[gnutls-devel] GnuTLS | Certificate verification: validity period format check (#1620)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Sat Nov 30 03:34:24 CET 2024
dulanshuangqiao created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1620
## Description of problem:
Gnutls mistakenly validated a certificate that does not comply with RFC5280.
RFC5280 stipulates: CAs conforming to this profile MUST always encode certificate validity dates through the year 2049 as UTCTime; certificate validity dates in 2050 or later MUST be encoded as GeneralizedTime.
Cryptography performs this check and treats the use case that does not conform to the format as a verification failure.
## Version of gnutls used:
gnutls-cli 3.7.3
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu
## How reproducible:
Steps to Reproduce:
* certtool --verify --load-ca-certificate RootCA.pem --infile Cert17319380403.pem
[validity.zip](/uploads/4dbc367f07393cab83aa8dd566213647/validity.zip)
## Actual results:
Chain verification output: Verified. The certificate is trusted.
## Expected results:
validation failed: validity dates between 1950 and 2049 must be UtcTime
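A stand-alone check for the RFC 5280 validity-encoding rule the issue describes, as an added example (not code from GnuTLS or from Cryptography): it parses a DER `Validity` SEQUENCE, decodes both `Time` fields, and rejects a date whose ASN.1 tag does not match its year, emitting the message given under expected results above. The two `Validity` blobs at the bottom are constructed here and are not taken from the attached certificate.

```python
import re
from datetime import datetime, timezone
UTCTIME, GENERALIZEDTIME, SEQUENCE = 0x17, 0x18, 0x30   # DER tags

def _read_tlv(buf, pos):  # one DER TLV at buf[pos] -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_time(tag, value):
    """Decode a Time in the strict RFC 5280 shape (YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ)."""
    s = value.decode("ascii")
    if tag == UTCTIME and re.fullmatch(r"\d{12}Z", s):
        yy = int(s[:2])  # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, YY < 50 means 20YY
        s = ("19" if yy >= 50 else "20") + s
    elif not (tag == GENERALIZEDTIME and re.fullmatch(r"\d{14}Z", s)):
        raise ValueError(f"malformed Time (tag 0x{tag:02x}): {s!r}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_validity(der):
    """Parse Validity ::= SEQUENCE { notBefore Time, notAfter Time } and enforce the RFC 5280 rule."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Validity is not a SEQUENCE")
    t1, v1, pos = _read_tlv(body, 0)
    t2, v2, _ = _read_tlv(body, pos)
    not_before, not_after = decode_time(t1, v1), decode_time(t2, v2)
    for t, when in ((t1, not_before), (t2, not_after)):  # RFC 5280 4.1.2.5: tag must match the year
        if when.year <= 2049 and t != UTCTIME:
            raise ValueError("validity dates between 1950 and 2049 must be UtcTime")
        if when.year >= 2050 and t != GENERALIZEDTIME:
            raise ValueError("validity dates in 2050 or later must be GeneralizedTime")
    return not_before, not_after

def validity_problem(der):  # None when the Validity conforms, else the rejection message
    try:
        check_validity(der)
        return None
    except ValueError as e:
        return str(e)

def _tlv(tag, value):  # short-form length is enough for the values used here
    return bytes([tag, len(value)]) + value

# Constructed sample Validity structures; not taken from the issue's attachment.
CONFORMING = _tlv(SEQUENCE, _tlv(UTCTIME, b"241130000000Z") + _tlv(GENERALIZEDTIME, b"20500101000000Z"))
NONCONFORMING = _tlv(SEQUENCE, _tlv(GENERALIZEDTIME, b"20241130000000Z") + _tlv(UTCTIME, b"341130000000Z"))
```

`validity_problem(NONCONFORMING)` returns the expected-results message because its notBefore is a 2024 date encoded as GeneralizedTime; a verifier that only decodes the dates, without looking at the tag, accepts it.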