Home Original page

PHP :: Bug #66636 :: openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME

Bug #66636 openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME
Submitted: 2014-02-03 15:48 UTC Modified: 2014-06-08 21:22 UTC
Votes:7
Avg. Score:4.4 ± 0.7
Reproduced:6 of 6 (100.0%)
Same Version:0 (0.0%)
Same OS:2 (33.3%)
From: jcarter at meruetnworks dot com Assigned: stas (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.4.24 OS: Linux
Private report: No CVE-ID: None

 [2014-02-03 15:48 UTC] jcarter at meruetnworks dot com

Description:
------------
This cert in the test script causes openssl_x509_parse() to give a warning "illegal ASN1 data type for timestamp". 

The cert was generated by a Windows 2003 server. Note the "valid to" time is "Jun 21 15:59:11 2109 GMT". In openssl.c PHP checks for V_ASN1_UTCTIME, but triggers the warning when the time is V_ASN1_GENERALIZEDTIME. According to a brief search of the openssl source both are valid expressions of a valid from/to time.

We're aware this time is past the unix epoch, suggest any fix continues to set validTo_time_t to -1 in this situation.

Thanks, John


Test script:
---------------
<?php

$cert = '-----BEGIN CERTIFICATE-----
MIIDiTCCAnGgAwIBAgIQTp32u93Rer1JSevmObIqPjANBgkqhkiG9w0BAQUFADBW
MRMwEQYKCZImiZPyLGQBGRYDY29tMSAwHgYKCZImiZPyLGQBGRYQaWRlbnRpdHlu
ZXR3b3JrczEdMBsGA1UEAxMUaWRlbnRpdHluZXR3b3Jrcy5jb20wIBcNMTAwNjIx
MTU0OTEzWhgPMjEwOTA2MjExNTU5MTFaMFYxEzARBgoJkiaJk/IsZAEZFgNjb20x
IDAeBgoJkiaJk/IsZAEZFhBpZGVudGl0eW5ldHdvcmtzMR0wGwYDVQQDExRpZGVu
dGl0eW5ldHdvcmtzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AL1lcawnrOiH8Zmkk1KqX8L1HNoUuImYpi+ILX32mOO3lwKi2+1uwN9c6Gtuj8Iq
G5wPfDG9kDWCVV1YqdXVJpr1yZsMcZMtHplsOaEmYmJ1icJfWqy4fHYG945rdZEU
Nk+yxBo6/CkaBKFDw9WRLswBOaFxIPu2hTRpsaFGiFYtTMVhvKv85sE4vX22w1DZ
C4/UuxGSo5g3CNX5pA68YCA+kQAvhupX4BHINHuWItquf9vFE6Fm5byFRHiJFqZo
NNioWIi+Y67jJqBl+YOhPE3KuhZhdgi/Hm2/oB6RjVWJdlIDN2iTPaeikIAOahO6
lMt7uDDclrS/3AqpftHtDw0CAwEAAaNRME8wCwYDVR0PBAQDAgGGMA8GA1UdEwEB
/wQFMAMBAf8wHQYDVR0OBBYEFHDmc20i3LpNg4II9MDNShE49KakMBAGCSsGAQQB
gjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IBAQBUNxuWYVF9sSRcu1vOG4Glhx1e
bNeUlvonMnYQvRbyh36+wD2Z2SCAhSwjzsI7JyXl9b4VONmkxKFoOyGrhSSgNfF8
+u9ZTTsB6J1C1IEcR0xvS8RJpmBkwXS08Dek91K9vIPFzVuq+tk5+YCUX704PMqJ
zpzATZPEokssc8si5onSjQT2TqoD/YcVQq8QgcRwVPAtUiFkmjfMtiHancu2DraK
hwxG2/YZ+ONUo9kpxvdMZwesj8frbyjojKqVeDTI1uJlhieFYulgI0+UNOabnKej
M+MUp3IKiKAN4mfxi4+/Wyllzq+xXLVrVqMXpD9q7RfOawBIW3TRNfU5rqb+
-----END CERTIFICATE-----';

