Daniel Kahn Gillmor <d...@fifthhorseman.net> writes: >has anyone run any analysis on the X.509 certs in the observatory that >indicates whether the validity timestamps are properly encoded?
I haven't run into any of those for many years, and even when there were some in use (~10 years ago) they were quite rare. I haven't looked at the Observatory data for this, but I'd be pretty surprised if there were any in there. >PS this is related to http://bugs.debian.org/610806, which is about the >behavior of GnuTLS in regard to times that don't meet the constraints laid >down in RFC 5280. Not sure if my post will make it onto the Debian list, but: >However, section 4.1.2.5 also says: > > Conforming applications MUST be able to process validity dates that > are encoded in either UTCTime or GeneralizedTime. PKI RFCs often contain redundant and slightly differently-phrased versions of the same thing in different locations, so you have to learn to filter out the fluff when reading them. In this case it's just repeating what's already been said, that you need to be able to process both UTCTime and GeneralizedTime dates subject to the constraints already given earlier. BTW here's what dumpasn1 says about the cert: 0 484: SEQUENCE { 4 333: SEQUENCE { 8 3: [0] { 10 1: INTEGER 2 : } 13 1: INTEGER 1 16 13: SEQUENCE { 18 9: OBJECT IDENTIFIER sha1withRSAEncryption (1 2 840 113549 1 1 5) 29 0: NULL : } 31 50: SEQUENCE { 33 48: SET { 35 46: SEQUENCE { 37 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 42 39: PrintableString 'fake test cert with TZ America/New_York' : Error: PrintableString contains illegal character(s). : } : } : } 83 42: SEQUENCE { 85 19: GeneralizedTime '20110122133408-0500' : Error: Time is encoded incorrectly. 106 19: GeneralizedTime '20120122133408-0500' : Error: Time is encoded incorrectly. : } 127 50: SEQUENCE { 129 48: SET { 131 46: SEQUENCE { 133 3: OBJECT IDENTIFIER commonName (2 5 4 3) 138 39: PrintableString 'fake test cert with TZ America/New_York' : Error: PrintableString contains illegal character(s). : } : } : } 179 159: SEQUENCE { 182 13: SEQUENCE { 184 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1) 195 0: NULL : } 197 141: BIT STRING, encapsulates { 201 137: SEQUENCE { 204 129: INTEGER : 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : [ Another 1 bytes skipped ] 336 3: INTEGER 65537 : } : } : } : } 341 13: SEQUENCE { 343 9: OBJECT IDENTIFIER sha1withRSAEncryption (1 2 840 113549 1 1 5) 354 0: NULL : } 356 129: BIT STRING : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : } 0 warnings, 4 errors. IMO neither GnuTLS nor OpenSSL (nor anything for that matter) should even accept a cert like that (and it's not just OSS that does this, Windows accepts and installs it without any problems). Peter. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
