Closed sbranand closed 6 months ago
OK, the reason is that the Unix epoch start is 0, and 0 is reserved as an indicator for an error. I will take a look; it should be possible to fix it relatively easily.
Thanks for looking into it.
@sbranand any chance you can try https://github.com/lsh123/xmlsec/pull/767? I believe it should fix it.
@lsh123 Thanks for the quick fix. The initial tests showed the issue has been fixed. I will post here after performing some more tests.
@lsh123 #767 fixes the issue. Thanks.
Great, thanks for confirming!
@lsh123 Any plan to push this fix on an official release tag? Thanks.
This change will be in the next release. Probably mid-late April as usual.
Thanks.
xmlsec 1.3.3 fails to validate a signature if the signer cert's notBefore is set to:
notBefore=Jan 1 00:00:00 1970 GMT
The signer certificate's validity is intentionally set to begin at the epoch so that it validates even when the system clock is not set. This issue is noted when compiling xmlsec with OpenSSL.
It fails at src/openssl/x509.c::1627-1630.
The change that causes this failure was introduced in this commit: https://github.com/lsh123/xmlsec/commit/a85ded7f926fe56edba89f7bc857ec22887afb26
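The failure mode described in this thread (0 doubling as both "error" and the epoch timestamp), shown as an added example that is not xmlsec's code and not the change made in the linked pull request. The function names and the "YYYY-MM-DD hh:mm:ss" input format are assumptions chosen for illustration; the second checker shows one common way to avoid the collision by returning status separately from the value.

```c
#include <stdio.h>

/* Days since 1970-01-01 for a Gregorian date (standard civil-date algorithm). */
static long long days_from_civil(long long y, int m, int d) {
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    long long yoe = y - era * 400;
    long long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Hypothetical parser: status is the return value (0 ok, -1 malformed), time goes to *out. */
static int parse_utc(const char *s, long long *out) {
    int y, mo, d, h, mi, se;
    if (sscanf(s, "%d-%d-%d %d:%d:%d", &y, &mo, &d, &h, &mi, &se) != 6) return -1;
    if (mo < 1 || mo > 12 || d < 1 || d > 31) return -1;
    if (h < 0 || h > 23 || mi < 0 || mi > 59 || se < 0 || se > 60) return -1;
    *out = days_from_civil(y, mo, d) * 86400LL + h * 3600 + mi * 60 + se;
    return 0;
}

/* Sentinel-style variant: 0 means "error", so a valid epoch time is indistinguishable. */
static long long parse_utc_sentinel(const char *s) {
    long long t;
    return parse_utc(s, &t) == 0 ? t : 0;
}

/* Both checkers return 1 = inside validity window, 0 = outside, -1 = treated as error. */
static int valid_sentinel(const char *nb, const char *na, long long now) {
    long long b = parse_utc_sentinel(nb), a = parse_utc_sentinel(na);
    if (b == 0 || a == 0) return -1;      /* epoch notBefore is misread as a failure */
    return now >= b && now <= a;
}

static int valid_status(const char *nb, const char *na, long long now) {
    long long b, a;
    if (parse_utc(nb, &b) != 0 || parse_utc(na, &a) != 0) return -1;
    return now >= b && now <= a;          /* 0 is an ordinary timestamp here */
}

int main(void) {
    /* Constructed sample validity window; notBefore is exactly the Unix epoch. */
    const char *nb = "1970-01-01 00:00:00", *na = "2030-01-01 00:00:00";
    printf("sentinel: %d\n", valid_sentinel(nb, na, 1700000000LL));
    printf("status:   %d\n", valid_status(nb, na, 1700000000LL));
    return 0;
}
```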