Ahmet-Kaplan / xades4j

Automatically exported from code.google.com/p/xades4j
GNU Lesser General Public License v3.0
0 stars 0 forks source link

Verification of TimeStamp tokens uses time from token itself #50

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
DefaultTimeStampVerificationProvider, verifyToken method uses time from the 
token itself to validate if the signature in it is valid.

So we're using not validated data in validation. That's incorrect.
The time should be either *now* or time from some validated time stamp higher 
in XAdES hierarchy.

What version of the product are you using? On what operating system?
1.3.0

Patch that fixes the issue is attached (it's a bit hackish though). Depends on 
patch from issue 49.

Original issue reported on code.google.com by hubert.k...@gmail.com on 4 Oct 2012 at 3:06

Attachments:

GoogleCodeExporter commented 9 years ago
I don't know how I looked at the tests with previous patch, this is the correct 
one

Original comment by hubert.k...@gmail.com on 4 Oct 2012 at 3:35

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by luis.fgoncalv on 11 Oct 2012 at 9:17