Bug#610806: libgnutls26 appears to mis-parse GeneralizedTime objects that use a non-UTC time
Simon Josefsson
simon at josefsson.org
Sat Jan 22 22:06:37 UTC 2011
Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
> Package: libgnutls26
> Version: 2.10.4-1
> Severity: normal
>
> it looks like gnutls is not appropriately parsing generalizedTime
> objects (e.g. in Validity|notBefore and Validity|notAfter fields in
> X.509 certificates).
>
> Attached are two (invalid) X.509 certificates. one contains Validity
> timestamps using generalizedTime with TZ=UTC. the other contains
> Validity timestamps using generalizedTime with TZ=Americas/New_York
> (suffixed with "-0500" instead of "Z"):
>
> 0 dkg at pip:~$ < UTC.pem grep -v ^- | base64 -d | strings
> 0%1#0!
> fake test cert with TZ UTC0"
> 20110122183419Z
> 20120122183419Z0%1#0!
> fake test cert with TZ UTC0
> 0 dkg at pip:~$ < America.New_York.pem grep -v ^- | base64 -d | strings
> 02100.
> 'fake test cert with TZ America/New_York0*
> 20110122133408-0500
> 20120122133408-050002100.
> 'fake test cert with TZ America/New_York0
> 0 dkg at pip:~/src/monkeysphere/fakex509$
RFC 5280 says:
4.1.2.5.2. GeneralizedTime
The generalized time type, GeneralizedTime, is a standard ASN.1 type
for variable precision representation of time. Optionally, the
GeneralizedTime field can include a representation of the time
differential between local and Greenwich Mean Time.
For the purposes of this profile, GeneralizedTime values MUST be
expressed in Greenwich Mean Time (Zulu) and MUST include seconds
(i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds
is zero. GeneralizedTime values MUST NOT include fractional seconds.
It is not clear to me whether your timestamps that fails with GnuTLS
conforms to this requirement or not?
/Simon
More information about the Pkg-gnutls-maint
mailing list