From f425e116b53d84a4b7d9c49ff9840df786ef93e3 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 25 Aug 2021 16:48:10 -0500
Subject: [PATCH] hx509: For times before 2050 use UTCTime

---
 lib/hx509/ca.c | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/lib/hx509/ca.c b/lib/hx509/ca.c
index 08c00e179..6d222be21 100644
--- a/lib/hx509/ca.c
+++ b/lib/hx509/ca.c
@@ -1752,10 +1752,30 @@ ca_sign(hx509_context context,
 goto out;
 }
 /* validity Validity, */
- tbsc->validity.notBefore.element = choice_Time_generalTime;
- tbsc->validity.notBefore.u.generalTime = notBefore;
- tbsc->validity.notAfter.element = choice_Time_generalTime;
- tbsc->validity.notAfter.u.generalTime = notAfter;
+ {
+ /*
+ * From RFC 5280, section 4.1.2.5:
+ *
+ * CAs conforming to this profile MUST always encode certificate
+ * validity dates through the year 2049 as UTCTime; certificate validity
+ * dates in 2050 or later MUST be encoded as GeneralizedTime.
+ * Conforming applications MUST be able to process validity dates that
+ * are encoded in either UTCTime or GeneralizedTime.
+ *
+ * 2524608000 is seconds since the epoch for 2050-01-01T00:00:00Z.
+ */
+ if (notBefore < 1 || (int64_t)notBefore < 2524608000)
+ tbsc->validity.notBefore.element = choice_Time_utcTime;
+ else
+ tbsc->validity.notBefore.element = choice_Time_generalTime;
+ tbsc->validity.notBefore.u.generalTime = notBefore;
+
+ if (notAfter < 1 || (int64_t)notBefore < 2524608000)
+ tbsc->validity.notAfter.element = choice_Time_utcTime;
+ else
+ tbsc->validity.notAfter.element = choice_Time_generalTime;
+ tbsc->validity.notAfter.u.generalTime = notAfter;
+ }
 /* subject Name, */
 if (tbs->flags.proxy) {
 ret = build_proxy_prefix(context, &tbsc->issuer, &tbsc->subject);
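Review bot: The notAfter branch tests the wrong variable: `if (notAfter < 1 || (int64_t)notBefore < 2524608000)` compares notBefore, so a certificate whose notBefore is before 2050 but whose notAfter is 2050 or later gets its notAfter tagged as UTCTime, which cannot represent that year and violates the RFC 5280 rule quoted in the comment; the line should read `if (notAfter < 1 || (int64_t)notAfter < 2524608000)`. Both branches also store the value through `u.generalTime` even when `element` is set to `choice_Time_utcTime`; if the two CHOICE members share one representation in the generated Time type that is presumably fine but deserves a one-line comment saying so, otherwise the utcTime case should assign `u.utcTime`. The `< 1` clause routes negative and zero times to UTCTime as well, and UTCTime only covers 1950 through 2049, so it may be worth rejecting or documenting pre-1950 values rather than silently encoding them. ca_sign begins and ends outside this hunk.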