> Hi,
>
> I am encountering an issue in ASN1_UTCTIME_adj_ex when my system time is
> set to a future date/year (Year 2085). My certificate is based on UTC time
> and I am using OpenSSL 1.0.1c on VxWorks.
>
> During validation of my certificate, openssl (X509_vfy.c) throws the error
> "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD", though the dates in the
> certificate are valid (Jul 18 00:00:00 2012 GMT).
>
> Below is the code trace leading to this error. (I have only provided the
> relevant code and occasionally embedded comments or printf highlighting
> the flow in the scenario). The two important things to be noted in the
> scenario are a valid certificate date/year with an invalid/future system
> date/year.
>
> Code flow:
>
> static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
> {
>     ...
>     ..
>     i=X509_cmp_time(X509_get_notBefore(x), ptime);
>     ...
>     ..
> }
>
> int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
> {
>     ...
>     if (0 != cmp_time)
>     {
>         ...
>     }
>     else
>     {
>         printf("\n **** The flow hits this part as cmp_time is 0 ****\n");
>     }
>
>     if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
>     {
>         printf("\n **** X509_cmp_time, X509_time_adj returned failure ****\n");
>         return 0;
>     }
>     ...
>     ...
> }
>
> Further analyzing and debugging the X509_time_adj code leads to the
> following...
>
> ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
> {
>     return X509_time_adj_ex(s, 0, offset_sec, in_tm);
> }
>
> ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
>     int offset_day, long offset_sec, time_t *in_tm)
> {
>     ...
>
>     if (in_tm)
>     {
>         ...
>     }
>     else
>     {
>         time(&t);
>         if (0 != &t)
>         {
>             // Printing time (integer) here gives
>             // t = -648380460; // some date in year 2085
>         }
>         else
>         {
>             ...
>         }
>     }
>     if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING))
>     {
>         if (s->type == V_ASN1_UTCTIME)
>         {
>             ....
>             return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
>         }
>         ....
>     }
>     ...
>     ...
> }
>
> ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
>     int offset_day, long offset_sec)
> {
>     ...
>
>     if((ts->tm_year < 50) || (ts->tm_year >= 150))
>         return NULL;
>
>     ...
> }
>
> The above conditional check (ts->tm_year < 50) || (ts->tm_year >= 150)
> passes (since the system time year was 2085, tm_year = 185) leading to a
> return value of NULL.
> The issue is easily reproducible if 't' is set to something like
> -648380460 as indicated in the code above.
>
> There seem to be two issues here:
> 1. The error is not because of the notBefore field, but because of the
> system time. So the return type of notBefore field error is misleading.
> 2. The above logic does not consider if the system time is beyond UTC time.
>
> Kindly request you to let me know if this is a known issue and has been
> fixed in any of the future releases. If not, request you to kindly provide
> a fix for this. Any other suggestions are welcome.
>
> Thanks & Best Regards,
> Srinivas
>
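
Added example, not part of the original post and not OpenSSL code: a stand-alone pre-check that applies the same `tm_year` window quoted above to the system clock, so that a clock outside 1950..2049 can be reported as a clock problem rather than as a notBefore field error. The names `widen_printed_time`, `utc_year` and `utctime_clock_check` are hypothetical, and the reading of the printed `-648380460` as an unsigned 32-bit `time_t` shown through a signed format is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Outcome of checking the clock against the window UTCTime can encode. */
enum clock_check { CLOCK_OK, CLOCK_BEFORE_1950, CLOCK_AFTER_2049, CLOCK_UNCONVERTIBLE };

/* Assumption: the target's time_t is an unsigned 32-bit value that the
 * debug printf showed through a signed format. Recover the real count. */
static int64_t widen_printed_time(int32_t printed)
{
    return (int64_t)(uint32_t)printed;
}

/* Calendar year (UTC) for a seconds-since-epoch value, or 0 on failure. */
static int utc_year(int64_t secs)
{
    time_t t = (time_t)secs;
    struct tm *tmv;
    if ((int64_t)t != secs)   /* value does not fit this platform's time_t */
        return 0;
    tmv = gmtime(&t);         /* gmtime() is not reentrant; fine for a demo */
    return tmv ? tmv->tm_year + 1900 : 0;
}

/* Same window as the quoted test (tm_year < 50 || tm_year >= 150), but it
 * reports which side the clock is on instead of a bare NULL. */
static enum clock_check utctime_clock_check(int64_t secs)
{
    int year = utc_year(secs);
    if (year == 0)    return CLOCK_UNCONVERTIBLE;
    if (year < 1950)  return CLOCK_BEFORE_1950;
    if (year >= 2050) return CLOCK_AFTER_2049;
    return CLOCK_OK;
}

int main(void)
{
    int64_t now = widen_printed_time(-648380460);  /* value from the post */
    printf("clock=%lld year=%d check=%d\n", (long long)now, utc_year(now),
           (int)utctime_clock_check(now));
    return 0;
}
```

On a platform with a signed 64-bit `time_t`, the literal `-648380460` falls in 1949 instead, which is also outside the window, so the failure reproduces either way but for the opposite bound.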