php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66636 openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME
Submitted: 2014-02-03 15:48 UTC Modified: 2014-06-08 21:22 UTC
Votes:7
Avg. Score:4.4 ± 0.7
Reproduced:6 of 6 (100.0%)
Same Version:0 (0.0%)
Same OS:2 (33.3%)
From: jcarter at meruetnworks dot com Assigned: stas (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.4.24 OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: jcarter at meruetnworks dot com
New email:
PHP Version: OS:

 

 [2014-02-03 15:48 UTC] jcarter at meruetnworks dot com
Description:
------------
This cert in the test script causes openssl_x509_parse() to give a warning "illegal ASN1 data type for timestamp". 

The cert was generated by a Windows 2003 server. Note the "valid to" time is "Jun 21 15:59:11 2109 GMT". In openssl.c PHP checks for V_ASN1_UTCTIME, but triggers the warning when the time is V_ASN1_GENERALIZEDTIME. According to a brief search of the openssl source both are valid expressions of a valid from/to time.

We're aware this time is past the unix epoch, suggest any fix continues to set validTo_time_t to -1 in this situation.

Thanks, John


Test script:
---------------
<?php

$cert = '-----BEGIN CERTIFICATE-----
MIIDiTCCAnGgAwIBAgIQTp32u93Rer1JSevmObIqPjANBgkqhkiG9w0BAQUFADBW
MRMwEQYKCZImiZPyLGQBGRYDY29tMSAwHgYKCZImiZPyLGQBGRYQaWRlbnRpdHlu
ZXR3b3JrczEdMBsGA1UEAxMUaWRlbnRpdHluZXR3b3Jrcy5jb20wIBcNMTAwNjIx
MTU0OTEzWhgPMjEwOTA2MjExNTU5MTFaMFYxEzARBgoJkiaJk/IsZAEZFgNjb20x
IDAeBgoJkiaJk/IsZAEZFhBpZGVudGl0eW5ldHdvcmtzMR0wGwYDVQQDExRpZGVu
dGl0eW5ldHdvcmtzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AL1lcawnrOiH8Zmkk1KqX8L1HNoUuImYpi+ILX32mOO3lwKi2+1uwN9c6Gtuj8Iq
G5wPfDG9kDWCVV1YqdXVJpr1yZsMcZMtHplsOaEmYmJ1icJfWqy4fHYG945rdZEU
Nk+yxBo6/CkaBKFDw9WRLswBOaFxIPu2hTRpsaFGiFYtTMVhvKv85sE4vX22w1DZ
C4/UuxGSo5g3CNX5pA68YCA+kQAvhupX4BHINHuWItquf9vFE6Fm5byFRHiJFqZo
NNioWIi+Y67jJqBl+YOhPE3KuhZhdgi/Hm2/oB6RjVWJdlIDN2iTPaeikIAOahO6
lMt7uDDclrS/3AqpftHtDw0CAwEAAaNRME8wCwYDVR0PBAQDAgGGMA8GA1UdEwEB
/wQFMAMBAf8wHQYDVR0OBBYEFHDmc20i3LpNg4II9MDNShE49KakMBAGCSsGAQQB
gjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IBAQBUNxuWYVF9sSRcu1vOG4Glhx1e
bNeUlvonMnYQvRbyh36+wD2Z2SCAhSwjzsI7JyXl9b4VONmkxKFoOyGrhSSgNfF8
+u9ZTTsB6J1C1IEcR0xvS8RJpmBkwXS08Dek91K9vIPFzVuq+tk5+YCUX704PMqJ
zpzATZPEokssc8si5onSjQT2TqoD/YcVQq8QgcRwVPAtUiFkmjfMtiHancu2DraK
hwxG2/YZ+ONUo9kpxvdMZwesj8frbyjojKqVeDTI1uJlhieFYulgI0+UNOabnKej
M+MUp3IKiKAN4mfxi4+/Wyllzq+xXLVrVqMXpD9q7RfOawBIW3TRNfU5rqb+
-----END CERTIFICATE-----';

