Bug#610806: libgnutls26 appears to mis-parse GeneralizedTime objects that use a non-UTC time

Simon Josefsson simon at josefsson.org
Sat Jan 22 22:06:37 UTC 2011


Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:

> Package: libgnutls26
> Version: 2.10.4-1
> Severity: normal
>
> it looks like gnutls is not appropriately parsing generalizedTime
> objects (e.g. in Validity|notBefore and Validity|notAfter fields in
> X.509 certificates).
>
> Attached are two (invalid) X.509 certificates.  one contains Validity
> timestamps using generalizedTime with TZ=UTC.  the other contains
> Validity timestamps using generalizedTime with TZ=Americas/New_York
> (suffixed with "-0500" instead of "Z"):
>
> 0 dkg at pip:~$ < UTC.pem grep -v ^- | base64 -d | strings
> 0%1#0!
> fake test cert with TZ UTC0"
> 20110122183419Z
> 20120122183419Z0%1#0!
> fake test cert with TZ UTC0
> 0 dkg at pip:~$ < America.New_York.pem grep -v ^- | base64 -d | strings
> 02100.
> 'fake test cert with TZ America/New_York0*
> 20110122133408-0500
> 20120122133408-050002100.
> 'fake test cert with TZ America/New_York0
> 0 dkg at pip:~/src/monkeysphere/fakex509$ 

RFC 5280 says:

4.1.2.5.2.  GeneralizedTime

   The generalized time type, GeneralizedTime, is a standard ASN.1 type
   for variable precision representation of time.  Optionally, the
   GeneralizedTime field can include a representation of the time
   differential between local and Greenwich Mean Time.

   For the purposes of this profile, GeneralizedTime values MUST be
   expressed in Greenwich Mean Time (Zulu) and MUST include seconds
   (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds
   is zero.  GeneralizedTime values MUST NOT include fractional seconds.

It is not clear to me whether your timestamps that fail with GnuTLS
conform to this requirement or not?

/Simon
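A small checker, added here as an example (not GnuTLS code and not part of either test certificate), that parses both GeneralizedTime forms seen in the report and says whether a Validity pair meets the RFC 5280 profile; the function names are assumptions:

```python
import re
from datetime import datetime, timedelta, timezone

# ASN.1 GeneralizedTime as it may appear in an X.509 Validity field:
#   YYYYMMDDHHMMSS[.fff](Z | +HHMM | -HHMM)
# RFC 5280 4.1.2.5.2 narrows this to exactly YYYYMMDDHHMMSSZ.
_GENERALIZED_TIME = re.compile(
    r"^(?P<base>\d{14})(?P<frac>\.\d+)?(?P<tz>Z|[+-]\d{4})$"
)
_RFC5280_FORM = re.compile(r"^\d{14}Z$")


def parse_generalized_time(value: str) -> datetime:
    """Parse any syntactically valid GeneralizedTime into a UTC datetime.

    The local-time-with-offset form is accepted so that the instant it
    denotes can be compared with the Zulu form; profile conformance is a
    separate question, answered by rfc5280_conformant().
    """
    m = _GENERALIZED_TIME.match(value)
    if m is None:
        raise ValueError(f"not a GeneralizedTime: {value!r}")
    local = datetime.strptime(m.group("base"), "%Y%m%d%H%M%S")
    if m.group("frac"):
        local += timedelta(seconds=float(m.group("frac")))
    tz = m.group("tz")
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    # local = UTC + offset, hence UTC = local - offset
    return (local - offset).replace(tzinfo=timezone.utc)


def rfc5280_conformant(value: str) -> bool:
    """True only for the profile form: 14 digits, no fraction, trailing Z."""
    return _RFC5280_FORM.match(value) is not None


def check_validity(not_before: str, not_after: str) -> dict:
    """Summarise a Validity pair as a strict RFC 5280 parser would see it."""
    return {
        "not_before_utc": parse_generalized_time(not_before),
        "not_after_utc": parse_generalized_time(not_after),
        "conformant": rfc5280_conformant(not_before) and rfc5280_conformant(not_after),
    }


if __name__ == "__main__":
    # Timestamp strings taken from the two test certificates quoted above.
    for nb, na in (("20110122183419Z", "20120122183419Z"),
                   ("20110122133408-0500", "20120122133408-0500")):
        print(nb, na, check_validity(nb, na))
```

The offset form parses to a well-defined instant, but only the Zulu pair satisfies the profile, which is the distinction the question above turns on.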
