Generate valid time values in ca program #3444
Comments
|
From the Debian bug report: Just for the record, the latest openssl (1.1.1-dev from Github) accepts [SS] is optional, <+|-> = either + or - must be present
Regarding RFC5280 in both cases (UTCTime and GeneralizedTime) the See RFC5280 '4.1.2.5.1. UTCTime' and '4.1.2.5.2. GeneralizedTime'. OpenSSL relies on their ASN.1 code to check for validity, which is |
|
Hi guys, I have made a fix for this issue. For UTC time, the format of time string is limited to 'YYMMDDHHMMSSZ', and for GeneralizedTime is 'YYYYMMDDHHMMSSZ', without +/- and fractional seconds support. |
Fixes issue openssl#3444. This one is used to enforce strict format (RFC 5280) check and to convert GeneralizedTime to UTCTime. apps/ca has been changed to use the new API. Test cases and documentation are updated/added Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Make funcs to deal with non-null-term'd string in both asn1_generalizedtime_to_tm() and asn1_utctime_to_tm(). Fixes issue #3444. This one is used to enforce strict format (RFC 5280) check and to convert GeneralizedTime to UTCTime. apps/ca has been changed to use the new API. Test cases and documentation are updated/added Signed-off-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3566)
|
closing, okay @kroeckx ? |
I just found 2 bugs reports that point out that the openssl ca app just puts -startdate and -enddate into the certificate as it was specified on the command line even when it was invalid. We should either reject them or normalize them.
Bugs:
https://gitlab.com/gnutls/gnutls/issues/196
https://bugs.debian.org/862335
The text was updated successfully, but these errors were encountered: