Fencepost errors in certificate and OCSP validity

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Recently, the EJBCA developers publicly warned (via the Mozilla root store
policy mailing list) other CA vendors that they had incorrectly implemented
the handling of the "notAfter" X509 field, resulting in certificates that
lasted 1 second longer than intended.

Prompted by this warning, I checked what the OpenSSL code does, and it seems
to be a bit more buggy:

x509_vfy.c seems to be a bit ambivalent if certificate validity should be
inclusive or exclusive of the time values in the certificate.

apps.c seems to convert the validity duration in days as if the notAfter
field is exclusive, but the notBefore field is inclusive.

PKIX (RFC5280) says that both timestamps are inclusive, X.509 (10/2012) says
nothing about this aspect of the interpretation of the validity structure.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded 	




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux