On Sun, Mar 07, 2010, Graham Leggett wrote:

> Hi all,
>
> Now that I have my full error message, the problem I have is that the
> verification is failing because the certificate has expired:
>
> error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error: Verify
> error:certificate has expired
>
> The error message is correct - the certificate has expired - but - the
> certificate was valid when the message was originally signed.
>
> Is there a specific way I should format the effective date of the PKCS7
> smime message, so that PKCS7_verify() will say "on the date this message
> was signed, the attached certs were valid" (and if so, how), or must I
> parse the date of the message manually, and then feed it into
> X509_VERIFY_PARAM_set_time() on the certificate store parameters?
>
> I just need to check I am doing the right thing.
>

Obviously you need a reliable indication of when the message was originally
signed. There is a signing time attribute in PKCS#7 messages but this could be
set to a bogus invalid value by the signer using an expired certificate or a
revoked one pretending to be at a time before revocation.

If you do have a reliable time then yes X509_VERIFY_PARAM_set_time() is the
correct function to use.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org