[gnutls-devel] GnuTLS | RFC 5280 compliance: generalTime parser accepts value without seconds field (#1688)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Thu Mar 27 02:57:48 CET 2025
One happy person created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1688
## Description of problem:
The RFC standard for X.509 CRLs restricts the thisUpdate field to only two formats, namely UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSSZ) in ASN.1 representation, which are 13 and 15 characters wide, respectively. However, GnuTLS 3.8.9 accepts a CRL with a thisUpdate field of length 13 ("240123000000Z").
## Version of gnutls used:
GnuTLS 3.8.9
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
certtool --crl-info --inder --infile crl_file_13gn.der
## Actual results:
Issued: Wed Dec 31 23:59:59 UTC 1969
## Expected results:
The RFC standard for X.509 CRLs limits the thisUpdate field to only two formats: UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSSZ) in ASN.1 encoding, which are 13 and 15 characters wide, respectively. Therefore, it should reject a CRL file with a thisUpdate field length of 13 ("240123000000Z").
[crl_file_13gn.der](/uploads/38f2662a26c87d4b6d9ae78350aed2cb/crl_file_13gn.der)
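The length rule quoted in the report, written out as a strict check on a DER-encoded Time element. This is an added example, not GnuTLS code and not part of the original issue; the function name `rfc5280_time_ok` is hypothetical and the sample byte strings are constructed, not extracted from the attached CRL.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Universal ASN.1 tags of the two encodings allowed for a Time field. */
#define TAG_UTCTIME         0x17
#define TAG_GENERALIZEDTIME 0x18

static int two(const unsigned char *p) { return (p[0] - '0') * 10 + (p[1] - '0'); }

/* Returns 1 when the DER TLV is UTCTime "YYMMDDHHMMSSZ" (13 bytes) or
 * GeneralizedTime "YYYYMMDDHHMMSSZ" (15 bytes), 0 otherwise. The day is
 * only range-checked as 1..31; month lengths are not modelled here. */
int rfc5280_time_ok(const unsigned char *der, size_t len)
{
    size_t want, n, i;
    const unsigned char *s, *p;

    if (len < 2 || (der[1] & 0x80) || der[1] != len - 2)
        return 0;                       /* short-form length, exact fit */
    n = der[1];
    want = der[0] == TAG_UTCTIME ? 13 : der[0] == TAG_GENERALIZEDTIME ? 15 : 0;
    if (want == 0 || n != want)
        return 0;                       /* tag and content length must agree */
    s = der + 2;
    if (s[n - 1] != 'Z')
        return 0;
    for (i = 0; i + 1 < n; i++)
        if (!isdigit(s[i]))
            return 0;
    p = s + n - 11;                     /* trailing MMDDHHMMSS before 'Z' */
    return two(p) >= 1 && two(p) <= 12 && two(p + 2) >= 1 && two(p + 2) <= 31 &&
           two(p + 4) <= 23 && two(p + 6) <= 59 && two(p + 8) <= 59;
}

/* Constructed sample TLVs (not taken from the attached CRL). */
static const unsigned char utc_13[] = "\x17\x0d" "240123000000Z";
static const unsigned char gen_15[] = "\x18\x0f" "20240123000000Z";
static const unsigned char gen_13[] = "\x18\x0d" "240123000000Z";

int main(void)
{
    printf("UTCTime, 13 bytes:         %d\n", rfc5280_time_ok(utc_13, sizeof utc_13 - 1));
    printf("GeneralizedTime, 15 bytes: %d\n", rfc5280_time_ok(gen_15, sizeof gen_15 - 1));
    printf("GeneralizedTime, 13 bytes: %d\n", rfc5280_time_ok(gen_13, sizeof gen_13 - 1));
    return 0;
}
```

Checking the content length against the tag, rather than against either permitted width, is what rejects a 13-byte string carried under the GeneralizedTime tag.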