Could you please add a switch to skip the certificate expiry check?
If a certificate has expired, but I know that it is the correct certificate, it is still much better to check the XML signature with the expired certificate compared to not checking the signature at all.
I would love to have a switch to disable it.
Or if that is not possible it would be nice if in case of an expired certificate the library would check the signature first.
So if the signature is corrupted it would say invalid signature!!
And if the signature is correct it would say in that case, certificate expired.
Or give me both statements. But just expired is not enough in my opinion.
SignXML currently depends on pyOpenSSL's API to OpenSSL to verify certificate validity. The pyOpenSSL API does not support this type of configurability.
We will probably be switching from pyOpenSSL to cryptography's new verify_directly_issued_by() API, but even then I don't anticipate that SignXML will provide the ability to provide a log of multiple validation failure reasons. But with verify_directly_issued_by we can probably provide the ability to specify a moment in time for validating, similar to certvalidator.context.ValidationContext.moment, as well as the ability to subclass the verifier to bypass expiration checks by stubbing out the relevant method.