open ssl not_before failure on small set of certificates
This failure only occurs on a very small percentage of certificates, during processing of ~2 million certificates, this failure only occurred 3 times. It happens on ruby-1.9.3-p448, ruby-1.8.7-p374 and ruby-2.0.0-p247 with the same error reported:
not_before': bad UTCTIME format (TypeError)perform_cert'
from open-ssl-bug.rb:76:in `'
I've enclosed a small sample program showing a successful and failed display of the not_before time, with the good and bad certificates embedded within the code.
#2 [ruby-core:56114] Updated by drbrain (Eric Hodel) over 4 years ago
It seems that there are multiple ways to represent a UTCTime in ASN1, but ruby's openssl extension only implements one of them.
This patch adds the format your certificate is encoded in.
Martin, can you check it? Are there other formats that are missing?
#3 [ruby-core:56115] Updated by MartinBosslet (Martin Bosslet) over 4 years ago
- Assignee changed from MartinBosslet (Martin Bosslet) to drbrain (Eric Hodel)
Unfortunately, when encoded as BER, all bets are off, as the format (with or without time zone, string representations of the time zone, ...) is not clearly specified anymore. But in this particular case I believe it makes a lot of sense to add explicit support. Please, Eric, go ahead and commit your patch! And thanks, BTW :)
#4 Updated by drbrain (Eric Hodel) over 4 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
This issue was solved with changeset r42126.
Jody, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.
- ext/openssl/ossl_asn1.c (asn1time_to_time): Implement YYMMDDhhmmZ format for ASN.1 UTCTime. [ruby-trunk - Bug #8664]
- test/openssl/test_asn1.rb: Test for the above.