lsh123
commented
6 months ago OK, the reason is that the unix epoch start is 0 and 0 is reserved as an indicator for an error. I will take a look, it should be possible to fix it relatively easily.
Closed sbranand closed 6 months ago
lsh123
commented
6 months ago OK, the reason is that the unix epoch start is 0 and 0 is reserved as an indicator for an error. I will take a look, it should be possible to fix it relatively easily.
sbranand
commented
6 months ago Thanks for looking into it.
lsh123
commented
6 months ago @sbranand any chance you can try https://github.com/lsh123/xmlsec/pull/767? I believe it should fix it.
sbranand
commented
6 months ago @lsh123 Thanks for the quick fix. The initial tests showed the issue has been fixed. I will post here after performing some more tests.
sbranand
commented
6 months ago @lsh123 #767 fixes the issue. Thanks.
lsh123
commented
6 months ago great, thanks for confirming!
sbranand
commented
6 months ago @lsh123 Any plan to push this fix on an official release tag Thanks.
lsh123
commented
6 months ago This change will be in the next release. Probably mid-late April as usual.
sbranand
commented
6 months ago Thanks.
xmlsec 1.3.3 fails to validate signature if the signer cert's notBefore is set to
notBefore=Jan 1 00:00:00 1970 GMT
Signer certificate's validity is intentionally set to begin at epoch to validate even when the system clock is not set. This issue is noted when compiling xmlsec with openssl.
It fails at src/openssl/x509.c::1627-1630
The change that causes this failure was introduced in this commit https://github.com/lsh123/xmlsec/commit/a85ded7f926fe56edba89f7bc857ec22887afb26