nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-04 17:00:11 -05:00
Code Issues Projects Releases Wiki Activity

RFC3161 section-4.3 comment

Browse Source
This commit is contained in:
olszomal 2022-04-11 12:12:10 +02:00 committed by Michał Trojnara
parent 157bb78a6e
commit b96717506c
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
osslsigncode.c
View File

@ -2734,7 +2734,15 @@ static int verify_timestamp(SIGNATURE *signature, GLOBAL_OPTIONS *options)
if (!store) if (!store)
goto out; goto out;
if (load_file_lookup(store, options->tsa_cafile)) { if (load_file_lookup(store, options->tsa_cafile)) {
/* verify timestamp against the time of its creation */ /*
* The TSA signing key MUST be of a sufficient length to allow for a sufficiently
* long lifetime. Even if this is done, the key will have a finite lifetime.
* Thus, any token signed by the TSA SHOULD be time-stamped again or notarized
* at a later date to renew the trust that exists in the TSA's signature.
* https://datatracker.ietf.org/doc/html/rfc3161#section-4
* Signtool does not respect this RFC and neither we do.
* So verify timestamp against the time of its creation.
*/
if (!set_store_time(store, signature->time)) { if (!set_store_time(store, signature->time)) {
printf("Failed to set store time\n"); printf("Failed to set store time\n");
X509_STORE_free(store); X509_STORE_free(store);