[gnutls-devel] GnuTLS | GnuTLS 3.7.11 cannot process thisUpdate field according to RFC 5280 (#1638)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Wed Jan 1 14:20:51 CET 2025
Qianxin Cheng created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1638
## Description of problem:
The RFC standard for X.509 CRLs restricts the thisUpdate field to only two formats, namely UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSSZ) in ASN.1 representation, which are 13 and 15 characters wide, respectively. However, GnuTLS 3.7.11 accepts certificates with a thisUpdate field of length 11 ("0103010100Z").
## Version of gnutls used:
GnuTLS 3.7.11
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu
## How reproducible:
Steps to reproduce:
Use the following command to reproduce the issue: `certtool --crl-info --inder --infile crl_file.der`
`crl_file.der` is a CRL with a thisUpdate field length of 11.
## Actual results:
The CRL is trusted and printed.
## Expected results:
The RFC standard for X.509 CRLs limits the thisUpdate field to only two formats: UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSSZ) in ASN.1 encoding, which are 13 and 15 characters wide, respectively. Therefore, it should reject a CRL file with a thisUpdate field length of 11 (e.g., "0103010100Z").

[crl_file.der](/uploads/a0678daac2315cae8d57fc74b8886b81/crl_file.der)
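An added example, not code from the issue or from GnuTLS: a strict check of the thisUpdate content octets against the two formats the report cites, which rejects the 11-character value because it omits the seconds RFC 5280 requires. The function name `rfc5280_time_ok` and the tag constants are assumptions for illustration; the input is the Time value's tag and content bytes after DER decoding.

```c
#include <ctype.h>
#include <stddef.h>

#define TAG_UTCTIME         0x17  /* ASN.1 universal tag 23 */
#define TAG_GENERALIZEDTIME 0x18  /* ASN.1 universal tag 24 */

/* Convert two ASCII digits at p; the caller has verified they are digits. */
static int two(const char *p) { return (p[0] - '0') * 10 + (p[1] - '0'); }

/*
 * Hypothetical helper (not a GnuTLS function): returns 1 if the content
 * octets of a Time value match the RFC 5280 profile, 0 otherwise.
 */
int rfc5280_time_ok(unsigned char tag, const char *s, size_t len)
{
    size_t want, i, off;

    if (tag == TAG_UTCTIME)
        want = 13;                  /* YYMMDDHHMMSSZ */
    else if (tag == TAG_GENERALIZEDTIME)
        want = 15;                  /* YYYYMMDDHHMMSSZ */
    else
        return 0;                   /* not a Time type at all */

    /* Exact length and the mandatory trailing 'Z' (no offsets, no
     * fractional seconds); this rejects the 11-byte "0103010100Z". */
    if (len != want || s[len - 1] != 'Z')
        return 0;

    for (i = 0; i + 1 < len; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;

    off = len - 11;                 /* index of MM, after YY or YYYY */
    int mon = two(s + off),     day = two(s + off + 2);
    int hh  = two(s + off + 4), mi  = two(s + off + 6);
    int ss  = two(s + off + 8);

    /* Range checks only; days-per-month validation is left out here. */
    return mon >= 1 && mon <= 12 && day >= 1 && day <= 31 &&
           hh <= 23 && mi <= 59 && ss <= 59;
}
```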