65:d=2 hl=2 l= 2 prim: INTEGER :80
- 69:d=1 hl=2 l= 13 cons: SEQUENCE
- 71:d=2 hl=2 l= 8 prim: OBJECT :rc2-cbc
- 81:d=2 hl=2 l= 1 prim: INTEGER :40
- 84:d=1 hl=2 l= 7 cons: SEQUENCE
- 86:d=2 hl=2 l= 5 prim: OBJECT :des-cbc
- 93:d=1 hl=2 l= 13 cons: SEQUENCE
- 95:d=2 hl=2 l= 8 prim: OBJECT :rc2-cbc
- 105:d=2 hl=2 l= 1 prim: INTEGER :28
digest_enc_alg:
** Description changed:
When signing UEFI applications, the signature includes signing
timestamp.
Kernels, upon kexec, check that message signature is within the validity
of the X.509 signing certificate.
When using original canonical kernel team test key, I no longer can
kexec kernels, as the test key has expired.
UEFI specifications in general ignore signing time.
IMHO we should remove / not include signing timestamp in the UEFI
signatures to avoid this.
+
+ ---
+
+ i guess openssl needs to provide ability to create signatures without
+ signingtime attribute.
** Also affects: openssl (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sbsigntool in Ubuntu.
https://bugs.launchpad.net/bugs/2003701
Title:
PKCS7: Message signed outside of X.509 validity window
Status in openssl package in Ubuntu:
New
Status in sbsigntool package in Ubuntu:
New
Bug description:
When signing UEFI applications, the signature includes signing
timestamp.
Kernels, upon kexec, check that message signature is within the
validity of the X.509 signing certificate.
When using original canonical kernel team test key, I no longer can
kexec kernels, as the test key has expired.
UEFI specifications in general ignore signing time.
IMHO we should remove / not include signing timestamp in the UEFI
signatures to avoid this.
---
i guess openssl needs to provide ability to create signatures without
signingtime attribute.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2003701/+subscriptions
More information about the foundations-bugs
mailing list