Janis Peisenieks

Reputation: 4988

Checking certificate validity for a specific time

I am currently working with a system that has a PDF signing option.

Now, when creating a complementary Android application, I've run into a bit of a conundrum: How do I check the validity of the certificate?

The problem is that I'm interested in whether the certificate was valid at the time of signing. Now I know that Adobe has this kind of capability, but I'd like to know how to implement such a thing on my own.

I've successfully checked the status of the certificate against OCSP, but the only thing it gives me is the status of the certificate, whether or not it has been revoked/suspended, and the date (which is incorrect, and still puzzles me). I've also taken a look at CRL, but it seems that it only has one record per certificate, meaning it can't tell me whether or not a certificate was valid at a specific point in time.

Example:

Certificate 01 4D 44 5B - issued on 20.08.2012 - suspended on 21.08.2012 - reactivated on 22.08.2012

PDF document1 - signed on 20.08.2012

PDF document2 - signed on 21.08.2012

Now if we check the documents' validity in Adobe Reader, PDF1 would show as valid and PDF2 as invalid.

How does Adobe know, and how do I find out the same information? Maybe there is some OS program whose source I could take a look into, to find this out?

Upvotes: 4

Views: 770

Answers (1)

akton

Reputation: 14386

This is usually done by embedding a timestamp in the digital signature, usually itself signed by a different but trusted CA, like that used in Microsoft Authenticode. This timestamp is compared to the validity period for the certificate to determine whether the certificate was valid at the time of signing.

Also see How does countersign in code signing work? or the signtool.exe /t option for more discussion on this.

Upvotes: 2
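The check the answer describes, as an added illustration (not akton's code and not Adobe's implementation): take the trusted signing time from the signature's timestamp, compare it against the certificate's validity period, and then replay the certificate's revocation history (the certificateHold / removeFromCRL events from archived CRLs or OCSP responses) up to that instant. The notAfter date and the revocation-reason names used below are assumptions; the serial and the dates are the ones from the question.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple

# Reason codes as named in RFC 5280 CRL entry extensions.
CERTIFICATE_HOLD = "certificateHold"   # temporary suspension
REMOVE_FROM_CRL = "removeFromCRL"      # lifts a hold; no other reason is reversible


@dataclass
class RevocationEvent:
    when: datetime   # revocationDate from the CRL entry / OCSP response
    reason: str


@dataclass
class CertRecord:
    serial: str
    not_before: datetime
    not_after: datetime
    # Chronological revocation history, reconstructed from archived CRLs/OCSP.
    history: List[RevocationEvent] = field(default_factory=list)


def status_at(cert: CertRecord, signing_time: datetime) -> Tuple[bool, str]:
    """Was the certificate usable at signing_time (a trusted timestamp, not the PC clock)?"""
    if not (cert.not_before <= signing_time <= cert.not_after):
        return False, "outside validity period"
    state = "good"
    for ev in sorted(cert.history, key=lambda e: e.when):
        if ev.when > signing_time:
            break                      # events after the signature do not matter
        if ev.reason == CERTIFICATE_HOLD:
            state = "suspended"
        elif ev.reason == REMOVE_FROM_CRL:
            state = "good"
        else:
            return False, "revoked:" + ev.reason   # permanent, cannot be undone
    return state == "good", state


def parse_date(s: str) -> datetime:
    return datetime.strptime(s, "%d.%m.%Y")


def page_example() -> Dict[str, Tuple[bool, str]]:
    """Replay the scenario from the question (notAfter is a constructed value)."""
    cert = CertRecord("01 4D 44 5B", parse_date("20.08.2012"), parse_date("20.08.2013"), [
        RevocationEvent(parse_date("21.08.2012"), CERTIFICATE_HOLD),
        RevocationEvent(parse_date("22.08.2012"), REMOVE_FROM_CRL),
    ])
    signed = {"document1": "20.08.2012", "document2": "21.08.2012", "document3": "22.08.2012"}
    return {name: status_at(cert, parse_date(day)) for name, day in signed.items()}
```

A plain CRL only shows the current state, so the history list has to come from CRLs or OCSP responses archived at or around the signing time; without them the best you can do is the validity-period check.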
