Closed Bug 465246 Opened 17 years ago Closed 17 years ago

Ensure that NSS validates certs with indefinite expiration dates

Categories

(NSS :: Libraries, enhancement)

Product:
NSS
Component:
Libraries
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: nelson, Unassigned)

Details

RFC 5280 defines an indefinite expiration date value to be used in certs whose lifetime is expected to be long, and no definite expiration date can be established for it, such as certs that go into ROMs for equipment. That value is defined as "the GeneralizedTime value of 99991231235959Z." That's one second before midnight, at the end of Dec 31, year 9999. We should make sure that NSS will do the right thing with certs bearing that notAfter date, and not have a problem with it. If that date comes after the date that corresponds to the maximum value of a PRTime, then it may be necessary to special case that date (or, say, all dates in the year 9999) for that purpose, by converting such dates to the maximum PRTime value.
Version: 3.4 → trunk
I see that January 1st, year 10000, is already defined as a PRTime value and it's well within the range of PRTime. In util/dertime.c, we see: 57 static const PRTime January1st10000 = LL_INIT(0x0384440c, 0xcc736000); So, there is nothing to do for this bug, I think.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
Yes, both PRTime and PRExplodedTime (which has PRInt16 tm_year) can handle the date 99991231235959Z.
You need to log in before you can comment on or make changes to this bug.