Bug#610806: libgnutls26 appears to mis-parse GeneralizedTime objects that use a non-UTC time

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Jan 22 18:46:27 UTC 2011


Package: libgnutls26
Version: 2.10.4-1
Severity: normal

it looks like gnutls is not appropriately parsing generalizedTime
objects (e.g. in Validity|notBefore and Validity|notAfter fields in
X.509 certificates).

Attached are two (invalid) X.509 certificates.  one contains Validity
timestamps using generalizedTime with TZ=UTC.  the other contains
Validity timestamps using generalizedTime with TZ=America/New_York
(suffixed with "-0500" instead of "Z"):

0 dkg at pip:~$ < UTC.pem grep -v ^- | base64 -d | strings
0%1#0!
fake test cert with TZ UTC0"
20110122183419Z
20120122183419Z0%1#0!
fake test cert with TZ UTC0
0 dkg at pip:~$ < America.New_York.pem grep -v ^- | base64 -d | strings
02100.
'fake test cert with TZ America/New_York0*
20110122133408-0500
20120122133408-050002100.
'fake test cert with TZ America/New_York0
0 dkg at pip:~/src/monkeysphere/fakex509$ 


OpenSSL seems to parse the timestamps in the certificate correctly;
GnuTLS reports them as (time_t)-1:

0 dkg at pip:~/src/monkeysphere/fakex509$ < America.New_York.pem openssl x509 -text | grep -A2 Validity
        Validity
            Not Before: Jan 22 13:34:08 2011
            Not After : Jan 22 13:34:08 2012
0 dkg at pip:~/src/monkeysphere/fakex509$ < UTC.pem openssl x509 -text | grep -A2 Validity
        Validity
            Not Before: Jan 22 18:34:19 2011 GMT
            Not After : Jan 22 18:34:19 2012 GMT
0 dkg at pip:~/src/monkeysphere/fakex509$ < America.New_York.pem certtool -i | grep -A2 Validity
	Validity:
		Not Before: Wed Dec 31 23:59:59 UTC 1969
		Not After: Wed Dec 31 23:59:59 UTC 1969
0 dkg at pip:~/src/monkeysphere/fakex509$ < UTC.pem certtool -i | grep -A2 Validity
	Validity:
		Not Before: Sat Jan 22 18:34:19 UTC 2011
		Not After: Sun Jan 22 18:34:19 UTC 2012
0 dkg at pip:~/src/monkeysphere/fakex509$ 

I'm not sure of the appropriate place to fix this, but i suspect it's
within libgnutls.  If you feel it should be reassigned to libtasn1,
that might be reasonable too.

If i'm totally wrong and generalizedTime fields shouldn't be able to
contain time zones like this, i'd appreciate a reference to that; then
i'll go file bugs against several other tools :)

Regards,

        --dkg

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.37-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libgnutls26 depends on:
ii  libc6                   2.11.2-7         Embedded GNU C Library: Shared lib
ii  libgcrypt11             1.4.6-4          LGPL Crypto library - runtime libr
ii  libgpg-error0           1.10-0.2         library for common error values an
ii  libtasn1-3              2.7-1            Manage ASN.1 structures (runtime)
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

libgnutls26 recommends no packages.

Versions of packages libgnutls26 suggests:
ii  gnutls-bin                    2.10.4-1   the GNU TLS library - commandline 

-- no debconf information