pyOpenSSL only supports GeneralizedTime for validity but UTCTime is required for RFC compliance
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pyOpenSSL | New | Undecided | Unassigned |
Bug Description
Hi,
The full description of this bug report is here:
In short, set_notBefore and set_notAfter only support GeneralizedTime-formatted strings, but according to http://

> CAs conforming to this profile MUST always encode certificate
> validity dates through the year 2049 as UTCTime; certificate validity
> dates in 2050 or later MUST be encoded as GeneralizedTime.
While openssl is flexible with this restriction, other implementations may not be. For example, RouterOS (MikroTik's OS) fails to properly import these certificates and assumes a time of 0 (which is obviously a bug on their side as well, but nevertheless).
Since set_notBefore and set_notAfter accept a preformatted string, they should be able to handle both cases and leave the decision to the caller.
I did a quick patch which worked perfectly so please consider it for inclusion.
Thanks,
Stefanos
On second thought, the conversion in the patch should be reversed (i.e. first attempt ASN1_UTCTIME and then ASN1_GENERALIZEDTIME), or the check in the final block should be performed with ASN1_UTCTIME_* calls.
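As an added example (not part of this report, the reporter's patch, or pyOpenSSL itself), the following pure-Python helpers implement the RFC 5280 4.1.2.5 rule quoted above: they emit the encoding a conforming CA must use for a given date, accept both UTCTime and GeneralizedTime strings (the two-digit UTCTime year is interpreted as 1950-2049, as the RFC prescribes), and flag a GeneralizedTime string for a pre-2050 date, which is exactly what pyOpenSSL forces today, as non-compliant. The function names are my own; the time strings are the same shapes set_notBefore/set_notAfter consume.

```python
import re
from datetime import datetime, timezone

# Shapes allowed by RFC 5280 4.1.2.5: seconds and the trailing "Z" are
# mandatory; fractional seconds and local-time offsets are not permitted.
_UTCTIME = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
_GENTIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def encode_validity(dt):
    """UTCTime (YYMMDDHHMMSSZ) through 2049, GeneralizedTime
    (YYYYMMDDHHMMSSZ) from 2050 on. dt must be timezone-aware."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: validity dates must be UTC")
    dt = dt.astimezone(timezone.utc)
    if dt.year < 1950:
        raise ValueError("UTCTime cannot express years before 1950")
    fmt = "%y%m%d%H%M%SZ" if dt.year <= 2049 else "%Y%m%d%H%M%SZ"
    return dt.strftime(fmt)


def decode_validity(value):
    """Parse either encoding; return (kind, aware UTC datetime).
    UTCTime years 50..99 mean 1950..1999 and 00..49 mean 2000..2049."""
    m = _UTCTIME.match(value)
    if m:
        yy, *rest = (int(g) for g in m.groups())
        year = 1900 + yy if yy >= 50 else 2000 + yy
        return "UTCTime", datetime(year, *rest, tzinfo=timezone.utc)
    m = _GENTIME.match(value)
    if m:
        fields = [int(g) for g in m.groups()]
        return "GeneralizedTime", datetime(*fields, tzinfo=timezone.utc)
    raise ValueError("not an RFC 5280 UTCTime/GeneralizedTime: %r" % (value,))


def is_rfc5280_compliant(value):
    """True only if the string parses and its encoding matches the year rule,
    so "20240301120000Z" (GeneralizedTime for 2024) is rejected."""
    try:
        kind, dt = decode_validity(value)
    except ValueError:
        return False
    return kind == ("UTCTime" if dt.year <= 2049 else "GeneralizedTime")


def normalize_validity(value):
    """Re-encode any accepted time string into the RFC-compliant form."""
    return encode_validity(decode_validity(value)[1])
```

A caller could run normalize_validity on the value before handing it to set_notBefore/set_notAfter once pyOpenSSL accepts UTCTime, and is_rfc5280_compliant is a cheap check to add when auditing certificates issued by an internal CA.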