pyOpenSSL

pyOpenSSL only supports GeneralizedTime for validity but UTCTime is required for RFC compliance

Bug #1203407 reported by Stefanos Harhalakis
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pyOpenSSL
New
Undecided
Unassigned

Bug Description

Hi,

The full description of this bug report is here:

http://www.v13.gr/blog/?p=342

In short, set_notBefore and set_notAfter only support GeneralizedTime formatted strings but according to http://www.ietf.org/rfc/rfc3280.txt, section 4.1.2.5:

   CAs conforming to this profile MUST always encode certificate
   validity dates through the year 2049 as UTCTime; certificate validity
   dates in 2050 or later MUST be encoded as GeneralizedTime.

While openssl is flexible with this restriction, other implementations may not be. For example, RouterOS (MikroTik's OS) fails to properly import these certificates and assumes a time of 0 (which is obviously a bug on their side as well, but nevertheless).

Since set_notBefore and set_notAfter accept a preformated string they should be able to handle both cases and leave the decision to the caller.

I did a quick patch which worked perfectly so please consider it for inclusion.

Thanks,
Stefanos

Revision history for this message
Stefanos Harhalakis (v13) wrote :
Revision history for this message
Stefanos Harhalakis (v13) wrote :

On a second thought, the conversion in the patch should be reversed (i.e. first attempt ASN1_UTCTIM and then ASN1_GENERALIZEDTIME), or the check in the final block shoud be performed with ASN1_UTCTIME_* calls.

Revision history for this message
J. D. Bartlett (jd-bartlett) wrote :

The attached patch fixes set_notBefore() and set_notAfter() to obey the RFC and use UTCTime for dates < 2050.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.