3.1.0: date(1) command sensitive to LC_TIME locale, causing date parse failures if locale's time/date formats differ from C/POSIX [FreeBSD 13.1] #591

Closed
mandree opened this issue Jun 5, 2022 · 6 comments

@mandree

mandree commented Jun 5, 2022

On FreeBSD 13.1, with LANG=de_DE.UTF-8 or LC_TIME=fr_FR.UTF-8,
I get Failed conversion of ``Jun 12 02:02:02 1999 GMT'' using format ``%b %d %T %Y %Z'' and date: illegal time format failures building a server:

$ bash
$ easyrsa build-server-full mynewserv6 nopass |& tee log6
...
Keypair and certificate request completed. Your files are:
req: /tmp/try21/pki/reqs/mynewserv6.req
key: /tmp/try21/pki/private/mynewserv6.key

Failed conversion of ``Jun 12 02:02:02 1999 GMT'' using format ``%b %d %T %Y %Z''
date: illegal time format
usage: date [-jnRu] [-I[date|hours|minutes|seconds]] [-f input_fmt]
            [-r filename|seconds] [-v[+|-]val[y|m|w|d|H|M|S]]
            [[[[[[cc]yy]mm]dd]HH]MM[.SS] | new_date] [+output_fmt]
Failed conversion of ``Jun 12 02:02:02 1999 GMT'' using format ``%b %d %T %Y %Z''
date: illegal time format
usage: date [-jnRu] [-I[date|hours|minutes|seconds]] [-f input_fmt]
            [-r filename|seconds] [-v[+|-]val[y|m|w|d|H|M|S]]
            [[[[[[cc]yy]mm]dd]HH]MM[.SS] | new_date] [+output_fmt]
Using configuration from /tmp/try21/pki/e2bcb465/temp.2d7e8186
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'mynewserv6'
Certificate is to be certified until Sep  7 04:58:22 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

* Notice:
Certificate created at: /tmp/try21/pki/issued/mynewserv6.crt

The workaround, and possibly solution, is to override LC_TIME=C or LC_TIME=C.UTF-8 or LC_TIME=POSIX.

This is my relevant locale configuration:

$ env | grep -E LANG\|LC_ ; echo ; locale
LANG=de_DE.UTF-8

LANG=de_DE.UTF-8
LC_CTYPE="de_DE.UTF-8"
LC_COLLATE="de_DE.UTF-8"
LC_TIME="de_DE.UTF-8"
LC_NUMERIC="de_DE.UTF-8"
LC_MONETARY="de_DE.UTF-8"
LC_MESSAGES="de_DE.UTF-8"
LC_ALL=
$ easyrsa version
EasyRSA Version Information
Version:     3.1.0
Generated:   Wed May 18 20:53:50 CDT 2022
SSL Lib:     OpenSSL 1.1.1o-freebsd  3 May 2022
Git Commit:  1600b3fe9bd71e229b8648cd24206c55917b2f9b
Source Repo: https://github.com/OpenVPN/easy-rsa
@mandree
Author

mandree commented Jun 5, 2022

Minimal reproducer in sh-like shells.

( export LANG=el_GR.UTF-8 ; export EASYRSA_BATCH=1 ; export EASYRSA_REQ_CN="My CommonName" ; easyrsa init-pki ; easyrsa build-ca nopass ; easyrsa build-server-full myserver nopass )

Note that LC_ALL is actually quite brutal as it would override an LC_TIME setting, so for enhanced testing:

( export LC_ALL=el_GR.UTF-8 ; export EASYRSA_BATCH=1 ; export EASYRSA_REQ_CN="My CommonName" ; easyrsa init-pki ; easyrsa build-ca nopass ; easyrsa build-server-full myserver nopass )

@TinCanTech
Collaborator

@mandree Thanks for testing and this detailed report.

cert_dates() function is quite fragile. I am working on it for v3.1.1

@mandree
Author

mandree commented Jun 5, 2022

This is the brute-force patch I am using downstream in our 3.1.0_2 package:
https://cgit.freebsd.org/ports/tree/security/easy-rsa/files/patch-easyrsa?id=32877d0369a1bf4ac1cbd0a6c11ac3347bb5653b

@TinCanTech TinCanTech self-assigned this Jun 5, 2022
@TinCanTech TinCanTech added BUG Priority Acknowledged priority labels Jun 5, 2022
@TinCanTech TinCanTech added this to the v3.1.1-RC1 milestone Jun 5, 2022
@TinCanTech
Collaborator

@mandree Please test this patch:

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 1a9c4f8..dbcb791 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -2114,19 +2114,19 @@ Non-decimal value for EASYRSA_FIX_OFFSET: '$EASYRSA_FIX_OFFSET'"
        # OS dependencies
        case "$easyrsa_uname" in
        "Darwin"|*"BSD")
-               now_sec="$(date -j +%s)"
-               expire_date="$(date -j -f '%b %d %T %Y %Z' "$crt_not_after")"
-               expire_date_s="$(date -j -f '%b %d %T %Y %Z' "$crt_not_after" +%s)"
+               now_sec="$(LC_ALL=C date -j +%s)"
+               expire_date="$(LC_ALL=C date -j -f '%b %d %T %Y %Z' "$crt_not_after")"
+               expire_date_s="$(LC_ALL=C date -j -f '%b %d %T %Y %Z' "$crt_not_after" +%s)"
                allow_renew_date_s="$(( now_sec + EASYRSA_CERT_RENEW * 86400 ))"
 
                if [ "$EASYRSA_FIX_OFFSET" ]; then
                        start_fix_sec="$(
-                               date -j -f '%Y%m%d%H%M%S' "${this_year}0101000000" +%s
+                               LC_ALL=C date -j -f '%Y%m%d%H%M%S' "${this_year}0101000000" +%s
                                )"
                        end_fix_sec="$(( start_fix_sec + fix_days * 86400 ))"
                        # Convert to date-stamps for SSL input
-                       start_fixdate="$(date -j -r "$start_fix_sec" +%Y%m%d%H%M%SZ)"
-                       end_fixdate="$(date -j -r "$end_fix_sec" +%Y%m%d%H%M%SZ)"
+                       start_fixdate="$(LC_ALL=C date -j -r "$start_fix_sec" +%Y%m%d%H%M%SZ)"
+                       end_fixdate="$(LC_ALL=C date -j -r "$end_fix_sec" +%Y%m%d%H%M%SZ)"
                fi
        ;;
        *)
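
Review bot: The two `-f '%b %d %T %Y %Z'` conversions of `$crt_not_after` still have no failure check, so when `date` rejects the input, `expire_date` and `expire_date_s` are left empty and the function carries on; the log in the report shows the certificate being issued after two "illegal time format" errors. Consider aborting with an error when either substitution fails. A smaller point: `LC_ALL=C` matters for the `%b` parse, while the `+%s` and `+%Y%m%d%H%M%SZ` calls only handle digits, so the prefix there is harmless but redundant; setting the locale once before the `case "$easyrsa_uname"` block would be shorter and would also cover the `*)` branch that this hunk leaves unchanged.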

Obviously, this only addresses Darwin|*BSD; however, if it looks reliable then something similar can be applied more globally, in time.

Thanks for your help!
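
A locale-independent way to do the conversion that fails in this report, as an added example that is not EasyRSA code or part of the patch above: it turns an OpenSSL `notAfter` string into epoch seconds with shell arithmetic only, so neither `LC_TIME` nor BSD/GNU `date` differences can affect it. The function name `notafter_to_epoch` is hypothetical, and the input is assumed to have the `Mon DD HH:MM:SS YYYY GMT` layout seen in the log.

```shell
#!/bin/sh
# Added example (not EasyRSA code). notafter_to_epoch is a hypothetical
# helper: "Jun 12 02:02:02 1999 GMT" -> seconds since 1970-01-01 UTC.
# No date(1) call, so the locale cannot change the result.

notafter_to_epoch() (
    # Subshell body: variables stay local, "exit" only leaves the function.
    set -f        # no globbing while the argument is word-split
    set -- $1     # fields: Mon DD HH:MM:SS YYYY GMT
    [ "$#" -eq 5 ] && [ "$5" = GMT ] || exit 1

    case "$1" in  # English abbreviations, as in the OpenSSL output above
        Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;; Apr) m=4 ;;
        May) m=5 ;; Jun) m=6 ;; Jul) m=7 ;; Aug) m=8 ;;
        Sep) m=9 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) exit 1 ;;  # e.g. a localized month name: refuse, do not guess
    esac

    # Format checks only; anything unexpected is an error, not an empty value.
    case "$2" in [0-9]|[0-9][0-9]) ;; *) exit 1 ;; esac
    case "$3" in [0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ;; *) exit 1 ;; esac
    case "$4" in [0-9][0-9][0-9][0-9]) ;; *) exit 1 ;; esac

    # Strip one leading zero so "08" is not read as invalid octal.
    d=${2#0}
    hh=${3%%:*}; hh=${hh#0}
    mm=${3#*:};  mm=${mm%:*}; mm=${mm#0}
    ss=${3##*:}; ss=${ss#0}
    y=$4

    # Days since 1970-01-01 in the proleptic Gregorian calendar.
    # The year is shifted to start in March so the leap day comes last.
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    mp=$(( (m + 9) % 12 ))                  # March=0 ... February=11
    era=$(( y / 400 ))
    yoe=$(( y - era * 400 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    days=$(( era * 146097 + doe - 719468 ))

    echo $(( days * 86400 + hh * 3600 + mm * 60 + ss ))
)

# Constructed usage: the date string from the error message in the report.
notafter_to_epoch "Jun 12 02:02:02 1999 GMT"   # prints 929152922
```

A caller should test the exit status and stop on failure instead of continuing with an empty value.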

@TinCanTech
Collaborator

Linking #593

@TinCanTech
Collaborator

I believe this should be fully addressed by #595

Testing/feedback welcome.
