Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bouncy Castle 1.79 cannot process thisUpdate field according to RFC5280 #1986

Open
onepeople158 opened this issue Feb 5, 2025 · 5 comments
Open

Bouncy Castle 1.79 cannot process thisUpdate field according to RFC5280 #1986

onepeople158 opened this issue Feb 5, 2025 · 5 comments

Comments

@onepeople158
Copy link

onepeople158 commented Feb 5, 2025
edited
Loading

Main content:
The RFC standard for X.509 CRLs restricts the thisUpdate field to only two formats, namely UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSSZ) in ASN.1 representation, which are 13 and 15 characters wide, respectively. However, Bouncy Castle 1.79 accepts CRL with a thisUpdate field of length 11 ("0103010100Z").The openssl cannot print the information of this CRL file.

Version of Bouncy Castle used:

(bcprov-jdk18on-1.79.jar:bcpkix-jdk18on-1.79.jar)

Computer system:
Ubuntu

How reproducible:

import java.io.InputStream;
import java.io.FileInputStream;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.cert.X509CRLHolder;

public class CRLParserExample3 {
    public static void main(String[] args) throws Exception{
            InputStream inputStream = new FileInputStream("crl_file.der");

            X509CRLHolder crlHolder = new X509CRLHolder(inputStream);
            
            System.out.println("Issuer: " + crlHolder.getIssuer());
            System.out.println("ThisUpdate: " + crlHolder.getThisUpdate());

        } 
}

Actual results:
The CRL is trusted and printed

Expected results:
The RFC standard for X.509 CRLs limits the thisUpdate field to only two formats: UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSSZ) in ASN.1 encoding, which are 13 and 15 characters wide, respectively. Therefore, it should reject a CRL file with a thisUpdate field length of 11 (e.g., "0103010100Z").

test.zip
@winfriedgerlach
Copy link
Collaborator

@onepeople158 why was this ticket closed? I would like to assign a label but I do not understand whether you rejected your question or whether it was a bug and it was fixed somehow without the PR being linked to this issue?

@onepeople158 onepeople158 reopened this Feb 24, 2025
@onepeople158
Copy link
Author

@onepeople158 why was this ticket closed? I would like to assign a label but I do not understand whether you rejected your question or whether it was a bug and it was fixed somehow without the PR being linked to this issue?

Hello, I accidentally clicked the wrong button earlier, but now I've reopened the report.

@onepeople158
Copy link
Author

@onepeople158 why was this ticket closed? I would like to assign a label but I do not understand whether you rejected your question or whether it was a bug and it was fixed somehow without the PR being linked to this issue?

Hello Developer, this report has been reopened. Could you please assign a label?

@winfriedgerlach
Copy link
Collaborator

@onepeople158 sorry, I do not feel confident enough to classify this as "bug"; let's wait for a comment from a developer, I am just the "label janitor" ;-)

@onepeople158
Copy link
Author

I can still parse the time using Bouncy Castle 1.80.

Image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@winfriedgerlach @onepeople158