This repository has been archived by the owner on Feb 19, 2020. It is now read-only.

conform to RFC5280 when extracting certificates validity dates #468

Open
wants to merge 1 commit into
base: develop

@bdauvergne
Author

Without this patch I get an expired certificate warning on perfectly valid certificates.

As per https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1 :

	4.1.2.5.1.  UTCTime

	   The universal time type, UTCTime, is a standard ASN.1 type intended
	   for representation of dates and time.  UTCTime specifies the year
	   through the two low-order digits and time is specified to the
	   precision of one minute or one second.  UTCTime includes either Z
	   (for Zulu, or Greenwich Mean Time) or a time differential.

	   For the purposes of this profile, UTCTime values MUST be expressed in
	   Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are
	   YYMMDDHHMMSSZ), even where the number of seconds is zero.  Conforming
	   systems MUST interpret the year field (YY) as follows:

	      Where YY is greater than or equal to 50, the year SHALL be
	      interpreted as 19YY; and

	      Where YY is less than 50, the year SHALL be interpreted as 20YY.

@lpsinger

I'm getting this error too.

@bdauvergne
Author

Ping.

@Neustradamus

@bdauvergne Can you look with "master"?

@bdauvergne
Author

It seems fixed by current code but I cannot confirm it as I'm not using sleekxmpp anymore (but the code is formally false here and in pyasn1: strptime %y does not have the proper semantics of UTCTime, which is > 2000 for YY < 50 and < 2000 for YY > 50; the threshold for %y is 1969; not sure all this code will live until 2050).
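
The difference between the RFC 5280 year rule quoted in this thread and `strptime`'s `%y`, as an added example that is not part of the pull request or of sleekxmpp's or pyasn1's code. All function names are hypothetical and the date strings are constructed samples.

```python
import re
from datetime import datetime, timezone

# RFC 5280 4.1.2.5.1: exactly YYMMDDHHMMSSZ, seconds present, Zulu only.
_UTCTIME_RE = re.compile(r"[0-9]{12}Z")


def parse_rfc5280_utctime(value):
    """Parse an X.509 UTCTime string using the RFC 5280 year rule."""
    if not _UTCTIME_RE.fullmatch(value):
        raise ValueError("not in YYMMDDHHMMSSZ form: %r" % (value,))
    yy = int(value[:2])
    # YY >= 50 is 19YY, YY < 50 is 20YY.
    year = 1900 + yy if yy >= 50 else 2000 + yy
    # strptime still validates month, day and time, but on a 4-digit year.
    dt = datetime.strptime("%04d%s" % (year, value[2:12]), "%Y%m%d%H%M%S")
    return dt.replace(tzinfo=timezone.utc)


def parse_with_percent_y(value):
    """The approach criticised above: %y picks the century (pivot at 69)."""
    dt = datetime.strptime(value, "%y%m%d%H%M%SZ")
    return dt.replace(tzinfo=timezone.utc)


def is_within_validity(not_before, not_after, now):
    """True if `now` (an aware datetime) lies inside the validity period."""
    return (parse_rfc5280_utctime(not_before)
            <= now
            <= parse_rfc5280_utctime(not_after))


def divergent_years():
    """Two-digit years where %y and RFC 5280 choose different centuries."""
    out = []
    for yy in range(100):
        sample = "%02d0101000000Z" % yy  # constructed: 1 January, midnight
        if parse_with_percent_y(sample).year != parse_rfc5280_utctime(sample).year:
            out.append(yy)
    return out


if __name__ == "__main__":
    print("YY values parsed differently:", divergent_years())
```

The two parsers agree for every YY except 50 through 68, so a `%y`-based check only misjudges certificates whose UTCTime dates fall in 1950 to 1968.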
