Unexpected "certificate has expired or is not yet valid"

Question

Unexpected "certificate has expired or is not yet valid"

t0rr3sp3dr0 opened this issue 2 years ago · comments

I have a file and a CMS signature for it and I'm trying to verify them using ietf-cms, but it returns an error saying the certificate is expired. When performing the same check using openssl, it succeeds.

I'm not very familiar with CMS, so the only information I'm able to give you are both files, the code I wrote to check them using ietf-cms, and the command I used to validate them using openssl.

Files

Archive.zip

OpenSSL Command

openssl cms -verify -inform DER -in ./sig -content ./dat -purpose any

OpenSSL Output

CMS Verification successful

IETF-CMS Code

package main

import (
	"crypto/x509"
	"encoding/base64"
	"log"

	"github.com/github/smimesign/ietf-cms"
)

const (
	dat64 = "2TGNnpt9PwNF0Xxb4tQaU4gIW8U="
	sig64 = "MIIhNgYJKoZIhvcNAQcCoIIhJzCCISMCAQMxDTALBglghkgBZQMEAgEwCwYJKoZIhvcNAQcBoIIOqTCCBXYwggReoAMCAQICEDCb8dtVBjI6eFNjL1VrX3owDQYJKoZIhvcNAQELBQAwfDE2MDQGA1UEAwwtQXBwbGUgU29mdHdhcmUgVXBkYXRlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMTkwNDE3MjEyODIzWhcNMjkwNDE0MjEyODIzWjA8MRgwFgYDVQQDDA9Tb2Z0d2FyZSBVcGRhdGUxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxAiVROrg2z3HK6X3k9T9ETNW4hpXOte6OJsAW6oTm17pR1KSJRjx+j5pDylbmUfYudJnTe9n9epSgvUgLXUhFUBfWwGhvLUVla5uXc8DWAl108f07lI0r2X8umoldxs05GWTpVxOfVunCtzTY5FFRAehOQQOO+GhgrNhdKENFC9jUk2lXymPuey7fDpao5C7QsXa5gxTpQNK0ctjWBHKXleMMMuCxWtnxyGtLtJTX+aiFslVdbxIG2ofQ+0Wn9CT9XUo2f8C3iSrqUWUNEb62EGnbi4pnQchbnBbPlTDC6esx9gdTHAo0RFF51Uf7+kLDzfO1kFCmZiA4ro7Sc8rsQIDAQABo4ICMjCCAi4wDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBRZV/y6Oc/TWHZDE7PIxAatCFMrRDBFBggrBgEFBQcBAQQ5MDcwNQYIKwYBBQUHMAGGKWh0dHA6Ly9vY3NwLmFwcGxlLmNvbS9vY3NwMDMtc3d1cGRhdGVjYTAxMIIBHQYDVR0gBIIBFDCCARAwggEMBgkqhkiG92NkBQEwgf4wgcMGCCsGAQUFBwICMIG2DIGzUmVsaWFuY2Ugb24gdGhpcyBjZXJ0aWZpY2F0ZSBieSBhbnkgcGFydHkgYXNzdW1lcyBhY2NlcHRhbmNlIG9mIHRoZSB0aGVuIGFwcGxpY2FibGUgc3RhbmRhcmQgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YgdXNlLCBjZXJ0aWZpY2F0ZSBwb2xpY3kgYW5kIGNlcnRpZmljYXRpb24gcHJhY3RpY2Ugc3RhdGVtZW50cy4wNgYIKwYBBQUHAgEWKmh0dHBzOi8vd3d3LmFwcGxlLmNvbS9jZXJ0aWZpY2F0ZWF1dGhvcml0eTAXBgNVHSUBAf8EDTALBgkqhkiG92NkBAEwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5hcHBsZS5jb20vc29mdHdhcmV1cGRhdGVjYS5jcmwwHQYDVR0OBBYEFLA+ykKw7wZJ2tmXC842or8AipEIMA4GA1UdDwEB/wQEAwIHgDARBgsqhkiG92NkBgEdAgQCBQAwDQYJKoZIhvcNAQELBQADggEBABaM5sYiTZCkPE134dpcfAyYYBrH1IlaiQiaTdQArrMcoqlbkxzxmtj9XoBI7t0csDbzJgDeXRXIRYpxISjDm+Gf6kYYsR+GjlhwI2ODvVeRcU+rXBzkYdk6+SC+UQd9Tc+mc/3YqOhWzA5dHOfXrAWydU+k2KaeJ4o/PdhHuk2FvZf4X1nGIgJAY0Fl2F8Knht9RdO+bLWVg8KcSMJuExIWjZu5ar+3ky8C4U+jmyt0WW35f0hEQEJQJdHpzn9NEDyBt+6aI+6f4JNiCMyi00llkU+3KmAsnqoHl867eCRCsFj8WcXxwnILMrklcx0rtTx9YCkdBl8T790x63WKnZcwggRsMIIDVKADAgECAhBaokehFpDcKC789yxfQn3CMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpBcHBsZSBJbmMuMSYwJAYDVQQLEx1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEWMBQGA1UEAxMNQXBwbGUgUm9vdCBDQTAeFw0xOTAzMjIxNzUzMTJaFw0zMTEwMTUwMDAwMDBaMHwxNjA0BgNVBAMMLUFwcGxlIFNvZnR3YXJlIFVwZGF0ZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEgMB4GA1UECwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtPAgGrQTrFa/Il8ZCoRewcUcBJ4FZ1tun5tdp7PjLPv/kHpMNhOoE3WWHnnN0wGdV0/DWAQB7Wtuuq/k58+lJ3KUt3RMTbY4QsGLSLsUedjCWv2OzfBQHDl24pUTUEf85iqoi83Qmlg/XN6TkWVI8fv1VUXpuCDVVzuTtDARpXFsCFSx2HmpHCPe7/XWZc7pr3OtsSxDTC0L4c7PFt23LuxRCDgovkXZXkzZsip83bIY0+LOukLt4XRSjEFCBe/sv27js5nlXiFGVLT8cplNZZ/6B9pbjOfMbOF7VeCmV7xC95u/BoDoDHJuErGGSxZ7e3iVM6K5oL51ol5EDBr6nQIDAQABo4IBAjCB/zAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFCvQaUeUdgn+9GuNLkCm90dNfwheMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcwAYYoaHR0cDovL29jc3AuYXBwbGUuY29tL29jc3AwMy1hcHBsZXJvb3RjYTAUBgNVHSUEDTALBgkqhkiG92NkBAEwLgYDVR0fBCcwJTAjoCGgH4YdaHR0cDovL2NybC5hcHBsZS5jb20vcm9vdC5jcmwwHQYDVR0OBBYEFFlX/Lo5z9NYdkMTs8jEBq0IUytEMA4GA1UdDwEB/wQEAwIBBjAQBgoqhkiG92NkBgITBAIFADANBgkqhkiG9w0BAQsFAAOCAQEAkml4BIOxRIII27H7DNph4j8bbveEmL/8yFmPOu2YVP8XQKbI3MnWqe8kPatBHqS5SNJVLZqWDpTMBESQlx/1as6Ugv4N4uHt+bNt51WgUsN5/RdtY5aZwSLKvCSCOkKXolBlmDUGb+xygaf//M2UFBP99WtI2GTYjyy7Wwhs6CLKr+HknRecacw8VSyTvIeDaVP7oe90zmEC1TQnBqrJC8bT9BRieE4e1/ZKou1SOurW8FqupcEEAvTFMBBQafJlT4UkMYMMzRH5jn41etzXIs94/RI+tHhGBnFQboOUXAL3RR6g4JINWEFugKEsVfMi6SunYdzGrlpsTY/x7DyleTCCBLswggOjoAMCAQICAQIwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkFwcGxlIEluYy4xJjAkBgNVBAsTHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1BcHBsZSBSb290IENBMB4XDTA2MDQyNTIxNDAzNloXDTM1MDIwOTIxNDAzNlowYjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkFwcGxlIEluYy4xJjAkBgNVBAsTHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1BcHBsZSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JGpCR+R2x5HUOsF7V55hC3rNqJXTFXsixmJ3vlLbPUHqyIwAugYPvhQCdN/QaiY+dHKZpwkaxHQo7vkGyrDH5WeegykR4tb1BY3M8vED03OFGnRyRly9V0O1X9fm/IlA7pVj01dDfFkNSMVSxVZHbOU9/acns9QusFYUGePCLQg98usLCBvcLY/ATCMt0PPD5098ytJKBrI/s61uQ7ZXhzWyz21Oq30Dw4AkguxIRYudNU8DdtiFqujcZJHU1XBry9Bs/j743DN5qNMRX4fTGtQlkGJxHRiCxCDQYczioGxMFjsWgQyjGizjx3eZXP/Z15lvEnYdp8zFGWhd5TJLQIDAQABo4IBejCCAXYwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCvQaUeUdgn+9GuNLkCm90dNfwheMB8GA1UdIwQYMBaAFCvQaUeUdgn+9GuNLkCm90dNfwheMIIBEQYDVR0gBIIBCDCCAQQwggEABgkqhkiG92NkBQEwgfIwKgYIKwYBBQUHAgEWHmh0dHBzOi8vd3d3LmFwcGxlLmNvbS9hcHBsZWNhLzCBwwYIKwYBBQUHAgIwgbYagbNSZWxpYW5jZSBvbiB0aGlzIGNlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRlIHBvbGljeSBhbmQgY2VydGlmaWNhdGlvbiBwcmFjdGljZSBzdGF0ZW1lbnRzLjANBgkqhkiG9w0BAQUFAAOCAQEAXDaZTC14t+2Mm9zzd5vydtJ3ME/BH4WDhRuZPUc38qmbQI4s1LGQEti+9HOb7tJkD8t5TzTYoj75eP9ryAfsfTmDi1Mg0zjEsb+aTwpr/yv8WacFCXwXQFYRHnTTt4sjO0ej1W8k4uvRt3DfD0XhJ8rxbXjt57UXF6jcfiI1yiXV2Q/Wa9SiJCMR96Gsj3OBYMYbWwkvkrL4REjwYDieFfU9JmcgijNq9w2Cz97roy/5U2pbZMBjM3f3OgcsVuvaDyEO2rpzGU+12TZ/wYdV2aeZuTJC+9jVcZ5+oVK3G72TQiQSKscPHbZNnF5jyEuAF1CqitXa5PzQCQc3sHV1ITGCElMwghJPAgEDoBYEFLA+ykKw7wZJ2tmXC842or8AipEIMAsGCWCGSAFlAwQCAaBLMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwLwYJKoZIhvcNAQkEMSIEIGDKuwGbRA+1yJo0HIeG3vUvsdRIm3CLc478FTC4liUeMA0GCSqGSIb3DQEBCwUABIIBALU5icTMnRQUxN4ESxDKb8MEtA2BbEM2TgiSZBxKSP6Qk0OdgnTxV3aJzPEHchiMj2KkVpRCjJrO7I5pV/oX952fEopJgL3clhADHpQ/UbxaPFqiDpjrptpnLFHbC70k+O6vyHBrAcjk2dx2kjnNXI9KbHmXVP92a4FYJ7LjtfznPjR8CdxanxTNey1jS1K2YzpTASOI8Okw3ysfUj6AF5qveWJhV5uvywQg+i3BhWRlOw9J0VygNEdbzCU1BVJIUH9nPGLFr52Q9BsJ6Ix4WyYDMxzxahc8BNM5ayEPd4his8QqdQsZ5WAuitS+IExF4q1fzEvkXptGj1iowIF9G7qhghDDMIIQvwYLKoZIhvcNAQkQAg4xghCuMIIQqgYJKoZIhvcNAQcCoIIQmzCCEJcCAQMxCzAJBgUrDgMCGgUAMG0GCyqGSIb3DQEJEAEEoF4EXDBaAgEBBgIqAzAxMA0GCWCGSAFlAwQCAQUABCAzr0STO7Xs9qmlDuzp06XyyFSJjg6GGb0ErsCWfs6ezgIIUxYL4QJBu4EYDzIwMTkxMDA1MDEwMzI2WjADAgEBoIIN0TCCBQMwggProAMCAQICCFkObHaIudsWMA0GCSqGSIb3DQEBCwUAMHwxMDAuBgNVBAMMJ0FwcGxlIFRpbWVzdGFtcCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEmMCQGA1UECwwdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMB4XDTE5MDkxNjIzNTAwMVoXDTE5MTAyODIzNTAwMVowQjEeMBwGA1UEAwwVVGltZXN0YW1wIFNpZ25lciBOV0syMRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKsey25AfKu/YzXCV1ViN7leIx3FHMqk6apzCPtA1IZ+oEAy9ea9wgOg02f2Kmu3owS4bSfGB7Gu2Synpx2V8l4y0qYyvNhaUpx82ZWwYvwfcR4CBMOFT+a9gDOkhZogV+dENo0kKJ7Jd1c1ppIgB/LAbevW0/WhItfsBN2EdcqSE5bIRcA3h2u4ZgPktQCKYF7/KnU2rPYw2k7yIoBRQKYx5fSTPMO4lSn6ulLPoL1zoAWrhEiRnmuoWns1+L8788Nlw/Gn3Br76FAnCUuPyvPQ3Dazl82dYFbubUSx7s/DrWaTZbwZcmVeXQlt0TcNEGQEqMc0kSOSYo3bZSJbP8cCAwEAAaOCAcEwggG9MAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUNM0lTs3eN4U4oVgm+PniKd7yHJMwggEOBgNVHSAEggEFMIIBATCB/gYJKoZIhvdjZAUBMIHwMCgGCCsGAQUFBwIBFhxodHRwOi8vd3d3LmFwcGxlLmNvbS9hcHBsZWNhMIHDBggrBgEFBQcCAjCBtgyBs1JlbGlhbmNlIG9uIHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5jZSBvZiB0aGUgdGhlbiBhcHBsaWNhYmxlIHN0YW5kYXJkIHRlcm1zIGFuZCBjb25kaXRpb25zIG9mIHVzZSwgY2VydGlmaWNhdGUgcG9saWN5IGFuZCBjZXJ0aWZpY2F0aW9uIHByYWN0aWNlIHN0YXRlbWVudHMuMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuYXBwbGUuY29tL3RpbWVzdGFtcC5jcmwwHQYDVR0OBBYEFBF2f+f/q3BTccf9zHONfFYAs6nHMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEARfZVItOtktNegnwDfMqlGPWOKt1mZL6+Xs2GEVDID66XDjpl6X5bcsS5oFqxlE7H9X7gi1qnxtg0n3ZvlDcIv8VWiyP6FED+Jf5TIjvQ6tCWErWx1xSLPUktST/zI6SejwOW/9kIGgL87+XuR2RyRRA5p+vkS0u3/xpsU1WjRGlluItpNdN/ITbO1jCjU9VcV+qjR+Pb6cnk1SXeGyeDcBb5DcHJ6PWYc0rCuKhz2XBoJYoQXBRblNP9JXM8W0fs7YYnRjr+IR7uOhidFBf+cQuFSRfIQc/OrC2nCPu0dJbX/9p31HPFdO2SsOF3Iz6DCsvI/RNLvSg8A8Ru4/zu7jCCBAcwggLvoAMCAQICCH1MV2Of8/C3MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpBcHBsZSBJbmMuMSYwJAYDVQQLEx1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEWMBQGA1UEAxMNQXBwbGUgUm9vdCBDQTAeFw0xMjA0MDUxMjAyNDRaFw0yNzA0MDUxMjAyNDRaMHwxMDAuBgNVBAMMJ0FwcGxlIFRpbWVzdGFtcCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEmMCQGA1UECwwdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA03cYofeZEGdc0i6euI8jZz78QuIJfQqKuBj8c0AvvcTYUMUnyP64NHCgDRM8vQhOmpNvOTfanmX1tGP0kMhJbV0g0zn9Cbr0OvPOSmlkBZlG4No1xGUYHsYWoxJhtC718IkNjNw99gbPb4YlTAnCG8gOeIiNwSK4uiETm8ruip7de1v/o+nRo4F+/v/mjEnkOwr5EKZyM7ssxEpacgo5UHTdKG55X36nqBTPVrNWbKXp8MSu+eogjhjHKHTiCE2JJkJ5XvZg40VYoftRSV6SSk2579RztdoEe+NSn8ujGV2sa5hsnuLsdC1EPuBhPgdFfjR1JphAm3WeyDDtS793jwIDAQABo4GmMIGjMB0GA1UdDgQWBBQ0zSVOzd43hTihWCb4+eIp3vIckzAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFCvQaUeUdgn+9GuNLkCm90dNfwheMC4GA1UdHwQnMCUwI6AhoB+GHWh0dHA6Ly9jcmwuYXBwbGUuY29tL3Jvb3QuY3JsMA4GA1UdDwEB/wQEAwIBhjAQBgoqhkiG92NkBgIJBAIFADANBgkqhkiG9w0BAQsFAAOCAQEANtL13nFTB8kj2HibZbzz1VvpuH8bI8eiz7SpKOn43XCIITnz2zOcw3JD1j1CUZe6rR2OktJ1i8NdnPXLjNxqajrd61R97RRr89Y+k8htelRf8kOOENB2XJsADB1OyjzN+ub3wj5yt7je6DSqFaCuXGeoDKybHmWz4w8wQjTprtMB06fdQnN1fFFDhZpgENyuJ9JrZ8kzRW/JmB6gmn9NEZPhaf/sS0XzTsoiDlfXIgflIrSH6ZzTRctuP+WOuPxG1VzJsKsFOm03KKOoRmVvVaFoiOpSPsn01Ob6P6TkJoC1OmvWw+X5MoHIMqJI4Y4Goxnks8s7S9/gzA6yr5jRgzCCBLswggOjoAMCAQICAQIwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkFwcGxlIEluYy4xJjAkBgNVBAsTHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1BcHBsZSBSb290IENBMB4XDTA2MDQyNTIxNDAzNloXDTM1MDIwOTIxNDAzNlowYjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkFwcGxlIEluYy4xJjAkBgNVBAsTHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1BcHBsZSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JGpCR+R2x5HUOsF7V55hC3rNqJXTFXsixmJ3vlLbPUHqyIwAugYPvhQCdN/QaiY+dHKZpwkaxHQo7vkGyrDH5WeegykR4tb1BY3M8vED03OFGnRyRly9V0O1X9fm/IlA7pVj01dDfFkNSMVSxVZHbOU9/acns9QusFYUGePCLQg98usLCBvcLY/ATCMt0PPD5098ytJKBrI/s61uQ7ZXhzWyz21Oq30Dw4AkguxIRYudNU8DdtiFqujcZJHU1XBry9Bs/j743DN5qNMRX4fTGtQlkGJxHRiCxCDQYczioGxMFjsWgQyjGizjx3eZXP/Z15lvEnYdp8zFGWhd5TJLQIDAQABo4IBejCCAXYwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCvQaUeUdgn+9GuNLkCm90dNfwheMB8GA1UdIwQYMBaAFCvQaUeUdgn+9GuNLkCm90dNfwheMIIBEQYDVR0gBIIBCDCCAQQwggEABgkqhkiG92NkBQEwgfIwKgYIKwYBBQUHAgEWHmh0dHBzOi8vd3d3LmFwcGxlLmNvbS9hcHBsZWNhLzCBwwYIKwYBBQUHAgIwgbYagbNSZWxpYW5jZSBvbiB0aGlzIGNlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRlIHBvbGljeSBhbmQgY2VydGlmaWNhdGlvbiBwcmFjdGljZSBzdGF0ZW1lbnRzLjANBgkqhkiG9w0BAQUFAAOCAQEAXDaZTC14t+2Mm9zzd5vydtJ3ME/BH4WDhRuZPUc38qmbQI4s1LGQEti+9HOb7tJkD8t5TzTYoj75eP9ryAfsfTmDi1Mg0zjEsb+aTwpr/yv8WacFCXwXQFYRHnTTt4sjO0ej1W8k4uvRt3DfD0XhJ8rxbXjt57UXF6jcfiI1yiXV2Q/Wa9SiJCMR96Gsj3OBYMYbWwkvkrL4REjwYDieFfU9JmcgijNq9w2Cz97roy/5U2pbZMBjM3f3OgcsVuvaDyEO2rpzGU+12TZ/wYdV2aeZuTJC+9jVcZ5+oVK3G72TQiQSKscPHbZNnF5jyEuAF1CqitXa5PzQCQc3sHV1ITGCAj8wggI7AgEBMIGIMHwxMDAuBgNVBAMMJ0FwcGxlIFRpbWVzdGFtcCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEmMCQGA1UECwwdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTAghZDmx2iLnbFjAJBgUrDgMCGgUAoIGMMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAcBgkqhkiG9w0BCQUxDxcNMTkxMDA1MDEwMzI2WjAjBgkqhkiG9w0BCQQxFgQUGaDqbrE0SezirYquz38CFBcvL7IwKwYLKoZIhvcNAQkQAgwxHDAaMBgwFgQU9gUjR8isi4YGoAlFiZDQ86fw2VkwDQYJKoZIhvcNAQEBBQAEggEAjcmaH4IV0MdX085dO+mCi+M/8Cr5d5LHa3ZsJZxHdcFjmI2W1aOJTVb4jF3Xe49tysMMdL/cNI/rxVfM9gJ1B8QDtzMTYJmlD3gk9qTackvYcYwLuTG7A38DTHYqKrr9IiO04w6tB3/6yVjw8mhbpXTiWjs7NrMobzC+BZVYUx4r1EmqHzi2EU0CLVwv6XvD/IVPK2g6JjdWkN25PC391C2oHX4I357ldLrhLV8/cLAN+2cgjjxNoaPUNxJi9fyvQV12AItq3Y0xx1NCgqAy6b3Nwm0jKnOkqCFlIE+pd/BnPDTPqBNuw7BeL15s8ye/wUvgNofAwd6Pqkg0MvJNRgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
)

