Package: libgnutls26
Version: 2.10.4-1
Severity: normal

it looks like gnutls is not appropriately parsing generalizedTime objects (e.g. in Validity|notBefore and Validity|notAfter fields in X.509 certificates).

Attached are two (invalid) X.509 certificates. one contains Validity timestamps using generalizedTime with TZ=UTC. the other contains Validity timestamps using generalizedTime with TZ=Americas/New_York (suffixed with "-0500" instead of "Z"):

0 dkg@pip:~$ < UTC.pem grep -v ^- | base64 -d | strings
0%1#0!
fake test cert with TZ UTC0"
20110122183419Z
20120122183419Z0%1#0!
fake test cert with TZ UTC0
0 dkg@pip:~$ < America.New_York.pem grep -v ^- | base64 -d | strings
02100.
'fake test cert with TZ America/New_York0*
20110122133408-0500
20120122133408-050002100.
'fake test cert with TZ America/New_York0
0 dkg@pip:~/src/monkeysphere/fakex509$

OpenSSL seems to parse the timestamps in the certificate correctly; GnuTLS reports them as (time_t)-1:

0 dkg@pip:~/src/monkeysphere/fakex509$ < America.New_York.pem openssl x509 -text | grep -A2 Validity
        Validity
            Not Before: Jan 22 13:34:08 2011
            Not After : Jan 22 13:34:08 2012
0 dkg@pip:~/src/monkeysphere/fakex509$ < UTC.pem openssl x509 -text | grep -A2 Validity
        Validity
            Not Before: Jan 22 18:34:19 2011 GMT
            Not After : Jan 22 18:34:19 2012 GMT
0 dkg@pip:~/src/monkeysphere/fakex509$ < America.New_York.pem certtool -i | grep -A2 Validity
        Validity:
                Not Before: Wed Dec 31 23:59:59 UTC 1969
                Not After: Wed Dec 31 23:59:59 UTC 1969
0 dkg@pip:~/src/monkeysphere/fakex509$ < UTC.pem certtool -i | grep -A2 Validity
        Validity:
                Not Before: Sat Jan 22 18:34:19 UTC 2011
                Not After: Sun Jan 22 18:34:19 UTC 2012
0 dkg@pip:~/src/monkeysphere/fakex509$

I'm not sure of the appropriate place to fix this, but i suspect it's within libgnutls. If you feel it should be reassigned to libtasn1, that might be reasonable too.

If i'm totally wrong and generalizedTime fields shouldn't be able to contain time zones like this, i'd appreciate a reference to that; then i'll go file bugs against several other tools :)

Regards,

        --dkg

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.37-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libgnutls26 depends on:
ii  libc6             2.11.2-7           Embedded GNU C Library: Shared lib
ii  libgcrypt11       1.4.6-4            LGPL Crypto library - runtime libr
ii  libgpg-error0     1.10-0.2           library for common error values an
ii  libtasn1-3        2.7-1              Manage ASN.1 structures (runtime)
ii  zlib1g            1:1.2.3.4.dfsg-3   compression library - runtime

libgnutls26 recommends no packages.

Versions of packages libgnutls26 suggests:
ii  gnutls-bin        2.10.4-1           the GNU TLS library - commandline

-- no debconf information
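
Added example (not part of the original report, and not GnuTLS or libtasn1 code): a minimal C parser for the two GeneralizedTime forms shown above, which applies a "+hhmm"/"-hhmm" offset to obtain UTC and signals failure through its return code instead of the (time_t)-1 sentinel that certtool rendered as Dec 31 23:59:59 1969. The names gt_parse, digits and days_from_civil and the require_utc switch are assumptions made for this example; require_utc models a caller enforcing RFC 5280 section 4.1.2.5.2, which requires the "Z" form in certificate validity fields.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Read n decimal digits at p; -1 if any character is not a digit. */
static int digits(const char *p, int n)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (!isdigit((unsigned char)p[i])) return -1;
        v = v * 10 + (p[i] - '0');
    }
    return v;
}

/* Days from 1970-01-01 to y-m-d (proleptic Gregorian calendar). */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int yoe = (int)(y - era * 400);
    int doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Parse "YYYYMMDDHHMMSS" plus "Z" or "+hhmm"/"-hhmm" (hypothetical helper).
 * Returns 0 and stores UTC epoch seconds in *out, or -1 on error.
 * require_utc accepts only "Z". Day-of-month is range-checked only. */
int gt_parse(const char *s, int require_utc, int64_t *out)
{
    size_t len = strlen(s);
    if (len != 15 && len != 19) return -1;
    int Y = digits(s, 4), M = digits(s + 4, 2), D = digits(s + 6, 2);
    int h = digits(s + 8, 2), mi = digits(s + 10, 2), sec = digits(s + 12, 2);
    if (Y < 0 || M < 1 || M > 12 || D < 1 || D > 31 ||
        h < 0 || h > 23 || mi < 0 || mi > 59 || sec < 0 || sec > 59)
        return -1;
    int64_t off = 0;
    if (len == 15 && s[14] != 'Z') return -1;
    if (len == 19) {
        int oh = digits(s + 15, 2), om = digits(s + 17, 2);
        if (require_utc || (s[14] != '+' && s[14] != '-') ||
            oh < 0 || oh > 23 || om < 0 || om > 59)
            return -1;
        off = (s[14] == '-' ? -1 : 1) * (oh * 3600 + om * 60);
    }
    *out = days_from_civil(Y, M, D) * 86400 + h * 3600 + mi * 60 + sec - off;
    return 0;
}
```

Because the status is separate from the value, the legitimate input 19691231235959Z still parses to -1 with a success return, while a malformed or rejected string can never be displayed as a 1969 validity date.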