certificate validity should be checked at time of timestamp, not at time of verify

After #162 was fixed the same test material  shows a potential bug:
* the certificate chain for the TSA is currently expired but was not expired at time timestamp
* verification fails with 
  ```
  VerificationError: Error while verifying certificates: Unable to verify pkcs7 signature:
      ErrorStack([Error {
          code: 276824181,
          library: "PKCS7 routines",
          function: "PKCS7_verify",
          reason: "certificate verify error",
          file: "crypto/pkcs7/pk7_smime.c",
          line: 301,
          data: "Verify error: certificate has expired"
      }])   
  
  ```
  
* I believe this should **not** fail as the RFC says :

  ```
  B) The validity of the digital signature may then be verified in the
        following way:
  
  ...
  
        4)    The date/time indicated by the TSA MUST be within the
              validity period of the signer's certificate.
  
  ...
  ```
  
There does not seem to be a requirement for the cert to be valid at time of verification (but I am no expert, feel free to correct me)


Example timestamp is in the bundle in https://github.com/sigstore/sigstore-conformance/blob/main/test/assets/bundle-verify/intoto-with-custom-trust-root/ . The certchain is in trusted_root.json in the same directory -- but any timestamp with expired certs likely has same results.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

certificate validity should be checked at time of timestamp, not at time of verify #171

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

certificate validity should be checked at time of timestamp, not at time of verify #171

Description

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions