How can I make openssl doesn't add a signed attribute "signingTime" when I sign a cms/cades singnature?

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

How can I make openssl doesn't add a signed attribute "signingTime" when I sign a cms/cades singnature?

shiyao_liu@foxitsoftware.cn
Hello everyone,

    I am working on a project about how to use openssl libs to implement a PAdES(whitch is based on CAdES) signature because I saw that the master branch of openssl has supported CAdES-BES signature. But now there is a problem I don't know how to solve it. So I am asking for some help.
    According to the PAdES reference, signing-time attribute in CMS signature shall not be present in a PAdES signature. In openssl libs, signing-time attribute is set in the function CMS_SignerInfo_sign. But I can't find a way to control it not to set  signing-time attribute. So I want to know if there is a way to not to set signing-time attribute or delete this attribute without changing the openssl source code.

Regards,
Shiyao Liu 


Reply | Threaded
Open this post in threaded view
|

Re: How can I make openssl doesn't add a signed attribute "signingTime" when I sign a cms/cades singnature?

Antonio Iacono
Hello Shiyao,

the signing time attribute has always been considered mandatory or in
any case useful and only with CAdES optional and even with PAdES not
allowed.
A request similar to yours has already been received (see
https://mta.openssl.org/pipermail/openssl-users/2017-February/005240.html)
I also believe that CMS API flag would be useful that allows
suppression of the signing-time attribute.

Antonio

On Wed, Mar 13, 2019 at 12:57 PM [hidden email]
<[hidden email]> wrote:

>
> Hello everyone,
>
>     I am working on a project about how to use openssl libs to implement a PAdES(whitch is based on CAdES) signature because I saw that the master branch of openssl has supported CAdES-BES signature. But now there is a problem I don't know how to solve it. So I am asking for some help.
>     According to the PAdES reference, signing-time attribute in CMS signature shall not be present in a PAdES signature. In openssl libs, signing-time attribute is set in the function CMS_SignerInfo_sign. But I can't find a way to control it not to set  signing-time attribute. So I want to know if there is a way to not to set signing-time attribute or delete this attribute without changing the openssl source code.
>
> Regards,
> Shiyao Liu
>
> ________________________________
> [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: How can I make openssl doesn't add a signed attribute "signingTime" when I sign a cms/cades singnature?

shiyao_liu@foxitsoftware.cn
Hello Antonio,

Thanks for your answer.So there is no way to not add the "signingTime" attribute? Is there a plan to make the attribute optional in the near future?

Regards.
Shiyao Liu
 
 
------------------ Original ------------------
Date:  Thu, Mar 14, 2019 04:41 PM
Cc:  "openssl-users"<[hidden email]>; "gaochao_liu"<[hidden email]>; "junyi_liang"<[hidden email]>; "xiaochuan_liu"<[hidden email]>;
Subject:  Re: How can I make openssl doesn't add a signed attribute "signingTime" when I sign a cms/cades singnature?
 
Hello Shiyao,

the signing time attribute has always been considered mandatory or in
any case useful and only with CAdES optional and even with PAdES not
allowed.
A request similar to yours has already been received (see
https://mta.openssl.org/pipermail/openssl-users/2017-February/005240.html)
I also believe that CMS API flag would be useful that allows
suppression of the signing-time attribute.

cc

On Wed, Mar 13, 2019 at 12:57 PM [hidden email]
<[hidden email]> wrote:

>
> Hello everyone,
>
>     I am working on a project about how to use openssl libs to implement a PAdES(whitch is based on CAdES) signature because I saw that the master branch of openssl has supported CAdES-BES signature. But now there is a problem I don't know how to solve it. So I am asking for some help.
>     According to the PAdES reference, signing-time attribute in CMS signature shall not be present in a PAdES signature. In openssl libs, signing-time attribute is set in the function CMS_SignerInfo_sign. But I can't find a way to control it not to set  signing-time attribute. So I want to know if there is a way to not to set signing-time attribute or delete this attribute without changing the openssl source code.
>
> Regards,
> Shiyao Liu
>
> ________________________________
> [hidden email]