[SSL Observatory] validity timestamp formats: utcTime vs. generalizedTime, TZ embedded vs. not?
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sun Jan 23 21:00:13 PST 2011
Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
>has anyone run any analysis on the X.509 certs in the observatory that
>indicates whether the validity timestamps are properly encoded?
I haven't run into any of those for many years, and even when there were some
in use (~10 years ago) they were quite rare. I haven't looked at the
Observatory data for this, but I'd be pretty surprised if there were any in
there.
>PS this is related to http://bugs.debian.org/610806, which is about the
>behavior of GnuTLS in regard to times that don't meet the constraints laid
>down in RFC 5280.
Not sure if my post will make it onto the Debian list, but:
>However, section 4.1.2.5 also says:
>
> Conforming applications MUST be able to process validity dates that
> are encoded in either UTCTime or GeneralizedTime.
PKI RFCs often contain redundant and slightly differently-phrased versions of
the same thing in different locations, so you have to learn to filter out the
fluff when reading them. In this case it's just repeating what's already been
said, that you need to be able to process both UTCTime and GeneralizedTime
dates subject to the constraints already given earlier.
BTW here's what dumpasn1 says about the cert:
0 484: SEQUENCE {
4 333: SEQUENCE {
8 3: [0] {
10 1: INTEGER 2
: }
13 1: INTEGER 1
16 13: SEQUENCE {
18 9: OBJECT IDENTIFIER sha1withRSAEncryption (1 2 840 113549 1 1
5)
29 0: NULL
: }
31 50: SEQUENCE {
33 48: SET {
35 46: SEQUENCE {
37 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
42 39: PrintableString 'fake test cert with TZ America/New_York'
: Error: PrintableString contains illegal character(s).
: }
: }
: }
83 42: SEQUENCE {
85 19: GeneralizedTime '20110122133408-0500'
: Error: Time is encoded incorrectly.
106 19: GeneralizedTime '20120122133408-0500'
: Error: Time is encoded incorrectly.
: }
127 50: SEQUENCE {
129 48: SET {
131 46: SEQUENCE {
133 3: OBJECT IDENTIFIER commonName (2 5 4 3)
138 39: PrintableString 'fake test cert with TZ America/New_York'
: Error: PrintableString contains illegal character(s).
: }
: }
: }
179 159: SEQUENCE {
182 13: SEQUENCE {
184 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
195 0: NULL
: }
197 141: BIT STRING, encapsulates {
201 137: SEQUENCE {
204 129: INTEGER
: 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: [ Another 1 bytes skipped ]
336 3: INTEGER 65537
: }
: }
: }
: }
341 13: SEQUENCE {
343 9: OBJECT IDENTIFIER sha1withRSAEncryption (1 2 840 113549 1 1 5)
354 0: NULL
: }
356 129: BIT STRING
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: }
0 warnings, 4 errors.
IMO neither GnuTLS nor OpenSSL (nor anything for that matter) should even
accept a cert like that (and it's not just OSS that does this, Windows accepts
and installs it without any problems).
Peter.
More information about the Observatory
mailing list