Bug #8664

open ssl not_before failure on small set of certificates

Added by Jody Nickel almost 2 years ago. Updated almost 2 years ago.

[ruby-core:56108]
Status:Closed
Priority:Normal
Assignee:Eric Hodel
ruby -v:ruby 1.9.3p448 (2013-06-27 revision 41675) [x86_64-linux]
Backport:1.9.3: DONE, 2.0.0: DONE

Description

This failure only occurs on a very small percentage of certificates; during processing of ~2 million certificates, this failure only occurred 3 times. It happens on ruby-1.9.3-p448, ruby-1.8.7-p374 and ruby-2.0.0-p247 with the same error reported:

open-ssl-bug.rb:71:in `not_before': bad UTCTIME format (TypeError)
from open-ssl-bug.rb:71:in `perform_cert'
from open-ssl-bug.rb:76:in `'

I've enclosed a small sample program showing a successful and failed display of the not_before time, with the good and bad certificates embedded within the code.

open-ssl-bug.rb (3.69 KB) Jody Nickel, 07/23/2013 01:59 AM

openssl.bug_8664.patch (1.61 KB) Eric Hodel, 07/23/2013 08:29 AM

Associated revisions

Revision 42126
Added by Eric Hodel almost 2 years ago

  • ext/openssl/ossl_asn1.c (asn1time_to_time): Implement YYMMDDhhmmZ format for ASN.1 UTCTime. [ruby-trunk - Bug #8664]
  • test/openssl/test_asn1.rb: Test for the above.

History

#1 Updated by Eric Hodel almost 2 years ago

  • Category set to ext/openssl
  • Status changed from Open to Assigned
  • Assignee set to Martin Bosslet

#2 Updated by Eric Hodel almost 2 years ago

It seems that there are multiple ways to represent a UTCTime in ASN1, but ruby's openssl extension only implements one of them.

This patch adds the format your certificate is encoded in.

Martin, can you check it? Are there other formats that are missing?

#3 Updated by Martin Bosslet almost 2 years ago

  • Assignee changed from Martin Bosslet to Eric Hodel

Unfortunately, when encoded as BER, all bets are off, as the format (with or without time zone, string representations of the time zone, ...) is not clearly specified anymore. But in this particular case I believe it makes a lot of sense to add explicit support. Please, Eric, go ahead and commit your patch! And thanks, BTW :)

#4 Updated by Eric Hodel almost 2 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r42126.
Jody, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • ext/openssl/ossl_asn1.c (asn1time_to_time): Implement YYMMDDhhmmZ format for ASN.1 UTCTime. [ruby-trunk - Bug #8664]
  • test/openssl/test_asn1.rb: Test for the above.
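Added example (not part of this thread, the attached script, or the patch in r42126): a pure-Ruby parser for UTCTime content octets that accepts both the YYMMDDhhmmssZ and YYMMDDhhmmZ forms and reports which one it saw, so a bulk certificate scan can flag a non-conforming encoding instead of aborting. It goes beyond the single format fixed here by also accepting the +hhmm/-hhmm offset forms of the kind comment #3 alludes to; parse_utctime, UTCTIME_RE and the :strict key are hypothetical names, and the two-digit year rule is the one from RFC 5280.

```ruby
# Added example, not the openssl extension's code. parse_utctime, UTCTIME_RE
# and the :strict key are hypothetical names chosen for this illustration.

# YYMMDDhhmm, optional ss, then "Z" or a +hhmm / -hhmm offset.
UTCTIME_RE = /\A(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?(Z|[+-]\d{4})\z/

# Parses the content octets of an ASN.1 UTCTime. Returns the instant in UTC
# and whether the encoding is the YYMMDDhhmmssZ form RFC 5280 requires.
def parse_utctime(content)
  m = UTCTIME_RE.match(content) or
    raise ArgumentError, "bad UTCTIME format: #{content.inspect}"
  yy, mon, day, hour, min = m.captures.first(5).map(&:to_i)
  sec = m[6].to_i                           # nil.to_i == 0 when seconds are absent
  year = yy >= 50 ? 1900 + yy : 2000 + yy   # RFC 5280 two-digit year rule
  unless (1..12).cover?(mon) && (1..31).cover?(day) &&
         hour < 24 && min < 60 && sec < 60
    raise ArgumentError, "field out of range: #{content.inspect}"
  end
  local = Time.utc(year, mon, day, hour, min, sec)
  # Time.utc silently rolls 30 February over into March; reject that instead.
  unless local.month == mon && local.day == day
    raise ArgumentError, "no such calendar date: #{content.inspect}"
  end
  zone = m[7]
  offset = 0
  unless zone == "Z"
    seconds = zone[1, 2].to_i * 3600 + zone[3, 2].to_i * 60
    offset = zone.start_with?("-") ? -seconds : seconds
  end
  { time: local - offset, strict: !m[6].nil? && zone == "Z" }
end

# Constructed sample values, not taken from the certificates in this report.
if __FILE__ == $PROGRAM_NAME
  %w[130723015900Z 1307230159Z 1307230159+0200 130230000000Z].each do |s|
    begin
      r = parse_utctime(s)
      puts "#{s.ljust(16)} #{r[:time].strftime('%Y-%m-%d %H:%M:%S UTC')} strict=#{r[:strict]}"
    rescue ArgumentError => e
      puts "#{s.ljust(16)} rejected: #{e.message}"
    end
  end
end
```

A result with strict set to false is the case worth logging during a large scan: the timestamp is usable, but the certificate was not encoded the way RFC 5280 requires.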

#5 Updated by Eric Hodel almost 2 years ago

  • Backport changed from 1.9.3: UNKNOWN, 2.0.0: UNKNOWN to 1.9.3: REQUIRED, 2.0.0: REQUIRED

#6 Updated by Tomoyuki Chikanaga almost 2 years ago

  • Backport changed from 1.9.3: REQUIRED, 2.0.0: REQUIRED to 1.9.3: REQUIRED, 2.0.0: DONE

Backported to ruby_2_0_0 at r42215.

#7 Updated by Usaku NAKAMURA almost 2 years ago

  • Backport changed from 1.9.3: REQUIRED, 2.0.0: DONE to 1.9.3: DONE, 2.0.0: DONE

Backported to ruby_1_9_3 at r42328.