Closed Bug 1023605 Opened 10 years ago Closed 10 years ago

mozilla::pkix should only accept Generalized times that conform to RFC 5280 section 4.1.2.5.2

Categories

(Core :: Security: PSM, defect)

x86
macOS
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1043041

People

(Reporter: cviecco, Unassigned)

Details

ASN.1 (ITU-T X.680) allows many types of encodings for Generalized times; however, for both certificates and OCSP responses, the RFCs specify a single valid encoding. From RFC 5280 section 4.1.2.5.2:

   For the purposes of this profile, GeneralizedTime values MUST be
   expressed in Greenwich Mean Time (Zulu) and MUST include seconds
   (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds
   is zero.  GeneralizedTime values MUST NOT include fractional seconds.

And from RFC 6960 (OCSP) section 4.2.2.1:

   Responses can contain four times -- thisUpdate, nextUpdate,
   producedAt, and revocationTime.  The semantics of these fields are
   defined in Section 2.4.  The format for GeneralizedTime is as
   specified in Section 4.1.2.5.2 of [RFC5280].

We currently accept encodings using local time and not including seconds.

This was fixed as part of the time-parsing rewrite in bug 1043041.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
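
A sketch of the strict check this bug asks for, as an added example; it is not mozilla::pkix's code and not the fix from bug 1043041. The names `CheckGeneralizedTime` and `TimeCheck` are hypothetical, the input is assumed to be the content octets of the GeneralizedTime with tag and length already stripped, and rejecting a seconds value of 60 is a choice made for this example.

```cpp
#include <cstddef>
#include <string>

// Added example (not mozilla::pkix code). Validates the content octets of a
// DER GeneralizedTime against RFC 5280 section 4.1.2.5.2: YYYYMMDDHHMMSSZ only.
enum class TimeCheck { Ok, BadLength, NotZulu, NonDigit, BadField };

static int TwoDigits(const std::string& s, size_t pos) {
  return (s[pos] - '0') * 10 + (s[pos + 1] - '0');
}

static int DaysInMonth(int year, int month) {
  static const int kDays[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
  bool leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
  return (month == 2 && leap) ? 29 : kDays[month - 1];
}

TimeCheck CheckGeneralizedTime(const std::string& value) {
  // Exactly 14 digits plus 'Z'. Other lengths cover the forms X.680 allows
  // but the profile forbids: no seconds ("YYYYMMDDHHMMZ"), local time with
  // no suffix ("YYYYMMDDHHMMSS"), and fractional seconds ("...SS.fZ").
  if (value.size() != 15) return TimeCheck::BadLength;
  // Right length but not Zulu, e.g. hour precision with a UTC offset
  // ("YYYYMMDDHH+0100" is also 15 characters).
  if (value[14] != 'Z') return TimeCheck::NotZulu;
  for (size_t i = 0; i < 14; ++i) {
    if (value[i] < '0' || value[i] > '9') return TimeCheck::NonDigit;
  }
  int year = TwoDigits(value, 0) * 100 + TwoDigits(value, 2);
  int month = TwoDigits(value, 4);
  int day = TwoDigits(value, 6);
  int hour = TwoDigits(value, 8);
  int minute = TwoDigits(value, 10);
  int second = TwoDigits(value, 12);
  if (month < 1 || month > 12) return TimeCheck::BadField;
  if (day < 1 || day > DaysInMonth(year, month)) return TimeCheck::BadField;
  // Assumption of this example: second 60 (leap second) is rejected.
  if (hour > 23 || minute > 59 || second > 59) return TimeCheck::BadField;
  return TimeCheck::Ok;
}
```

The same function applies to the four OCSP times, since RFC 6960 section 4.2.2.1 points back to the RFC 5280 format.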