func main() {
	dat, err := base64.StdEncoding.DecodeString(dat64)
	if err != nil {
		log.Panic(err)
	}

	sig, err := base64.StdEncoding.DecodeString(sig64)
	if err != nil {
		log.Panic(err)
	}

	sd, err := cms.ParseSignedData(sig)
	if err != nil {
		log.Panic(err)
	}

	certs, err := sd.VerifyDetached(dat, x509.VerifyOptions{})
	if err != nil {
		log.Panic(err)
	}

	log.Print(certs)
}

IETF-CMS Output

2022/03/22 01:20:13 x509: certificate has expired or is not yet valid: current time 2022-03-22T01:20:13Z is after 2019-10-28T23:50:01Z
panic: x509: certificate has expired or is not yet valid: current time 2022-03-22T01:20:13Z is after 2019-10-28T23:50:01Z

goroutine 1 [running]:
log.Panic({0xc000199f60, 0x0, 0x0})
    /nix/store/d9rw46ym59cszc79n4vs60yqfz5rkps9-go-1.17.3/share/go/src/log/log.go:354 +0x65
main.main()
    /home/runner/IllustriousHandsomeComputeranimation/main.go:34 +0x1eb

Pedro Tôrres · Answer 1 · Tue Mar 22 2022 09:42:14 GMT+0800 (China Standard Time)

The same error occurs when validating the files with smimesign directly:

smimesign --verify ./sig ./dat

failed to verify signature: x509: certificate has expired or is not yet valid: current time 2022-03-21T22:36:12-03:00 is after 2019-10-28T23:50:01Z

Pedro Tôrres · Answer 2 · Tue Mar 22 2022 15:52:19 GMT+0800 (China Standard Time)

After some research, I found that the problem is that the final certificate that was used to sign the timestamp expired, as hinted here: https://weisser-zwerg.dev/posts/trusted_timestamping/#verify-the-timestamp-response-together-with-the-referenced-piece-of-data.

Apple uses short-lived certificates on their timestamping servers, valid only for 42 days. But their intermediate and root certificates are valid for 15 and 30 years respectively. So there should be some mechanisms to ignore the expiration date of the last certificate of the chain, just like OpenSSL has, so that signatures can be validate properly.

Pedro Tôrres · Answer 3 · Tue Mar 22 2022 16:16:37 GMT+0800 (China Standard Time)

I just implemented a quick and simple workaround here inloco@64a83fe, but there's probably a better way of doing that upstream.