Unexpected "certificate has expired or is not yet valid"
t0rr3sp3dr0 opened this issue
I have a file and a CMS signature for it and I'm trying to verify them using ietf-cms, but it returns an error saying the certificate is expired. When performing the same check using openssl, it succeeds.
I'm not very familiar with CMS, so the only information I'm able to give you is both files, the code I wrote to check them using ietf-cms, and the command I used to validate them using openssl.
Files
OpenSSL Command
openssl cms -verify -inform DER -in ./sig -content ./dat -purpose any
OpenSSL Output
CMS Verification successful
IETF-CMS Code
package main

import (
	"crypto/x509"
	"encoding/base64"
	"log"

	"github.com/github/smimesign/ietf-cms"
)

const (
dat64 = "2TGNnpt9PwNF0Xxb4tQaU4gIW8U="
sig64 = "MIIhNgYJKoZIhvcNAQcCoIIhJzCCISMCAQMxDTALBglghkgBZQMEAgEwCwYJKoZIhvcNAQcBoIIOqTCCBXYwggReoAMCAQICEDCb8dtVBjI6eFNjL1VrX3owDQYJKoZIhvcNAQELBQAwfDE2MDQGA1UEAwwtQXBwbGUgU29mdHdhcmUgVXBkYXRlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMTkwNDE3MjEyODIzWhcNMjkwNDE0MjEyODIzWjA8MRgwFgYDVQQDDA9Tb2Z0d2FyZSBVcGRhdGUxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxAiVROrg2z3HK6X3k9T9ETNW4hpXOte6OJsAW6oTm17pR1KSJRjx+j5pDylbmUfYudJnTe9n9epSgvUgLXUhFUBfWwGhvLUVla5uXc8DWAl108f07lI0r2X8umoldxs05GWTpVxOfVunCtzTY5FFRAehOQQOO+GhgrNhdKENFC9jUk2lXymPuey7fDpao5C7QsXa5gxTpQNK0ctjWBHKXleMMMuCxWtnxyGtLtJTX+aiFslVdbxIG2ofQ+0Wn9CT9XUo2f8C3iSrqUWUNEb62EGnbi4pnQchbnBbPlTDC6esx9gdTHAo0RFF51Uf7+kLDzfO1kFCmZiA4ro7Sc8rsQIDAQABo4ICMjCCAi4wDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBRZV/y6Oc/TWHZDE7PIxAatCFMrRDBFBggrBgEFBQcBAQQ5MDcwNQYIKwYBBQUHMAGGKWh0dHA6Ly9vY3NwLmFwcGxlLmNvbS9vY3NwMDMtc3d1cGRhdGVjYTAxMIIBHQYDVR0gBIIBFDCCARAwggEMBgkqhkiG92NkBQEwgf4wgcMGCCsGAQUFBwICMIG2DIGzUmVsaWFuY2Ugb24gdGhpcyBjZXJ0aWZpY2F0ZSBieSBhbnkgcGFydHkgYXNzdW1lcyBhY2NlcHRhbmNlIG9mIHRoZSB0aGVuIGFwcGxpY2FibGUgc3RhbmRhcmQgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YgdXNlLCBjZXJ0aWZpY2F0ZSBwb2xpY3kgYW5kIGNlcnRpZmljYXRpb24gcHJhY3RpY2Ugc3RhdGVtZW50cy4wNgYIKwYBBQUHAgEWKmh0dHBzOi8vd3d3LmFwcGxlLmNvbS9jZXJ0aWZpY2F0ZWF1dGhvcml0eTAXBgNVHSUBAf8EDTALBgkqhkiG92NkBAEwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5hcHBsZS5jb20vc29mdHdhcmV1cGRhdGVjYS5jcmwwHQYDVR0OBBYEFLA+ykKw7wZJ2tmXC842or8AipEIMA4GA1UdDwEB/wQEAwIHgDARBgsqhkiG92NkBgEdAgQCBQAwDQYJKoZIhvcNAQELBQADggEBABaM5sYiTZCkPE134dpcfAyYYBrH1IlaiQiaTdQArrMcoqlbkxzxmtj9XoBI7t0csDbzJgDeXRXIRYpxISjDm+Gf6kYYsR+GjlhwI2ODvVeRcU+rXBzkYdk6+SC+UQd9Tc+mc/3YqOhWzA5dHOfXrAWydU+k2KaeJ4o/PdhHuk2FvZf4X1nGIgJAY0Fl2F8Knht9RdO+bLWVg8KcSMJuExIWjZu5ar+3ky8C4U+jmyt0WW35f0hEQEJQJdHpzn9NEDyBt+6aI+6f4JNiCMyi00llkU+3KmAsnqoHl867eCRCsFj8WcXxwnILMrklcx0rtTx9YCkdBl8T790x63WKnZcwggRsMIIDVKADAgECAhBaokehFpDcKC789yxfQn3CMA0
GCSqGSIb3DQEBCwUAMGIxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpBcHBsZSBJbmMuMSYwJAYDVQQLEx1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEWMBQGA1UEAxMNQXBwbGUgUm9vdCBDQTAeFw0xOTAzMjIxNzUzMTJaFw0zMTEwMTUwMDAwMDBaMHwxNjA0BgNVBAMMLUFwcGxlIFNvZnR3YXJlIFVwZGF0ZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEgMB4GA1UECwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtPAgGrQTrFa/Il8ZCoRewcUcBJ4FZ1tun5tdp7PjLPv/kHpMNhOoE3WWHnnN0wGdV0/DWAQB7Wtuuq/k58+lJ3KUt3RMTbY4QsGLSLsUedjCWv2OzfBQHDl24pUTUEf85iqoi83Qmlg/XN6TkWVI8fv1VUXpuCDVVzuTtDARpXFsCFSx2HmpHCPe7/XWZc7pr3OtsSxDTC0L4c7PFt23LuxRCDgovkXZXkzZsip83bIY0+LOukLt4XRSjEFCBe/sv27js5nlXiFGVLT8cplNZZ/6B9pbjOfMbOF7VeCmV7xC95u/BoDoDHJuErGGSxZ7e3iVM6K5oL51ol5EDBr6nQIDAQABo4IBAjCB/zAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFCvQaUeUdgn+9GuNLkCm90dNfwheMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcwAYYoaHR0cDovL29jc3AuYXBwbGUuY29tL29jc3AwMy1hcHBsZXJvb3RjYTAUBgNVHSUEDTALBgkqhkiG92NkBAEwLgYDVR0fBCcwJTAjoCGgH4YdaHR0cDovL2NybC5hcHBsZS5jb20vcm9vdC5jcmwwHQYDVR0OBBYEFFlX/Lo5z9NYdkMTs8jEBq0IUytEMA4GA1UdDwEB/wQEAwIBBjAQBgoqhkiG92NkBgITBAIFADANBgkqhkiG9w0BAQsFAAOCAQEAkml4BIOxRIII27H7DNph4j8bbveEmL/8yFmPOu2YVP8XQKbI3MnWqe8kPatBHqS5SNJVLZqWDpTMBESQlx/1as6Ugv4N4uHt+bNt51WgUsN5/RdtY5aZwSLKvCSCOkKXolBlmDUGb+xygaf//M2UFBP99WtI2GTYjyy7Wwhs6CLKr+HknRecacw8VSyTvIeDaVP7oe90zmEC1TQnBqrJC8bT9BRieE4e1/ZKou1SOurW8FqupcEEAvTFMBBQafJlT4UkMYMMzRH5jn41etzXIs94/RI+tHhGBnFQboOUXAL3RR6g4JINWEFugKEsVfMi6SunYdzGrlpsTY/x7DyleTCCBLswggOjoAMCAQICAQIwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkFwcGxlIEluYy4xJjAkBgNVBAsTHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1BcHBsZSBSb290IENBMB4XDTA2MDQyNTIxNDAzNloXDTM1MDIwOTIxNDAzNlowYjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkFwcGxlIEluYy4xJjAkBgNVBAsTHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1BcHBsZSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JGpCR+R2x5HUOsF7V55hC3rNqJXTFXsixmJ3vlLbPUHqyIwAugYPvhQCdN/QaiY+dHKZpwkaxHQo7vkGyrDH5WeegykR4tb1BY3M8vED03OFGnRyRly9V0O1X9fm/IlA7pVj01
dDfFkNSMVSxVZHbOU9/acns9QusFYUGePCLQg98usLCBvcLY/ATCMt0PPD5098ytJKBrI/s61uQ7ZXhzWyz21Oq30Dw4AkguxIRYudNU8DdtiFqujcZJHU1XBry9Bs/j743DN5qNMRX4fTGtQlkGJxHRiCxCDQYczioGxMFjsWgQyjGizjx3eZXP/Z15lvEnYdp8zFGWhd5TJLQIDAQABo4IBejCCAXYwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCvQaUeUdgn+9GuNLkCm90dNfwheMB8GA1UdIwQYMBaAFCvQaUeUdgn+9GuNLkCm90dNfwheMIIBEQYDVR0gBIIBCDCCAQQwggEABgkqhkiG92NkBQEwgfIwKgYIKwYBBQUHAgEWHmh0dHBzOi8vd3d3LmFwcGxlLmNvbS9hcHBsZWNhLzCBwwYIKwYBBQUHAgIwgbYagbNSZWxpYW5jZSBvbiB0aGlzIGNlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRlIHBvbGljeSBhbmQgY2VydGlmaWNhdGlvbiBwcmFjdGljZSBzdGF0ZW1lbnRzLjANBgkqhkiG9w0BAQUFAAOCAQEAXDaZTC14t+2Mm9zzd5vydtJ3ME/BH4WDhRuZPUc38qmbQI4s1LGQEti+9HOb7tJkD8t5TzTYoj75eP9ryAfsfTmDi1Mg0zjEsb+aTwpr/yv8WacFCXwXQFYRHnTTt4sjO0ej1W8k4uvRt3DfD0XhJ8rxbXjt57UXF6jcfiI1yiXV2Q/Wa9SiJCMR96Gsj3OBYMYbWwkvkrL4REjwYDieFfU9JmcgijNq9w2Cz97roy/5U2pbZMBjM3f3OgcsVuvaDyEO2rpzGU+12TZ/wYdV2aeZuTJC+9jVcZ5+oVK3G72TQiQSKscPHbZNnF5jyEuAF1CqitXa5PzQCQc3sHV1ITGCElMwghJPAgEDoBYEFLA+ykKw7wZJ2tmXC842or8AipEIMAsGCWCGSAFlAwQCAaBLMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwLwYJKoZIhvcNAQkEMSIEIGDKuwGbRA+1yJo0HIeG3vUvsdRIm3CLc478FTC4liUeMA0GCSqGSIb3DQEBCwUABIIBALU5icTMnRQUxN4ESxDKb8MEtA2BbEM2TgiSZBxKSP6Qk0OdgnTxV3aJzPEHchiMj2KkVpRCjJrO7I5pV/oX952fEopJgL3clhADHpQ/UbxaPFqiDpjrptpnLFHbC70k+O6vyHBrAcjk2dx2kjnNXI9KbHmXVP92a4FYJ7LjtfznPjR8CdxanxTNey1jS1K2YzpTASOI8Okw3ysfUj6AF5qveWJhV5uvywQg+i3BhWRlOw9J0VygNEdbzCU1BVJIUH9nPGLFr52Q9BsJ6Ix4WyYDMxzxahc8BNM5ayEPd4his8QqdQsZ5WAuitS+IExF4q1fzEvkXptGj1iowIF9G7qhghDDMIIQvwYLKoZIhvcNAQkQAg4xghCuMIIQqgYJKoZIhvcNAQcCoIIQmzCCEJcCAQMxCzAJBgUrDgMCGgUAMG0GCyqGSIb3DQEJEAEEoF4EXDBaAgEBBgIqAzAxMA0GCWCGSAFlAwQCAQUABCAzr0STO7Xs9qmlDuzp06XyyFSJjg6GGb0ErsCWfs6ezgIIUxYL4QJBu4EYDzIwMTkxMDA1MDEwMzI2WjADAgEBoIIN0TCCBQMwggProAMCAQICCFkObHaIudsWMA0GCSqGSIb3DQEBCwUAMHwxMDAuBgNVBAMMJ0FwcGxlIFRpbWVzdGFtcCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEmMCQGA1UECwwdQXB
wbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMB4XDTE5MDkxNjIzNTAwMVoXDTE5MTAyODIzNTAwMVowQjEeMBwGA1UEAwwVVGltZXN0YW1wIFNpZ25lciBOV0syMRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKsey25AfKu/YzXCV1ViN7leIx3FHMqk6apzCPtA1IZ+oEAy9ea9wgOg02f2Kmu3owS4bSfGB7Gu2Synpx2V8l4y0qYyvNhaUpx82ZWwYvwfcR4CBMOFT+a9gDOkhZogV+dENo0kKJ7Jd1c1ppIgB/LAbevW0/WhItfsBN2EdcqSE5bIRcA3h2u4ZgPktQCKYF7/KnU2rPYw2k7yIoBRQKYx5fSTPMO4lSn6ulLPoL1zoAWrhEiRnmuoWns1+L8788Nlw/Gn3Br76FAnCUuPyvPQ3Dazl82dYFbubUSx7s/DrWaTZbwZcmVeXQlt0TcNEGQEqMc0kSOSYo3bZSJbP8cCAwEAAaOCAcEwggG9MAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUNM0lTs3eN4U4oVgm+PniKd7yHJMwggEOBgNVHSAEggEFMIIBATCB/gYJKoZIhvdjZAUBMIHwMCgGCCsGAQUFBwIBFhxodHRwOi8vd3d3LmFwcGxlLmNvbS9hcHBsZWNhMIHDBggrBgEFBQcCAjCBtgyBs1JlbGlhbmNlIG9uIHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5jZSBvZiB0aGUgdGhlbiBhcHBsaWNhYmxlIHN0YW5kYXJkIHRlcm1zIGFuZCBjb25kaXRpb25zIG9mIHVzZSwgY2VydGlmaWNhdGUgcG9saWN5IGFuZCBjZXJ0aWZpY2F0aW9uIHByYWN0aWNlIHN0YXRlbWVudHMuMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuYXBwbGUuY29tL3RpbWVzdGFtcC5jcmwwHQYDVR0OBBYEFBF2f+f/q3BTccf9zHONfFYAs6nHMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEARfZVItOtktNegnwDfMqlGPWOKt1mZL6+Xs2GEVDID66XDjpl6X5bcsS5oFqxlE7H9X7gi1qnxtg0n3ZvlDcIv8VWiyP6FED+Jf5TIjvQ6tCWErWx1xSLPUktST/zI6SejwOW/9kIGgL87+XuR2RyRRA5p+vkS0u3/xpsU1WjRGlluItpNdN/ITbO1jCjU9VcV+qjR+Pb6cnk1SXeGyeDcBb5DcHJ6PWYc0rCuKhz2XBoJYoQXBRblNP9JXM8W0fs7YYnRjr+IR7uOhidFBf+cQuFSRfIQc/OrC2nCPu0dJbX/9p31HPFdO2SsOF3Iz6DCsvI/RNLvSg8A8Ru4/zu7jCCBAcwggLvoAMCAQICCH1MV2Of8/C3MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpBcHBsZSBJbmMuMSYwJAYDVQQLEx1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEWMBQGA1UEAxMNQXBwbGUgUm9vdCBDQTAeFw0xMjA0MDUxMjAyNDRaFw0yNzA0MDUxMjAyNDRaMHwxMDAuBgNVBAMMJ0FwcGxlIFRpbWVzdGFtcCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEmMCQGA1UECwwdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAO
CAQ8AMIIBCgKCAQEA03cYofeZEGdc0i6euI8jZz78QuIJfQqKuBj8c0AvvcTYUMUnyP64NHCgDRM8vQhOmpNvOTfanmX1tGP0kMhJbV0g0zn9Cbr0OvPOSmlkBZlG4No1xGUYHsYWoxJhtC718IkNjNw99gbPb4YlTAnCG8gOeIiNwSK4uiETm8ruip7de1v/o+nRo4F+/v/mjEnkOwr5EKZyM7ssxEpacgo5UHTdKG55X36nqBTPVrNWbKXp8MSu+eogjhjHKHTiCE2JJkJ5XvZg40VYoftRSV6SSk2579RztdoEe+NSn8ujGV2sa5hsnuLsdC1EPuBhPgdFfjR1JphAm3WeyDDtS793jwIDAQABo4GmMIGjMB0GA1UdDgQWBBQ0zSVOzd43hTihWCb4+eIp3vIckzAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFCvQaUeUdgn+9GuNLkCm90dNfwheMC4GA1UdHwQnMCUwI6AhoB+GHWh0dHA6Ly9jcmwuYXBwbGUuY29tL3Jvb3QuY3JsMA4GA1UdDwEB/wQEAwIBhjAQBgoqhkiG92NkBgIJBAIFADANBgkqhkiG9w0BAQsFAAOCAQEANtL13nFTB8kj2HibZbzz1VvpuH8bI8eiz7SpKOn43XCIITnz2zOcw3JD1j1CUZe6rR2OktJ1i8NdnPXLjNxqajrd61R97RRr89Y+k8htelRf8kOOENB2XJsADB1OyjzN+ub3wj5yt7je6DSqFaCuXGeoDKybHmWz4w8wQjTprtMB06fdQnN1fFFDhZpgENyuJ9JrZ8kzRW/JmB6gmn9NEZPhaf/sS0XzTsoiDlfXIgflIrSH6ZzTRctuP+WOuPxG1VzJsKsFOm03KKOoRmVvVaFoiOpSPsn01Ob6P6TkJoC1OmvWw+X5MoHIMqJI4Y4Goxnks8s7S9/gzA6yr5jRgzCCBLswggOjoAMCAQICAQIwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkFwcGxlIEluYy4xJjAkBgNVBAsTHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1BcHBsZSBSb290IENBMB4XDTA2MDQyNTIxNDAzNloXDTM1MDIwOTIxNDAzNlowYjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkFwcGxlIEluYy4xJjAkBgNVBAsTHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1BcHBsZSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JGpCR+R2x5HUOsF7V55hC3rNqJXTFXsixmJ3vlLbPUHqyIwAugYPvhQCdN/QaiY+dHKZpwkaxHQo7vkGyrDH5WeegykR4tb1BY3M8vED03OFGnRyRly9V0O1X9fm/IlA7pVj01dDfFkNSMVSxVZHbOU9/acns9QusFYUGePCLQg98usLCBvcLY/ATCMt0PPD5098ytJKBrI/s61uQ7ZXhzWyz21Oq30Dw4AkguxIRYudNU8DdtiFqujcZJHU1XBry9Bs/j743DN5qNMRX4fTGtQlkGJxHRiCxCDQYczioGxMFjsWgQyjGizjx3eZXP/Z15lvEnYdp8zFGWhd5TJLQIDAQABo4IBejCCAXYwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCvQaUeUdgn+9GuNLkCm90dNfwheMB8GA1UdIwQYMBaAFCvQaUeUdgn+9GuNLkCm90dNfwheMIIBEQYDVR0gBIIBCDCCAQQwggEABgkqhkiG92NkBQEwgfIwKgYIKwYBBQUHAgEWHmh0dHBzOi8vd3d3LmFwcGxlLmNvbS9hcHBsZWNhLzCBwwYIKwYBBQUHAgIwgbYagbNSZWxpYW5jZSBvbiB0aGlzIGNlcnR
pZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRlIHBvbGljeSBhbmQgY2VydGlmaWNhdGlvbiBwcmFjdGljZSBzdGF0ZW1lbnRzLjANBgkqhkiG9w0BAQUFAAOCAQEAXDaZTC14t+2Mm9zzd5vydtJ3ME/BH4WDhRuZPUc38qmbQI4s1LGQEti+9HOb7tJkD8t5TzTYoj75eP9ryAfsfTmDi1Mg0zjEsb+aTwpr/yv8WacFCXwXQFYRHnTTt4sjO0ej1W8k4uvRt3DfD0XhJ8rxbXjt57UXF6jcfiI1yiXV2Q/Wa9SiJCMR96Gsj3OBYMYbWwkvkrL4REjwYDieFfU9JmcgijNq9w2Cz97roy/5U2pbZMBjM3f3OgcsVuvaDyEO2rpzGU+12TZ/wYdV2aeZuTJC+9jVcZ5+oVK3G72TQiQSKscPHbZNnF5jyEuAF1CqitXa5PzQCQc3sHV1ITGCAj8wggI7AgEBMIGIMHwxMDAuBgNVBAMMJ0FwcGxlIFRpbWVzdGFtcCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEmMCQGA1UECwwdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTAghZDmx2iLnbFjAJBgUrDgMCGgUAoIGMMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAcBgkqhkiG9w0BCQUxDxcNMTkxMDA1MDEwMzI2WjAjBgkqhkiG9w0BCQQxFgQUGaDqbrE0SezirYquz38CFBcvL7IwKwYLKoZIhvcNAQkQAgwxHDAaMBgwFgQU9gUjR8isi4YGoAlFiZDQ86fw2VkwDQYJKoZIhvcNAQEBBQAEggEAjcmaH4IV0MdX085dO+mCi+M/8Cr5d5LHa3ZsJZxHdcFjmI2W1aOJTVb4jF3Xe49tysMMdL/cNI/rxVfM9gJ1B8QDtzMTYJmlD3gk9qTackvYcYwLuTG7A38DTHYqKrr9IiO04w6tB3/6yVjw8mhbpXTiWjs7NrMobzC+BZVYUx4r1EmqHzi2EU0CLVwv6XvD/IVPK2g6JjdWkN25PC391C2oHX4I357ldLrhLV8/cLAN+2cgjjxNoaPUNxJi9fyvQV12AItq3Y0xx1NCgqAy6b3Nwm0jKnOkqCFlIE+pd/BnPDTPqBNuw7BeL15s8ye/wUvgNofAwd6Pqkg0MvJNRgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
)

func main() {
	// Decode the detached content and the DER-encoded CMS signature.
	dat, err := base64.StdEncoding.DecodeString(dat64)
	if err != nil {
		log.Panic(err)
	}
	sig, err := base64.StdEncoding.DecodeString(sig64)
	if err != nil {
		log.Panic(err)
	}

	sd, err := cms.ParseSignedData(sig)
	if err != nil {
		log.Panic(err)
	}

	// The zero VerifyOptions uses the system roots and the current time.
	certs, err := sd.VerifyDetached(dat, x509.VerifyOptions{})
	if err != nil {
		log.Panic(err)
	}
	log.Print(certs)
}
IETF-CMS Output
2022/03/22 01:20:13 x509: certificate has expired or is not yet valid: current time 2022-03-22T01:20:13Z is after 2019-10-28T23:50:01Z
panic: x509: certificate has expired or is not yet valid: current time 2022-03-22T01:20:13Z is after 2019-10-28T23:50:01Z
goroutine 1 [running]:
log.Panic({0xc000199f60, 0x0, 0x0})
/nix/store/d9rw46ym59cszc79n4vs60yqfz5rkps9-go-1.17.3/share/go/src/log/log.go:354 +0x65
main.main()
/home/runner/IllustriousHandsomeComputeranimation/main.go:34 +0x1eb
The same error occurs when validating the files with smimesign directly:
smimesign --verify ./sig ./dat
failed to verify signature: x509: certificate has expired or is not yet valid: current time 2022-03-21T22:36:12-03:00 is after 2019-10-28T23:50:01Z
After some research, I found that the problem is that the final certificate that was used to sign the timestamp expired, as hinted here: https://weisser-zwerg.dev/posts/trusted_timestamping/#verify-the-timestamp-response-together-with-the-referenced-piece-of-data.
Apple uses short-lived certificates on their timestamping servers, valid only for 42 days. But their intermediate and root certificates are valid for 15 and 30 years respectively. So there should be some mechanism to ignore the expiration date of the last certificate of the chain, just like OpenSSL has, so that signatures can be validated properly.
I just implemented a quick and simple workaround here inloco@64a83fe, but there's probably a better way of doing that upstream.
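
The expiry failure reported above can be reproduced with Go's crypto/x509 alone. This is an added example, not code from the issue, from smimesign or from the linked workaround: a short-lived signer certificate is rejected when checked against the current time and accepted when `VerifyOptions.CurrentTime` is set to the time the timestamp was generated. The CA, the signer certificate, their names and the dates are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed dates modelled on the issue: a 42-day signer certificate and a timestamp inside it.
var notBefore = time.Date(2019, 9, 16, 23, 50, 1, 0, time.UTC)
var notAfter = time.Date(2019, 10, 28, 23, 50, 1, 0, time.UTC)
var stampTime = time.Date(2019, 10, 5, 1, 3, 26, 0, time.UTC)

// mint signs tmpl with the signer key and returns the parsed certificate.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER was produced just above
	return cert
}

// verifyAt validates a throwaway signer chain as of `at`; the zero time means "now".
func verifyAt(at time.Time) error {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tsaKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	eku := []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Timestamp CA"},
		NotBefore: notBefore.AddDate(-5, 0, 0), NotAfter: notBefore.AddDate(25, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := mint(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	tsa := mint(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Timestamp Signer"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: eku}, ca, &tsaKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// KeyUsages must be set explicitly: when empty, Verify requires serverAuth.
	_, err := tsa.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: eku})
	return err
}

func main() {
	fmt.Printf("at now: %v\nat timestamp time: %v\n", verifyAt(time.Time{}), verifyAt(stampTime))
}
```

Validating at the timestamp's time is only meaningful once the timestamp token's own signature has been checked, and it does not replace revocation checking of the signer certificate.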