Recently, the EJBCA developers publicly warned (via the Mozilla root store
policy mailing list) other CA vendors that they had incorrectly implemented
the handling of the "notAfter" X509 field, resulting in certificates that
lasted 1 second longer than intended.
Prompted by this warning, I checked what the OpenSSL code does, and it
seems to be a bit more buggy:
x509_vfy.c seems to be a bit ambivalent if certificate validity should be
inclusive or exclusive of the time values in the certificate.
apps.c seems to convert the validity duration in days as if the notAfter
field is exclusive, but the notBefore field is inclusive.
PKIX (RFC5280) says that both timestamps are inclusive; X.509 (10/2012) says
nothing about this aspect of the interpretation of the validity structure.
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
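As an added illustration of the fencepost issue described above (example code written for this page, not from the thread, from OpenSSL or from EJBCA; all function names are my own), the following shows the RFC 5280 inclusive interpretation next to the off-by-one variant, and an inclusive validity check:

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def parse_generalized_time(s: str) -> datetime:
    """Constructed helper for the YYYYMMDDHHMMSSZ GeneralizedTime form."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def not_after_for_days(not_before: datetime, days: int) -> datetime:
    """notAfter for a validity period of exactly `days` days.

    RFC 5280 section 4.1.2.5 makes both notBefore and notAfter inclusive,
    so the last valid second is one second before notBefore + days.
    """
    return not_before + timedelta(days=days) - timedelta(seconds=1)


def not_after_off_by_one(not_before: datetime, days: int) -> datetime:
    """The fencepost variant: notAfter treated as if it were exclusive.

    The resulting certificate is valid for days*86400 + 1 seconds, the
    "1 second longer than intended" the thread refers to.
    """
    return not_before + timedelta(days=days)


def validity_seconds(not_before: datetime, not_after: datetime) -> int:
    """Inclusive length of the validity period in whole seconds."""
    return int((not_after - not_before).total_seconds()) + 1


def is_valid_at(now: datetime, not_before: datetime, not_after: datetime) -> bool:
    """Validity check inclusive on both ends, as PKIX specifies."""
    return not_before <= now <= not_after


if __name__ == "__main__":
    nb = parse_generalized_time("20201028000000Z")  # constructed sample
    print(not_after_for_days(nb, 1), validity_seconds(nb, not_after_for_days(nb, 1)))
    print(not_after_off_by_one(nb, 1), validity_seconds(nb, not_after_off_by_one(nb, 1)))
```

A CA that wants a 398-day period under the inclusive reading must therefore subtract that final second, and a checker measuring the period should add it back.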
Re: Fencepost errors in certificate and OCSP validity
On Wed, Oct 28, 2020 at 04:32:56PM +0100, Jakob Bohm via openssl-users wrote:
> Recently, the EJBCA developers publicly warned (via the Mozilla root store
> policy mailing list) other CA vendors that they had incorrectly implemented
> the handling of the "notAfter" X509 field, resulting in certificates that
> lasted 1 second longer than intended.
I think that's patently ridiculous. I'm inclined to dismiss any bug
reports along these lines with prejudice.