$a = openssl_x509_parse($cert, false);


Expected result:
----------------
No error

Actual result:
--------------
Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /root/bad.php on line 27


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-02-05 14:24 UTC] thomas at gelf dot net
Here is another certificate triggering this erraneous warning. You can find it on every Debian Wheezy box that has the ca-certificates package installed. The certificate is provided in /usr/share/ca-certificates/mozilla as EE_Certification_Centre_Root_CA.crt and therefore available in /etc/ssl/certs/ca-certificates.crt (generated by update-ca-certificates).

ASN.1 timestamp format is GENERALIZEDTIME, all the other certificates using UTCTIME are working as expected:

-----BEGIN CERTIFICATE-----
MIIEAzCCAuugAwIBAgIQVID5oHPtPwBMyonY43HmSjANBgkqhkiG9w0BAQUFADB1
MQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1
czEoMCYGA1UEAwwfRUUgQ2VydGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYG
CSqGSIb3DQEJARYJcGtpQHNrLmVlMCIYDzIwMTAxMDMwMTAxMDMwWhgPMjAzMDEy
MTcyMzU5NTlaMHUxCzAJBgNVBAYTAkVFMSIwIAYDVQQKDBlBUyBTZXJ0aWZpdHNl
ZXJpbWlza2Vza3VzMSgwJgYDVQQDDB9FRSBDZXJ0aWZpY2F0aW9uIENlbnRyZSBS
b290IENBMRgwFgYJKoZIhvcNAQkBFglwa2lAc2suZWUwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDIIMDs4MVLqwd4lfNE7vsLDP90jmG7sWLqI9iroWUy
euuOF0+W2Ap7kaJjbMeMTC55v6kF/GlclY1i+blw7cNRfdCT5mzrMEvhvH2/UpvO
bntl8jixwKIy72KyaOBhU8E2lf/slLo2rpwcpzIP5Xy0xm90/XsY6KxX7QYgSzIw
WFv9zajmofxwvI6Sc9uXp3whrj3B9UiHbCe9nyV0gVWw93X2PaRka9ZP585ArQ/d
MtO8ihJTmMmJ+xAdTX7Nfh9WDSFwhfYggx/2uh8Ej+p3iDXE/+pOoYtNP2MbRMNE
1CV2yreN1x5KZmTNXMWcg+HCCIia7E6j8T4cLNlsHaFLAgMBAAGjgYowgYcwDwYD
VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBLyWj7qVhy/
zQas8fElyalL1BSZMEUGA1UdJQQ+MDwGCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYB
BQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQEF
BQADggEBAHv25MANqhlHt01Xo/6tu7Fq1Q+e2+RjxY6hUFaTlrg4wCQiZrxTFGGV
v9DHKpY5P30osxBAIWrEr7BSdxjhlthWXePdNl4dp1BUoMUq5KqMlIpPnTX/dqQG
E5Gion0ARD9V04I8GtVbvFZMIi5GQ4okQC3zErg7cBqklrkar4dBGmoYDQZPxz5u
uSlNDUmJEYcyW+ZLBMjkXOZ0c5RdFpgTlf7727FE5TpwrDdr5rMzcijJs1eg9gIW
iAYLtqZLICjU3j2LrTcFU3T+bsy8QxdxXvnFzBqpYe73dgzzcvRyrc9yAjYHR8/v
GVCJYMzpJJUPwssd8m92kMfMdcGWxZ0=
-----END CERTIFICATE-----

Regards,
Thomas Gelf
 [2014-03-21 15:41 UTC] oroszisam at gmail dot com
This warning was introduced as a result of fixing CVE-2013-6420.
Before that, GeneralizedTime was simply parsed incorrectly. There is a bug report for that as well, see bug #65698.

--
sam
 [2014-06-08 21:22 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2014-06-08 21:22 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 04 21:01:29 2024 UTC