[openssl-dev] [openssl.org #3788] Bug: Certificate expiration date error for 9000+ days

Oleg Khovayko via RT rt at openssl.org
Wed Apr 8 15:20:33 UTC 2015


 Hi,

I am using FreeBSD 8.2, 32bits i386, OpenSSL package:
openssl-1.0.1_18 SSL and crypto library

During certificate generation, I found a bug:
If the requested CA lifespan is too long, the expiration date drops into the
far past, and the CA certificate is invalid.

Moreover, no error message is printed, everything works, and this
certificate signs other client certificates.
But when I tried to log in with these client certs, I received an error:
ssl_error_expired_cert_alert - Mozilla, Seamonkey
ssl_error_bad_cert_alert - Chrome

I assume the problem is a signed int overflow.

See the following bug example:

If 10000 days are requested, the expiration date is written as 1906!


$ openssl req -new -newkey rsa:512 -nodes -keyout emc_ca.key -x509 -days 10000 \
-subj '/O=EmerCoin/OU=EMCSSL/CN=EmerCoin World Wide Web Public Key Infrastructure/emailAddress=team at emercoin.com/UID=EMC' \
-out emc_ca.crt


$ openssl x509 -noout -text -in emc_ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c6:8e:ab:87:46:5d:8e:6d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=EmerCoin, OU=EMCSSL, CN=EmerCoin World Wide Web Public Key Infrastructure/emailAddress=team at emercoin.com/UID=EMC
        Validity
            Not Before: Apr 8 13:13:06 2015 GMT
            Not After : Jul 19 06:44:50 1906 GMT
        Subject: O=EmerCoin, OU=EMCSSL, CN=EmerCoin World Wide Web Public Key Infrastructure/emailAddress=team at emercoin.com/UID=EMC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:e7:16:06:11:e2:d6:cd:ec:49:a9:93:95:19:cf:
                    b1:fb:b5:d5:08:5c:3d:01:4a:cc:a2:20:8b:b9:0f:
                    d2:74:ce:14:c7:a3:eb:81:80:07:aa:8b:e4:db:8b:
                    42:6d:cc:e6:ae:4d:3d:39:83:f7:8f:1e:93:f3:ca:
                    0b:3f:71:9d:11
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                26:12:7D:02:A3:2D:3A:39:96:84:FE:F3:26:62:04:9D:26:43:E5:5E
            X509v3 Authority Key Identifier:
                keyid:26:12:7D:02:A3:2D:3A:39:96:84:FE:F3:26:62:04:9D:26:43:E5:5E
                DirName:/O=EmerCoin/OU=EMCSSL/CN=EmerCoin World Wide Web Public Key Infrastructure/emailAddress=team at emercoin.com/UID=EMC
                serial:C6:8E:AB:87:46:5D:8E:6D

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        54:0b:c2:62:76:6c:1d:a7:c8:15:b7:52:60:ee:a4:20:67:19:
        47:f3:c1:ff:03:0c:9f:fa:fe:6d:b7:c6:1f:46:94:b5:38:5d:
        67:93:02:d7:53:1b:f4:04:ba:56:ce:67:42:32:9c:ad:98:f1:
        0c:6a:dc:01:ba:c2:ba:0b:01:e5
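
The dates in the dump above can be reproduced with plain arithmetic. The C program below is an added example, not part of the original message and not OpenSSL code; it assumes a 32-bit signed time_t (as on an i386 system like the one described), takes the Not Before value from the dump, and its function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define SECS_PER_DAY 86400LL

/* Not Before from the report: Apr 8 13:13:06 2015 GMT, as Unix seconds. */
#define NOT_BEFORE 1428498786LL

/* notAfter as a 32-bit signed time_t would store it (assumption): the exact
 * sum reduced modulo 2^32 and read back as a two's-complement value. */
int32_t not_after_32(int64_t not_before, long days)
{
    uint32_t low = (uint32_t)(not_before + (int64_t)days * SECS_PER_DAY);
    return low > (uint32_t)INT32_MAX ? (int32_t)((int64_t)low - 4294967296LL)
                                     : (int32_t)low;
}

/* Largest -days value whose notAfter still fits in 32 signed bits. */
long max_days_32(int64_t not_before)
{
    return (long)(((int64_t)INT32_MAX - not_before) / SECS_PER_DAY);
}

/* Calendar year (UTC) of a Unix timestamp, 0 if the conversion fails. */
int utc_year(int64_t t)
{
    time_t tt = (time_t)t;
    struct tm *tm = gmtime(&tt);
    return tm ? tm->tm_year + 1900 : 0;
}

int main(void)
{
    long days[] = { 8321, 8322, 10000 };   /* last safe, first wrap, reported */

    printf("max safe -days: %ld\n", max_days_32(NOT_BEFORE));
    for (size_t i = 0; i < sizeof days / sizeof days[0]; i++) {
        int32_t t = not_after_32(NOT_BEFORE, days[i]);
        printf("%5ld days -> %11d (year %d)\n", days[i], (int)t, utc_year(t));
    }
    return 0;
}
```

For this Not Before, 8321 days is the largest lifespan that still fits; 10000 days wraps to -2002468510, which is Jul 19 06:44:50 1906 GMT, the Not After shown in the dump.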


