Visolve Security Consulting Group wrote:
Hello Development Team,

When a certificate with a value of "11499" as days argument is created, it is working fine. But when a certificate is created with the value of "11500" for the days argument, an invalid certificate is created.

    Not Before: Jul 26 12:53:48 2006 GMT
    Not After : Dec 14 06:25:32 1901 GMT

On verification the certificate is considered as expired.

    error 10 at 0 depth lookup:certificate has expired
    OK

The same thing is happening for the negative values. Is it a bug? Without preventing the creation of such invalid certificate with expiry dates.

I just checked ca.c; line 1995 contains the statement

    if (enddate == NULL) X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days);

So there is an obvious problem if days>24855.

A similar problem exists with the enddate parameter, since it looks like in the ASN1 timestamp format of YYMMDDHHMMSSZ years > 50 are considered to be years since 1900...
IMHO that's not a real problem for some years, but I'll try to write a patch for ca.c which at least issues a warning message if the Not Before of a certificate is before the Not After.
Ted ;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
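
Added example, not part of the original thread and not OpenSSL code: a model of the quoted ca.c arithmetic that reproduces the reported dates and shows a range check that rejects them. It assumes the reporting system had a 32-bit long and time_t; wrap32, not_after_32bit and check_days are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400LL

/* Constructed from the report: "Not Before: Jul 26 12:53:48 2006 GMT" as Unix time. */
#define NOT_BEFORE_2006 1153918428LL

/* Reduce a value to what a signed 32-bit two's-complement field would hold. */
static int64_t wrap32(int64_t v)
{
    uint64_t low = (uint64_t)v & 0xFFFFFFFFULL;
    return low >= 0x80000000ULL ? (int64_t)low - 0x100000000LL : (int64_t)low;
}

/* Models notAfter = now + (long)60*60*24*days with 32-bit long and time_t (assumption). */
int64_t not_after_32bit(int64_t now, long days)
{
    int64_t offset = wrap32(SECS_PER_DAY * days); /* wraps once days > 24855 */
    return wrap32(now + offset);                  /* wraps once the sum passes 2038 */
}

/* Hypothetical guard: 0 if the end date is usable, -1 if days is not
 * positive or now + days would not fit in a signed 32-bit time value. */
int check_days(int64_t now, long days)
{
    if (days <= 0)
        return -1;
    if (days > (INT32_MAX - now) / SECS_PER_DAY)
        return -1;
    return 0;
}

int main(void)
{
    long samples[] = { 11499, 11500, -1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long d = samples[i];
        printf("days=%ld notAfter=%lld check=%d\n", d,
               (long long)not_after_32bit(NOT_BEFORE_2006, d),
               check_days(NOT_BEFORE_2006, d));
    }
    return 0;
}
```

For days=11500 the modelled notAfter is -2147448868, which is Dec 14 06:25:32 1901 GMT, the value in the report. The addition to the current time overflows well before the multiplication alone does at days>24855.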