Fencepost errors in certificate and OCSP validity

Jakob Bohm jb-openssl at wisemo.com
Wed Oct 28 15:32:56 UTC 2020


Recently, the EJBCA developers publicly warned (via the Mozilla root store
policy mailing list) other CA vendors that they had incorrectly implemented
the handling of the "notAfter" X509 field, resulting in certificates that
lasted 1 second longer than intended.

Prompted by this warning, I checked what the OpenSSL code does, and it 
seems
to be a bit more buggy:

x509_vfy.c seems to be a bit ambivalent if certificate validity should be
inclusive or exclusive of the time values in the certificate.

apps.c seems to convert the validity duration in days as if the notAfter
field is exclusive, but the notBefore field is inclusive.

PKIX (RFC5280) says that both timestamps are inclusive, X.509 (10/2012) 
says
nothing about this aspect of the interpretation of the validity structure.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded 	



More information about the openssl-users mailing list