[gnutls-devel] GnuTLS | Gnutls3.6.7 accepts a certificate whose notbefore field is a non-digits string while openssl rejects such certificates (#870)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Sat Dec 14 14:12:13 CET 2019
llqll commented:
@nmav Hello, thanks for your advice. I verified the certificate by reverting [https://gitlab.com/gnutls/gnutls/commit/8e7bc8fec48bf5748b08426ea183d18c2d7b52a9](https://gitlab.com/gnutls/gnutls/commit/8e7bc8fec48bf5748b08426ea183d18c2d7b52a9). And I used the new version of gnutls (gnutls3.6.11) to verify the certificate. The result is the same. gnutls3.6.11 accepts the certificate with an invalid notbefore field.
I think this problem is different from [https://gitlab.com/gnutls/gnutls/issues/207](https://gitlab.com/gnutls/gnutls/issues/207) because the notbefore field of the certificate conforms to DER syntax.
Through debugging I found the reason.
gnutls uses atoi(x) to get the year, month and day values. When x cannot be converted to int, it returns 0 instead of an error. In this case, x=" #", and after year=atoi(x), the value of year is 0. [https://baike.baidu.com/item/atoi](https://baike.baidu.com/item/atoi).
The gnutls code is:
![image text](https://github.com/llqll/image/raw/master/certtooltime.png)
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/870#note_260357431
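
The behaviour described in this message, shown as an added example that is not part of the original post and is not GnuTLS code: an `atoi`-based field reader turns `" #"` into 0, while a strict reader rejects it. The helper names (`field_atoi`, `field_strict`, `utctime_check`) are hypothetical, the time strings are constructed samples, and the check assumes the `YYMMDDhhmmssZ` UTCTime form.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lenient reader: the atoi pattern described above. Non-numeric input
 * yields 0, which cannot be told apart from a genuine "00". */
static int field_atoi(const char *s)
{
    char buf[3] = { s[0], s[1], '\0' };
    return atoi(buf);
}

/* Strict reader: both bytes must be ASCII digits, otherwise -1. */
static int field_strict(const char *s)
{
    if (!isdigit((unsigned char)s[0]) || !isdigit((unsigned char)s[1]))
        return -1;
    return (s[0] - '0') * 10 + (s[1] - '0');
}

/* Validate a UTCTime body "YYMMDDhhmmssZ" (assumed form).
 * Returns 0 if every field is two digits and in range, -1 otherwise. */
static int utctime_check(const char *t)
{
    static const int lo[6] = { 0, 1, 1, 0, 0, 0 };
    static const int hi[6] = { 99, 12, 31, 23, 59, 59 };

    if (strlen(t) != 13 || t[12] != 'Z')
        return -1;
    for (int i = 0; i < 6; i++) {
        int v = field_strict(t + 2 * i);   /* -1 falls below every lo[i] */
        if (v < lo[i] || v > hi[i])
            return -1;
    }
    return 0;
}

int main(void)
{
    const char *bad  = " #1214141213Z";   /* constructed: year bytes are " #" */
    const char *good = "191214141213Z";   /* constructed: well formed */

    printf("atoi year of bad:   %d\n", field_atoi(bad));
    printf("strict year of bad: %d\n", field_strict(bad));
    printf("check bad=%d good=%d\n", utctime_check(bad), utctime_check(good));
    return 0;
}
```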