failing enveloping-expired-cert with "certificate is not yet valid" #280

SmartLayer opened this issue Dec 13, 2019 · 7 comments
Closed

@SmartLayer

SmartLayer commented Dec 13, 2019

Using the master branch, newly checked out. make check has:

aleksey-xmldsig-01/enveloping-expired-cert
    Checking required transforms                            OK
    Checking required key data                              OK
    Verify existing signature                             Fail

So I manually ran the test and noticed the message "certificate is not yet valid" (it's at the end of the first line of the command line output; scroll to see it):

$ LD_LIBRARY_PATH=./src/openssl/.libs/ ./apps/xmlsec1 verify --X509-skip-strict-checks  --crypto openssl --crypto-config /tmp/xmlsec-crypto-config --trusted-der /home/weiwu/Proyectos/xmlsec/tests/keys/cacert.der --enabled-key-data x509 --verification-time 2014-05-24+00:00:00 /home/weiwu/Proyectos/xmlsec/tests/aleksey-xmldsig-01/enveloping-expired-cert.xml
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=350:obj=x509-store:subj=unknown:error=71:certificate verification failed:X509_verify_cert: subject=/C=US/ST=California/O=XML Security Library (http://www.aleksey.com/xmlsec)/OU=Root CA/CN=Aleksey Sanin/emailAddress=xmlsec@aleksey.com; issuer=/C=US/ST=California/O=XML Security Library (http://www.aleksey.com/xmlsec)/OU=Root CA/CN=Aleksey Sanin/emailAddress=xmlsec@aleksey.com; err=9; msg=certificate is not yet valid
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=376:obj=x509-store:subj=unknown:error=75:certificate is not yet valid:subject=/C=US/ST=California/O=XML Security Library (http://www.aleksey.com/xmlsec)/OU=Root CA/CN=Aleksey Sanin/emailAddress=xmlsec@aleksey.com; issuer=/C=US/ST=California/O=XML Security Library (http://www.aleksey.com/xmlsec)/OU=Root CA/CN=Aleksey Sanin/emailAddress=xmlsec@aleksey.com; err=9; msg=certificate is not yet valid
func=xmlSecKeysMngrGetKey:file=keys.c:line=1253:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=793:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=508:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed: 
Error: signature failed 
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "/home/weiwu/Proyectos/xmlsec/tests/aleksey-xmldsig-01/enveloping-expired-cert.xml"

If I add one year to --verification-time 2014-05-24+00:00:00 and use --verification-time 2015-05-24+00:00:00, then the output is a more reasonable "certificate has expired".

I know the default answer might be something like "it passed CI so it must have been your environment". I'm just consulting on where to look, not assuming the code is broken or that the problem is not my environment. My theory was that perhaps the test certificate bumped a year while the test cases didn't, but that can't explain why it then passed CI.

@lsh123
Owner

lsh123 commented Dec 13, 2019

The error message is correct when I run it on my environment and in CI:

/home/aleksey/dev/xmlsec/apps/xmlsec1 verify --X509-skip-strict-checks --crypto openssl --crypto-config /tmp/xmlsec-crypto-config --trusted-der /home/aleksey/dev/xmlsec/tests/keys/cacert.der --enabled-key-data x509 --verification-time 2014-05-25+00:00:00 /home/aleksey/dev/xmlsec/tests/aleksey-xmldsig-01/enveloping-expired-cert.xml
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=353:obj=x509-store:subj=unknown:error=71:certificate verification failed:X509_verify_cert: subject=/C=US/ST=California/O=XML Security Library (http://www.aleksey.com/xmlsec)/OU=Test Expired RSA Certificate/CN=Aleksey Sanin/emailAddress=xmlsec@aleksey.com; issuer=/C=US/ST=California/O=XML Security Library (http://www.aleksey.com/xmlsec)/CN=Aleksey Sanin/emailAddress=xmlsec@aleksey.com; err=10; msg=certificate has expired
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=386:obj=x509-store:subj=unknown:error=76:certificate has expired:subject=/C=US/ST=California/O=XML Security Library (http://www.aleksey.com/xmlsec)/OU=Test Expired RSA Certificate/CN=Aleksey Sanin/emailAddress=xmlsec@aleksey.com; issuer=/C=US/ST=California/O=XML Security Library (http://www.aleksey.com/xmlsec)/CN=Aleksey Sanin/emailAddress=xmlsec@aleksey.com; err=10; msg=certificate has expired
func=xmlSecKeysMngrGetKey:file=keys.c:line=1253:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=793:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=508:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=346:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR

@lsh123 lsh123 closed this as completed Dec 13, 2019
@SmartLayer
Author

The error message is correct when I run it on my environment and in CI

Knowing libxmlsec is completely blameless since it's clearly proven in the CI output, and not intending to indicate that there might be the slightest error in the code, can you provide your openssl library version?

Mine is 1.1.1c and I wonder if the problem on my environment, again, completely not your problem, could be caused by a different openssl library?

@lsh123
Owner

lsh123 commented Dec 16, 2019

You have source code. Put the breakpoint around the issuance check and see what openssl returns.

@telans

telans commented Nov 17, 2021

@lsh123 This test fails for me with TZ=Pacific/Auckland, but succeeds with TZ=UTC. I would say this is the root of the issue. Could this be re-opened?

gentoo-bot pushed a commit to gentoo/gentoo that referenced this issue Nov 17, 2021
Bug: lsh123/xmlsec#280
Reported-by: James Beddek <telans@posteo.de>
Signed-off-by: Sam James <sam@gentoo.org>
@lsh123
Owner

lsh123 commented Nov 17, 2021

Sure

@lsh123
Owner

lsh123 commented Jun 7, 2022

Fixed by adding (and using) the --verification-gmt-time option for the xmlsec1 tool.
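Added example (not xmlsec's code) illustrating the root cause telans found and why the GMT option fixes it: a verification instant written without a zone is interpreted in the process's local time by mktime(), so under a New Zealand TZ the same string lands 12 hours earlier on the UTC timeline and can fall before a certificate's notBefore, producing "not yet valid" instead of "has expired". The validity window and the POSIX TZ rule string are constructed for the demonstration; the real test certificate's dates are not on the page.

```c
#define _GNU_SOURCE            /* for setenv() under strict -std modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
/* Days since 1970-01-01 for a proleptic Gregorian date (days_from_civil). */
static long long days_from_civil(int y, int m, int d) {
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    long long yoe = y - era * 400;
    long long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* GMT interpretation (a portable timegm): independent of the TZ variable. */
long long epoch_utc(int y, int mo, int d, int h, int mi, int s) {
    return days_from_civil(y, mo, d) * 86400LL + h * 3600LL + mi * 60LL + s;
}

/* Local-time interpretation via mktime(): the result moves with TZ. */
long long epoch_local(const char *tz, int y, int mo, int d, int h, int mi, int s) {
    struct tm tm;
    setenv("TZ", tz, 1);
    tzset();
    memset(&tm, 0, sizeof tm);
    tm.tm_year = y - 1900; tm.tm_mon = mo - 1; tm.tm_mday = d;
    tm.tm_hour = h; tm.tm_min = mi; tm.tm_sec = s; tm.tm_isdst = -1; /* zone rules decide DST */
    return (long long)mktime(&tm);
}

/* Validity check: 0 = valid, -1 = "not yet valid", 1 = "has expired". */
int classify(long long t, long long not_before, long long not_after) {
    if (t < not_before) return -1;
    if (t > not_after) return 1;
    return 0;
}

int main(void) {
    /* Constructed, hypothetical window: valid for exactly one day from 2014-05-24T00:00Z. */
    long long nb = epoch_utc(2014, 5, 24, 0, 0, 0), na = epoch_utc(2014, 5, 25, 0, 0, 0);
    /* POSIX TZ rule for New Zealand (UTC+12 in May), so no tzdata files are required. */
    const char *nz = "NZST-12NZDT,M9.5.0,M4.1.0/3";
    long long t_gmt = epoch_utc(2014, 5, 24, 0, 0, 0);
    long long t_loc = epoch_local(nz, 2014, 5, 24, 0, 0, 0);
    printf("GMT parse -> %d, local NZ parse -> %d (shift %lld s)\n",
           classify(t_gmt, nb, na), classify(t_loc, nb, na), t_gmt - t_loc);
    return 0;
}
```

Run with any TZ in the environment: the GMT parse classifies the instant the same way every time, while the local parse shifts by the zone offset and flips the verdict.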

@lsh123 lsh123 closed this as completed Jun 7, 2022
@SmartLayer
Author

Very excited, testing soon!
