[Pkg-openssl-devel] Bug#862335: openssl creates and accepts certificates with bad notAfter field

Tim Rühsen tim.ruehsen at gmx.de
Fri May 12 10:31:26 UTC 2017


On Thu, 11 May 2017 18:42:17 +0200 Kurt Roeckx <kurt at roeckx.be> wrote:
> On Thu, May 11, 2017 at 02:59:20PM +0200, Harald Dunkel wrote:
>> 
>> Please note the "-enddate 20451231235959Z" and compare with RFC
>> 5280 section 4.1.2.5 (https://www.ietf.org/rfc/rfc5280.txt). The
>> GeneralizedTime format is not allowed for 2045, but apparently
>> openssl doesn't convert the string to UTCTime format.
> 
> Please note that the manual says the format is: YYMMDDHHMMSSZ
> 
> I guess it would be nice if we converted it properly.

Just for the record, the latest openssl (1.1.1-dev from Github) accepts
this (seen from the code):

[SS] is optional, <+|-> = either + or - must be present

1.
YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS]<+|->hhmm
If valid, these date strings are written to ASN.1 into a UTCTime field.

2.
YYYYMMDDHHMM[SS]Z or YYYYMMDDHHMMSS<+|->hhmm
If valid, these date strings are written to ASN.1 into a GeneralizedTime
field.

Regarding RFC 5280, in both cases (UTCTime and GeneralizedTime) the
seconds (SS) and the Z (Zulu) timezone are a MUST.

See RFC5280 '4.1.2.5.1.  UTCTime' and '4.1.2.5.2.  GeneralizedTime'.

OpenSSL relies on its ASN.1 code to check for validity, which is
simply not strict enough. Other implementors do a strict check and thus
might reject certificates generated by openssl.

Regards, Tim
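The RFC 5280 section 4.1.2.5 rules summarised in this thread, as an added example that is not part of the thread or of OpenSSL's own code: a strict checker for certificate Time strings, plus the year-dependent re-encoding that would turn a `-enddate 20451231235959Z` into the UTCTime form the RFC requires. The function names and the sample strings in the test are my own.

```python
import re
from datetime import datetime, timezone

# RFC 5280 4.1.2.5: validity times are UTCTime (YYMMDDHHMMSSZ) for the years
# 1950 through 2049 and GeneralizedTime (YYYYMMDDHHMMSSZ) for 2050 and later.
# Seconds and the trailing 'Z' are mandatory in both; the optional seconds and
# the +hhmm/-hhmm offsets that OpenSSL's parser tolerates are not permitted.
UTCTIME_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
GENTIME_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def parse_time(value: str) -> datetime:
    """Parse a Time string in either RFC 5280 form. Raises ValueError on a
    malformed string and on an impossible calendar date (e.g. 30 February)."""
    m = UTCTIME_RE.match(value)
    if m:
        yy, mo, d, h, mi, s = map(int, m.groups())
        year = 1900 + yy if yy >= 50 else 2000 + yy  # RFC 5280 UTCTime pivot
        return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)
    m = GENTIME_RE.match(value)
    if m:
        y, mo, d, h, mi, s = map(int, m.groups())
        return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)
    raise ValueError(f"{value!r}: seconds and 'Z' are mandatory, offsets are not allowed")


def required_type(dt: datetime) -> str:
    """The ASN.1 Time type RFC 5280 mandates for a given year."""
    if dt.year < 1950:
        raise ValueError("dates before 1950 cannot be encoded as a certificate Time")
    return "UTCTime" if dt.year < 2050 else "GeneralizedTime"


def classify(value: str) -> str:
    """'UTCTime' / 'GeneralizedTime' for a conforming encoding, 'wrong-type'
    when the string is well formed but uses the wrong type for its year
    (the 20451231235959Z case), 'invalid' when it is malformed."""
    try:
        dt = parse_time(value)
        needed = required_type(dt)
    except ValueError:
        return "invalid"
    used = "UTCTime" if len(value) == 13 else "GeneralizedTime"
    return used if used == needed else "wrong-type"


def normalize_enddate(value: str) -> str:
    """Re-encode a -startdate/-enddate style string in the RFC 5280 form that
    matches its year, i.e. the conversion the thread asks OpenSSL to perform."""
    dt = parse_time(value)
    fmt = "%y%m%d%H%M%SZ" if required_type(dt) == "UTCTime" else "%Y%m%d%H%M%SZ"
    return dt.strftime(fmt)
```

A strict verifier in the sense of this thread would reject anything `classify` does not return `UTCTime` or `GeneralizedTime` for, which is exactly why the OpenSSL-generated 2045 certificate can fail elsewhere.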
