On Thu, 11 May 2017 18:42:17 +0200 Kurt Roeckx <k...@roeckx.be> wrote:
> On Thu, May 11, 2017 at 02:59:20PM +0200, Harald Dunkel wrote:
>>
>> Please note the "-enddate 20451231235959Z" and compare with RFC
>> 5280 section 4.1.2.5 (https://www.ietf.org/rfc/rfc5280.txt). The
>> GeneralizedTime format is not allowed for 2045, but apparently
>> openssl doesn't convert the string to UTCTime format.
>
> Please note that the manual says the format is: YYMMDDHHMMSSZ
>
> I guess it would be nice we converted it properly.
Just for the record, the latest openssl (1.1.1-dev from Github) accepts
this (seen from the code):

  [SS] is optional, <+|-> = either + or - must be present

  1. YYMMDDHHMM[SS]Z
     YYMMDDHHMM[SS]<+|->hhmm

     If valid, these date strings are written to ASN.1 into a UTCTime field.

  2. YYYYMMDDHHMM[SS]Z or
     YYYYMMDDHHMMSS<+|->hhmm

     If valid, these date strings are written to ASN.1 into a GeneralizedTime field.

Regarding RFC5280, in both cases (UTCTime and GeneralizedTime) the seconds (SS)
and the Z (Zulu) timezone are a MUST. See RFC5280 '4.1.2.5.1. UTCTime' and
'4.1.2.5.2. GeneralizedTime'.

OpenSSL relies on its ASN.1 code to check for validity, which is simply not
strict enough. Other implementors do a strict check and thus might reject
certificates generated by openssl.

Regards,
Tim
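The following is an added example, not code from this thread or from OpenSSL. It is a small pre-flight check a certificate-issuing pipeline could run on a `-enddate`/`-startdate` string before handing it to `openssl`: it classifies the string strictly per RFC 5280 section 4.1.2.5 (seconds and `Z` mandatory, UTCTime for 1950-2049, GeneralizedTime for 2050 and later) and, separately, reports whether the string has one of the lenient shapes Tim lists. The lenient patterns are an assumption modelled from Tim's description of the 1.1.1-dev parser, not from reading OpenSSL's source; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Strict shapes from RFC 5280 4.1.2.5.1 / 4.1.2.5.2: exactly seconds-resolution, 'Z' only.
STRICT_UTCTIME = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
STRICT_GENERALIZEDTIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")

# Lenient shapes as described in the thread (assumption: modelled from Tim's
# post, not taken from OpenSSL's code):
#   1. YYMMDDHHMM[SS]Z  or  YYMMDDHHMM[SS]<+|->hhmm         -> UTCTime
#   2. YYYYMMDDHHMM[SS]Z  or  YYYYMMDDHHMMSS<+|->hhmm       -> GeneralizedTime
LENIENT_UTCTIME = re.compile(r"^\d{10}(\d{2})?(Z|[+-]\d{4})$")
LENIENT_GENERALIZEDTIME = re.compile(r"^\d{12}(\d{2})?Z$|^\d{14}[+-]\d{4}$")


def _check_calendar(year, month, day, hour, minute, second):
    """Reject impossible dates such as Feb 30 or 24:00 (datetime raises ValueError)."""
    datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def rfc5280_time_type(s):
    """Return 'UTCTime' or 'GeneralizedTime' if s is a strictly RFC 5280
    conformant validity-date string; raise ValueError otherwise."""
    m = STRICT_UTCTIME.match(s)
    if m:
        yy = int(m.group(1))
        # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, YY < 50 means 20YY.
        year = 1900 + yy if yy >= 50 else 2000 + yy
        _check_calendar(year, *map(int, m.groups()[1:]))
        return "UTCTime"
    m = STRICT_GENERALIZEDTIME.match(s)
    if m:
        year = int(m.group(1))
        # RFC 5280 4.1.2.5: dates through 2049 MUST be encoded as UTCTime,
        # so a four-digit year below 2050 (e.g. Harald's 2045) is non-conformant.
        if year < 2050:
            raise ValueError("years before 2050 MUST use UTCTime (RFC 5280 4.1.2.5)")
        _check_calendar(year, *map(int, m.groups()[1:]))
        return "GeneralizedTime"
    raise ValueError(f"not a strict RFC 5280 time: {s!r}")


def openssl_accepts(s):
    """Whether s has one of the lenient shapes Tim describes (shape only; no
    calendar validation, mirroring the 'not strict enough' point)."""
    return bool(LENIENT_UTCTIME.match(s) or LENIENT_GENERALIZEDTIME.match(s))


def audit(s):
    """Classify a date string as (accepted_by_lenient_parser, strict_type_or_None).
    (True, None) flags strings openssl would take but strict verifiers may reject."""
    try:
        strict = rfc5280_time_type(s)
    except ValueError:
        strict = None
    return openssl_accepts(s), strict


if __name__ == "__main__":
    # Constructed sample inputs, including the string from Harald's report.
    for sample in ("20451231235959Z", "451231235959Z", "20501231235959Z",
                   "0512312359Z", "0512312359+0100", "051231235959", "050231235959Z"):
        print(sample, audit(sample))
```

A `(True, None)` result is the case the thread is about: the string passes OpenSSL's parser and ends up in the certificate, while a strict verifier may reject it. Gating issuance on `rfc5280_time_type` succeeding keeps such certificates from being produced in the first place.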