Why is the signing-time signed attribute added unconditionally in CMS signatures?



Stephan Mühlstrasser
Hi,

I'm wondering why OpenSSL adds the signing-time signed attribute
unconditionally to a CMS signedData object. See function
CMS_SignerInfo_sign() in source file cms_sd.c:

     /* Adds signing-time whenever the caller has not set one; there is no opt-out. */
     if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) {
         if (!cms_add1_signingTime(si, NULL))
             goto err;
     }

I found nothing in RFC 5652 that mandates the addition of the
signing-time attribute. It's merely described as a "useful attribute".

The unconditional addition of the signing-time attribute is a problem
when using OpenSSL for the creation of PAdES-conforming PDF signatures.

The ETSI standard ETSI TS 102 778-3 (PDF Advanced Electronic Signature
Profiles; Part 3: PAdES Enhanced) explicitly requires the following:

http://www.etsi.org/deliver/etsi_ts/102700_102799/10277803/01.01.02_60/ts_10277803v010102p.pdf

"4.5.3 signing-time Attribute
For all profiles covered in the present document the signing-time
attribute shall not be used."

So a CMS API flag that allows suppression of the signing-time attribute
would be useful.

--
Stephan
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
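A conformance check for the issue raised in the post, added here as an example and not code from the post or from OpenSSL: it walks a DER-encoded CMS SignerInfo (RFC 5652 section 5.3), lists the OIDs of its signed attributes and flags the pkcs9 signing-time attribute (1.2.840.113549.1.9.5) that ETSI TS 102 778-3 clause 4.5.3 forbids. It uses only the Python standard library. The SignerInfo it runs on is constructed inline with placeholder issuer, digest and signature bytes; it is structurally valid but verifies nothing and stands in for output you would get from CMS_SignerInfo_sign().

```python
"""Check a DER CMS SignerInfo for the pkcs9 signing-time signed attribute."""

OID_CONTENT_TYPE   = "1.2.840.113549.1.9.3"   # pkcs9 contentType
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"   # pkcs9 messageDigest
OID_SIGNING_TIME   = "1.2.840.113549.1.9.5"   # pkcs9 signingTime (forbidden by PAdES)
OID_ID_DATA        = "1.2.840.113549.1.7.1"   # id-data
OID_SHA256         = "2.16.840.1.101.3.4.2.1"
OID_RSA            = "1.2.840.113549.1.1.1"

# ---- minimal DER helpers ---------------------------------------------------

def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def decode_oid(body):
    """Inverse of oid(): OBJECT IDENTIFIER content octets -> dotted string."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not (b & 0x80):
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_tlv(buf, pos=0):
    """Return (tag, content, end) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags do not occur in a CMS SignerInfo")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is BER, not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        out.append((tag, body))
    return out

# ---- the check -------------------------------------------------------------

def signed_attribute_oids(signer_info):
    """OIDs of SignerInfo.signedAttrs ([0] IMPLICIT SET OF Attribute);
    [] when the SignerInfo carries no signed attributes at all."""
    tag, body, _ = parse_tlv(signer_info)
    if tag != 0x30:
        raise ValueError("SignerInfo must be a SEQUENCE")
    for field_tag, field in children(body):
        if field_tag == 0xA0:            # [0] constructed: signedAttrs
            oids = []
            for attr_tag, attr in children(field):
                if attr_tag != 0x30:
                    raise ValueError("Attribute must be a SEQUENCE")
                type_tag, type_body = children(attr)[0]
                if type_tag != 0x06:
                    raise ValueError("Attribute.attrType must be an OID")
                oids.append(decode_oid(type_body))
            return oids
    return []

def has_signing_time(signer_info):
    """True if the signed attributes include signing-time (PAdES violation)."""
    return OID_SIGNING_TIME in signed_attribute_oids(signer_info)

# ---- constructed sample (not a real signature) -----------------------------

def attribute(attr_type, *values):
    return tlv(0x30, oid(attr_type) + tlv(0x31, b"".join(values)))

def sample_signer_info(with_signing_time):
    """Structurally valid SignerInfo with placeholder issuer/digest/signature."""
    attrs = [attribute(OID_CONTENT_TYPE, oid(OID_ID_DATA)),
             attribute(OID_MESSAGE_DIGEST, tlv(0x04, bytes(32)))]
    if with_signing_time:   # UTCTime, the form OpenSSL emits for pre-2050 dates
        attrs.append(attribute(OID_SIGNING_TIME, tlv(0x17, b"240101120000Z")))
    attrs.sort()            # DER SET OF: elements in ascending encoded order
    return tlv(0x30,
               tlv(0x02, b"\x01")                                  # version 1
               + tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x01"))    # issuerAndSerialNumber (placeholder)
               + tlv(0x30, oid(OID_SHA256) + tlv(0x05, b""))       # digestAlgorithm
               + tlv(0xA0, b"".join(attrs))                        # [0] signedAttrs
               + tlv(0x30, oid(OID_RSA) + tlv(0x05, b""))          # signatureAlgorithm
               + tlv(0x04, bytes(16)))                             # signature (placeholder)

if __name__ == "__main__":
    for flag in (True, False):
        si = sample_signer_info(flag)
        print(signed_attribute_oids(si), "-> PAdES violation:", has_signing_time(si))
```

The check is only a detector. The signed attributes are exactly the bytes that get digested and signed (RFC 5652 section 5.4 computes the signature over the DER encoding of signedAttrs), so a non-conforming SignedData cannot be repaired by stripping the attribute after the fact; it has to be suppressed before CMS_SignerInfo_sign() runs, which is why a signing-time flag is the right fix. Later OpenSSL releases added a CMS_NO_SIGNING_TIME flag for this purpose; check the CMS_sign(3) page of the release you build against before relying on it.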