Your message dated Thu, 31 May 2018 20:57:40 +0200
with message-id <[email protected]>
and subject line Re: Bug#862335: openssl creates and accepts certificates with 
bad notAfter field
has caused the Debian Bug report #862335,
regarding openssl creates and accepts certificates with bad notAfter field
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
862335: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862335
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 1.1.0e-1

If I create a self-signed certificate with a bad notAfter field,
then openssl doesn't complain. Sample session:

% mkdir -p ca/root-ca/private ca/root-ca/db crl certs
% chmod 700 ca/root-ca/private
% cp /dev/null ca/root-ca/db/root-ca.db
% cp /dev/null ca/root-ca/db/root-ca.db.attr
% echo 01 > ca/root-ca/db/root-ca.crt.srl
% echo 01 > ca/root-ca/db/root-ca.crl.srl
% 
% openssl req -new \
>     -config etc/root-ca.conf \
>     -out ca/root-ca.csr \
>     -keyout ca/root-ca/private/root-ca.key
Generating a 4096 bit RSA private key
...............................................++
...........................................................................................................................................................................................++
writing new private key to 'ca/root-ca/private/root-ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
% openssl ca -selfsign \
>     -config etc/root-ca.conf \
>     -in ca/root-ca.csr \
>     -out ca/root-ca.crt \
>     -extensions root_ca_ext \
>     -enddate 20451231235959Z
Using configuration from etc/root-ca.conf
Enter pass phrase for ./ca/root-ca/private/root-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 11 10:53:09 2017 GMT
            Not After : Dec 31 23:59:59 2045 GMT
        Subject:
            countryName               = DE
            organizationName          = example AG
            organizationalUnitName    = example Certificate Authority
            commonName                = example Root CA
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                57:E9:EC:EB:0A:A5:F4:26:DC:1A:CF:CE:2E:E5:59:20:F0:FE:10:AD
            Authority Information Access: 
                CA Issuers - URI:http://pki.example.com/ca/root-ca.cer

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://pki.example.com/ca/root-ca.crl

            X509v3 Authority Key Identifier: 
                
keyid:57:E9:EC:EB:0A:A5:F4:26:DC:1A:CF:CE:2E:E5:59:20:F0:FE:10:AD

Certificate is to be certified until Dec 31 23:59:59 2045 GMT (10461 days)
Sign the certificate? [y/n]:yes


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

% openssl verify -CAfile ca/root-ca.crt ca/root-ca.crt
ca/root-ca.crt: OK



Please note the "-enddate 20451231235959Z" and compare with RFC 5280
section 4.1.2.5 (https://www.ietf.org/rfc/rfc5280.txt). The GeneralizedTime 
format is not allowed for 2045, but apparently openssl doesn't convert 
the string to UTCTime format.


libressl rejects the certificate (created on Debian), e.g. on OpenBSD 6.0:

% openssl verify -CAfile root-ca.crt root-ca.crt 
root-ca.crt: C = DE, O = example AG, OU = example Certificate Authority, CN = 
example Root CA
error 14 at 0 depth lookup:format error in certificate's notAfter field



Regards
Harri

--- End Message ---
--- Begin Message ---
Version: 1.1.1~~pre1-1

commit 04e62715db684d83bffac53793ff4cfac51e047a

On 2017-05-15 09:29:42 [+0200], Harald Dunkel wrote:
> Please don't underestimate this problem. openssl creates bad
> certificates here without telling. It is *highly* annoying
> if you are affected by a bad root certificate you already used
> for setting up a private PKI and then detect the problem on
> a platform with a better ssl implementation.
> 
> I would highly appreciate if you could fix this for Stretch.

As far as I can tell upstream did not push this into their 1.1.0 branch
(if so please correct me). Therefore I would suggest that you convince
upstream to push this patch into their 1.1.0 branch and then I could try
to get this into Stretch.

> Thanx
> Harri

Sebastian

--- End Message ---

Reply via email to