Fencepost errors in certificate and OCSP validity

Fencepost errors in certificate and OCSP validity

OpenSSL - User mailing list
Recently, the EJBCA developers publicly warned (via the Mozilla root store
policy mailing list) other CA vendors that they had incorrectly implemented
the handling of the "notAfter" X509 field, resulting in certificates that
lasted 1 second longer than intended.

Prompted by this warning, I checked what the OpenSSL code does, and it seems
to be a bit more buggy:

x509_vfy.c seems to be a bit ambivalent about whether certificate validity
should be inclusive or exclusive of the time values in the certificate.

apps.c seems to convert the validity duration in days as if the notAfter
field is exclusive, but the notBefore field is inclusive.

PKIX (RFC5280) says that both timestamps are inclusive, X.509 (10/2012) says
nothing about this aspect of the interpretation of the validity structure.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
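As an added illustration (not code from this thread, from EJBCA or from OpenSSL), the inclusive-versus-exclusive distinction the post describes, worked in Python: parsing the two RFC 5280 time encodings, the RFC 5280 inclusive validity test, and the two ways of deriving notAfter from a duration in days, one of which produces the one-extra-second fencepost. The timestamps and the 365-day duration are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

def parse_x509_time(s):
    """Parse the two time encodings RFC 5280 allows in Validity:
    UTCTime 'YYMMDDHHMMSSZ' (years 1950-2049) and GeneralizedTime
    'YYYYMMDDHHMMSSZ'. Both have one-second resolution, which is why
    a fencepost error shows up as exactly one extra second."""
    if not s.endswith("Z"):
        raise ValueError("RFC 5280 requires Zulu time: %r" % s)
    if len(s) == 13:                       # UTCTime
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = s[2:12]
    elif len(s) == 15:                     # GeneralizedTime
        year = int(s[:4])
        rest = s[4:14]
    else:
        raise ValueError("unrecognised X.509 time: %r" % s)
    mo, d, h, mi, sec = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mo, d, h, mi, sec, tzinfo=timezone.utc)

# Constructed example: a certificate meant to be valid for exactly 365 days.
NOT_BEFORE = parse_x509_time("201028153256Z")
VALIDITY_DAYS = 365

def not_after_exclusive(not_before, days):
    """Fencepost-prone derivation: notBefore + N days. Because RFC 5280
    treats notAfter as inclusive, the certificate is then accepted for
    N days plus one second."""
    return not_before + timedelta(days=days)

def not_after_inclusive(not_before, days):
    """RFC 5280-consistent derivation: the last accepted second is one
    second before notBefore + N days."""
    return not_before + timedelta(days=days) - timedelta(seconds=1)

def is_valid_at(now, not_before, not_after):
    """RFC 5280 section 4.1.2.5: the validity period runs from notBefore
    through notAfter, both endpoints inclusive."""
    return not_before <= now <= not_after

def validity_seconds(not_before, not_after):
    """Number of one-second timestamps at which is_valid_at() is true."""
    return int((not_after - not_before).total_seconds()) + 1

if __name__ == "__main__":
    for f in (not_after_exclusive, not_after_inclusive):
        na = f(NOT_BEFORE, VALIDITY_DAYS)
        print(f.__name__, na.isoformat(), validity_seconds(NOT_BEFORE, na))
```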

Re: Fencepost errors in certificate and OCSP validity

Viktor Dukhovni
On Wed, Oct 28, 2020 at 04:32:56PM +0100, Jakob Bohm via openssl-users wrote:

> Recently, the EJBCA developers publicly warned (via the Mozilla root store
> policy mailing list) other CA vendors that they had incorrectly implemented
> the handling of the "notAfter" X509 field, resulting in certificates that
> lasted 1 second longer than intended.

I think that's patently ridiculous.  I'm inclined to dismiss any bug
reports along these lines with prejudice.

--
    Viktor.