[Pkg-openssl-devel] Bug#449553: Wrong "Not After" date if too many days specified - time_t overflow?

Adam Majer adamm at zombino.com
Tue Nov 6 16:21:54 UTC 2007


Package: openssl
Version: 0.9.8e-9
Severity: important

Trying to generate a certificate that is too far in the future seems
to result in invalid dates, at least as portrayed by the openssl
utility. This may be a cosmetic thing and the certificate is still
correct, but as is, the dates are wrong.


The following is about 12 years into the future:

adamm@mira:/tmp/t$ openssl ca -in t -out cert.pem -keyfile privkey.pem -selfsign -days 13650 -outdir `pwd`
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for privkey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 3 (0x3)
        Validity
            Not Before: Nov  6 16:11:48 2007 GMT
            Not After : Feb 13 09:43:32 1909 GMT
        Subject:
            countryName               = CA
            stateOrProvinceName       = Man
            organizationName          = Widget
            organizationalUnitName    = test
            commonName                = zombino
            emailAddress              = test at galsoft.net
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                E4:E4:B2:15:36:D9:68:1B:06:FD:C3:6C:90:19:A8:AA:CD:BF:8D:D7
            X509v3 Authority Key Identifier: 
                keyid:E4:E4:B2:15:36:D9:68:1B:06:FD:C3:6C:90:19:A8:AA:CD:BF:8D:D7

Certificate is to be certified until Sep  2 13:09:43 2019 GMT (13650 days)
Sign the certificate? [y/n]:


which gives the correct "certificate valid until" date, but Not After is
messed up. If I go 10x that amount, both numbers will be wrong:


adamm@mira:/tmp/t$ openssl ca -in t -out cert.pem -keyfile privkey.pem -selfsign -days 136500 -outdir `pwd`
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for privkey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 3 (0x3)
        Validity
            Not Before: Nov  6 16:19:23 2007 GMT
            Not After : Apr  7 20:54:35 1973 GMT
        Subject:
            countryName               = CA
            stateOrProvinceName       = Man
            organizationName          = Widget
            organizationalUnitName    = test
            commonName                = zombino
            emailAddress              = test at galsoft.net
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                E4:E4:B2:15:36:D9:68:1B:06:FD:C3:6C:90:19:A8:AA:CD:BF:8D:D7
            X509v3 Authority Key Identifier: 
                keyid:E4:E4:B2:15:36:D9:68:1B:06:FD:C3:6C:90:19:A8:AA:CD:BF:8D:D7

Certificate is to be certified until Apr  7 20:54:35 1973 GMT (136500 days)
Sign the certificate? [y/n]:


I know that the OpenSSL library uses different structures on the inside to
represent dates, but I'm not sure what the openssl utility is doing.

- Adam



-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (5, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-1-k7 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssl depends on:
ii  libc6                   2.6.1-5          GNU C Library: Shared libraries
ii  libssl0.9.8             0.9.8e-9         SSL shared libraries
ii  zlib1g                  1:1.2.3.3.dfsg-6 compression library - runtime

openssl recommends no packages.

-- no debconf information
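
An added worked check, not part of the original report and not OpenSSL's code: assuming the expiry is computed as Not Before plus days * 86400 in a signed 32-bit integer (the width of time_t on the reporter's i386 system), the wraparound reproduces both "Not After" values printed above. The function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UTC calendar fields -> seconds since 1970-01-01 (handles pre-1970 dates). */
static int64_t to_epoch(int y, int m, int d, int hh, int mm, int ss)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return (era * 146097 + doe - 719468) * 86400 + hh * 3600 + mm * 60 + ss;
}

/* Seconds since the epoch (may be negative) -> "YYYY-MM-DD HH:MM:SS" UTC. */
static const char *fmt_utc(int64_t t, char buf[32])
{
    int64_t days = t / 86400, sec = t % 86400;
    if (sec < 0) { sec += 86400; days--; }   /* floor, not truncate */
    int64_t z = days + 719468;
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp = (5 * doy + 2) / 153;
    int m = (int)(mp < 10 ? mp + 3 : mp - 9);
    snprintf(buf, 32, "%04d-%02d-%02d %02d:%02d:%02d", (int)(yoe + era * 400 + (m <= 2)), m,
             (int)(doy - (153 * mp + 2) / 5 + 1), (int)(sec / 3600), (int)(sec / 60 % 60), (int)(sec % 60));
    return buf;
}

/* Assumed model, not OpenSSL code: not_before + days*86400 in signed 32 bits. */
static int64_t not_after_32bit(int64_t not_before, int64_t days)
{
    uint32_t w = (uint32_t)not_before + (uint32_t)days * 86400u;  /* wraps mod 2^32 */
    return w < 0x80000000u ? (int64_t)w : (int64_t)w - 4294967296LL;
}

int main(void)
{
    /* -days values and Not Before times copied from the two runs in the report */
    const int64_t days[] = { 13650, 136500 };
    const int64_t nb[] = { to_epoch(2007, 11, 6, 16, 11, 48), to_epoch(2007, 11, 6, 16, 19, 23) };
    char a[32], b[32];
    for (int i = 0; i < 2; i++)
        printf("-days %-6lld 32-bit: %s  64-bit: %s\n", (long long)days[i],
               fmt_utc(not_after_32bit(nb[i], days[i]), a), fmt_utc(nb[i] + days[i] * 86400, b));
    return 0;
}
```

The 32-bit column matches the "Not After" lines in both runs; the 64-bit column shows the same sums without truncation.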




