Bug #8664

open ssl not_before failure on small set of certificates

Added by Jody Nickel 9 months ago. Updated 9 months ago.

[ruby-core:56108]
Status:Closed
Priority:Normal
Assignee:Eric Hodel
Category:ext/openssl
Target version:-
ruby -v:ruby 1.9.3p448 (2013-06-27 revision 41675) [x86_64-linux] Backport:1.9.3: DONE, 2.0.0: DONE

Description

This failure only occurs on a very small percentage of certificates, during processing of ~2 million certificates, this failure only occurred 3 times. It happens on ruby-1.9.3-p448, ruby-1.8.7-p374 and ruby-2.0.0-p247 with the same error reported:

open-ssl-bug.rb:71:in not_before': bad UTCTIME format (TypeError)
from open-ssl-bug.rb:71:in
perform_cert'
from open-ssl-bug.rb:76:in `'

I've enclosed a small sample program showing a successful and failed display of the not_before time, with the good and bad certificates embedded within the code.

open-ssl-bug.rb Magnifier (3.69 KB) Jody Nickel, 07/23/2013 01:59 AM

openssl.bug_8664.patch Magnifier (1.61 KB) Eric Hodel, 07/23/2013 08:29 AM

Associated revisions

Revision 42126
Added by Eric Hodel 9 months ago

  • ext/openssl/osslasn1.c (asn1timeto_time): Implement YYMMDDhhmmZ format for ASN.1 UTCTime. [ruby-trunk - Bug #8664]
  • test/openssl/test_asn1.rb: Test for the above.

History

#1 Updated by Eric Hodel 9 months ago

  • Category set to ext/openssl
  • Status changed from Open to Assigned
  • Assignee set to Martin Bosslet

#2 Updated by Eric Hodel 9 months ago

It seems that there are multiple ways to represent a UTCTime in ASN1, but ruby's openssl extension only implements one of them.

This patch adds the format your certificate is encoded in.

Martin, can you check it? Are there other formats that are missing?

#3 Updated by Martin Bosslet 9 months ago

  • Assignee changed from Martin Bosslet to Eric Hodel

Unfortunately, when encoded as BER, all bets are off, as the format (with or without time zone, string representations of the time zone, ...) is not clearly specified anymore. But in this particular case I believe it makes a lot of sense to add explicit support. Please, Eric, go ahead and commit your patch! And thanks, BTW :)

#4 Updated by Eric Hodel 9 months ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r42126.
Jody, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • ext/openssl/osslasn1.c (asn1timeto_time): Implement YYMMDDhhmmZ format for ASN.1 UTCTime. [ruby-trunk - Bug #8664]
  • test/openssl/test_asn1.rb: Test for the above.

#5 Updated by Eric Hodel 9 months ago

  • Backport changed from 1.9.3: UNKNOWN, 2.0.0: UNKNOWN to 1.9.3: REQUIRED, 2.0.0: REQUIRED

#6 Updated by Tomoyuki Chikanaga 9 months ago

  • Backport changed from 1.9.3: REQUIRED, 2.0.0: REQUIRED to 1.9.3: REQUIRED, 2.0.0: DONE

Backported to ruby20_0 at r42215.

#7 Updated by Usaku NAKAMURA 9 months ago

  • Backport changed from 1.9.3: REQUIRED, 2.0.0: DONE to 1.9.3: DONE, 2.0.0: DONE

Backported to ruby19_3 at r42328.

Also available in: Atom PDF