$a = openssl_x509_parse($cert, false);


Expected result:
----------------
No error

Actual result:
--------------
Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /root/bad.php on line 27

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2014-02-05 14:24 UTC] thomas at gelf dot net

Here is another certificate triggering this erraneous warning. You can find it on every Debian Wheezy box that has the ca-certificates package installed. The certificate is provided in /usr/share/ca-certificates/mozilla as EE_Certification_Centre_Root_CA.crt and therefore available in /etc/ssl/certs/ca-certificates.crt (generated by update-ca-certificates).

ASN.1 timestamp format is GENERALIZEDTIME, all the other certificates using UTCTIME are working as expected:

-----BEGIN CERTIFICATE-----
MIIEAzCCAuugAwIBAgIQVID5oHPtPwBMyonY43HmSjANBgkqhkiG9w0BAQUFADB1
MQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1
czEoMCYGA1UEAwwfRUUgQ2VydGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYG
CSqGSIb3DQEJARYJcGtpQHNrLmVlMCIYDzIwMTAxMDMwMTAxMDMwWhgPMjAzMDEy
MTcyMzU5NTlaMHUxCzAJBgNVBAYTAkVFMSIwIAYDVQQKDBlBUyBTZXJ0aWZpdHNl
ZXJpbWlza2Vza3VzMSgwJgYDVQQDDB9FRSBDZXJ0aWZpY2F0aW9uIENlbnRyZSBS
b290IENBMRgwFgYJKoZIhvcNAQkBFglwa2lAc2suZWUwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDIIMDs4MVLqwd4lfNE7vsLDP90jmG7sWLqI9iroWUy
euuOF0+W2Ap7kaJjbMeMTC55v6kF/GlclY1i+blw7cNRfdCT5mzrMEvhvH2/UpvO
bntl8jixwKIy72KyaOBhU8E2lf/slLo2rpwcpzIP5Xy0xm90/XsY6KxX7QYgSzIw
WFv9zajmofxwvI6Sc9uXp3whrj3B9UiHbCe9nyV0gVWw93X2PaRka9ZP585ArQ/d
MtO8ihJTmMmJ+xAdTX7Nfh9WDSFwhfYggx/2uh8Ej+p3iDXE/+pOoYtNP2MbRMNE
1CV2yreN1x5KZmTNXMWcg+HCCIia7E6j8T4cLNlsHaFLAgMBAAGjgYowgYcwDwYD
VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBLyWj7qVhy/
zQas8fElyalL1BSZMEUGA1UdJQQ+MDwGCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYB
BQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQEF
BQADggEBAHv25MANqhlHt01Xo/6tu7Fq1Q+e2+RjxY6hUFaTlrg4wCQiZrxTFGGV
v9DHKpY5P30osxBAIWrEr7BSdxjhlthWXePdNl4dp1BUoMUq5KqMlIpPnTX/dqQG
E5Gion0ARD9V04I8GtVbvFZMIi5GQ4okQC3zErg7cBqklrkar4dBGmoYDQZPxz5u
uSlNDUmJEYcyW+ZLBMjkXOZ0c5RdFpgTlf7727FE5TpwrDdr5rMzcijJs1eg9gIW
iAYLtqZLICjU3j2LrTcFU3T+bsy8QxdxXvnFzBqpYe73dgzzcvRyrc9yAjYHR8/v
GVCJYMzpJJUPwssd8m92kMfMdcGWxZ0=
-----END CERTIFICATE-----

Regards,
Thomas Gelf

 [2014-03-21 15:41 UTC] oroszisam at gmail dot com

This warning was introduced as a result of fixing CVE-2013-6420.
Before that, GeneralizedTime was simply parsed incorrectly. There is a bug report for that as well, see bug #65698.

--
sam

 [2014-06-08 21:22 UTC] stas@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: stas

 [2014-06-08 21:22 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.