Daniel Kahn Gillmor <d...@fifthhorseman.net> writes:

> Package: libgnutls26
> Version: 2.10.4-1
> Severity: normal
>
> it looks like gnutls is not appropriately parsing generalizedTime
> objects (e.g. in Validity|notBefore and Validity|notAfter fields in
> X.509 certificates).
>
> Attached are two (invalid) X.509 certificates. one contains Validity
> timestamps using generalizedTime with TZ=UTC. the other contains
> Validity timestamps using generalizedTime with TZ=Americas/New_York
> (suffixed with "-0500" instead of "Z"):
>
> 0 dkg@pip:~$ < UTC.pem grep -v ^- | base64 -d | strings
> 0%1#0!
> fake test cert with TZ UTC0"
> 20110122183419Z
> 20120122183419Z0%1#0!
> fake test cert with TZ UTC0
> 0 dkg@pip:~$ < America.New_York.pem grep -v ^- | base64 -d | strings
> 02100.
> 'fake test cert with TZ America/New_York0*
> 20110122133408-0500
> 20120122133408-050002100.
> 'fake test cert with TZ America/New_York0
> 0 dkg@pip:~/src/monkeysphere/fakex509$

RFC 5280 says:

   4.1.2.5.2.  GeneralizedTime

   The generalized time type, GeneralizedTime, is a standard ASN.1 type
   for variable precision representation of time.  Optionally, the
   GeneralizedTime field can include a representation of the time
   differential between local and Greenwich Mean Time.

   For the purposes of this profile, GeneralizedTime values MUST be
   expressed in Greenwich Mean Time (Zulu) and MUST include seconds
   (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds
   is zero.  GeneralizedTime values MUST NOT include fractional seconds.

It is not clear to me whether your timestamps that fail with GnuTLS
conform to this requirement or not?

/Simon
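
Added example, not part of either message and not GnuTLS code: a Python check of the RFC 5280 section 4.1.2.5.2 profile quoted above, applied to the notBefore/notAfter strings shown in the report. The function names and the two constructed DER Validity values are assumptions made for illustration; only short-form DER lengths are handled.

```python
import re
from datetime import datetime, timezone

GENERALIZED_TIME, SEQUENCE = 0x18, 0x30  # ASN.1 universal tags

def check_generalized_time(value):
    """Check one GeneralizedTime string; returns (ok, reason, datetime or None)."""
    if "." in value or "," in value:
        return False, "fractional seconds are not allowed", None
    if re.search(r"[+-]\d{2}(\d{2})?$", value):
        return False, "time differential present, must end in Z", None
    if not value.endswith("Z"):
        return False, "local time without Z", None
    if not re.fullmatch(r"\d{14}Z", value):
        return False, "must be exactly YYYYMMDDHHMMSSZ, seconds included", None
    try:
        parsed = datetime.strptime(value[:-1], "%Y%m%d%H%M%S")
    except ValueError:
        return False, "not a valid calendar date/time", None
    return True, "ok", parsed.replace(tzinfo=timezone.utc)

def read_tlv(buf, pos):
    """Read one DER TLV with a short-form length (< 128 bytes)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("truncated TLV or long-form length (not handled here)")
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def check_validity(der):
    """Check each GeneralizedTime in a DER Validity SEQUENCE; UTCTime is skipped."""
    tag, body, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    results, pos = [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag == GENERALIZED_TIME:
            results.append(check_generalized_time(content.decode("ascii")))
    return results

def make_validity(not_before, not_after):
    """Build a constructed DER Validity SEQUENCE from two GeneralizedTime strings."""
    tlv = lambda tag, content: bytes([tag, len(content)]) + content
    return tlv(SEQUENCE, tlv(GENERALIZED_TIME, not_before) + tlv(GENERALIZED_TIME, not_after))

# Constructed samples carrying the timestamps quoted in the report.
UTC_VALIDITY = make_validity(b"20110122183419Z", b"20120122183419Z")
NY_VALIDITY = make_validity(b"20110122133408-0500", b"20120122133408-0500")
```

check_validity(UTC_VALIDITY) accepts both timestamps, while check_validity(NY_VALIDITY) rejects both with the "time differential" reason.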