lsh123 / xmlsec

XML Security Library

xmlsec-nss: Option to ignore certificate validity expiry time #852

Open jignatius opened 3 weeks ago

jignatius commented 3 weeks ago

openssl provides the -no_check_time option to "ignore certificate validity time".

Example:

$ openssl verify -CAfile cert1.pem  -CApath ./ cert2.pem  
...
error 10 at 1 depth lookup: certificate has expired
...
error 10 at 0 depth lookup: certificate has expired
error cert2.pem: verification failed

$ openssl verify -no_check_time -CAfile cert1.pem -CApath ./ cert2.pem  
cert2.pem: OK

It would be useful to have a "no check time" option in xmlsec too.

lsh123 commented 6 days ago

There is no easy way to skip timestamp checks in NSS. Will keep the issue open for the future if NSS provides new APIs.