Skip Menu |
 

This queue is for tickets about the Crypt-X509 CPAN distribution.

Report information
The Basics
Id: 79715
Status: open
Priority: 0/
Queue: Crypt-X509

People
Owner: Nobody in particular
Requestors: stephen.baynes [...] smoothwall.net
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.51
Fixed in: (no value)



Subject: Certificate dates after 2038 should return something usefull for time on 32 bits.
Download (untitled) / with headers
text/plain 525b
Certificate dates after 2038 (which do not fit in a signed 32 bit POSIX time) do not return anything useful for not after times. Also produces internal diagnostics: Day too big - 25566 > 24855 Sec too small - 25566 < 74752 Sec too big - 25566 > 11647 The time should always be returned as broken down time format (year,month,...sec,tz) and optionally time_t if possible. This is a problem now as Certificate Authorities are already issueing certificates with expiry dates >2038 - see attached for example. Perl v5.8.8 i386
Subject: StartCom Certification Authority G2's CA.pem

Message body not shown because it is not plain text.

Subject: Can't parse modern certificates.
From: tlhackque [...] yahoo.com
Download (untitled) / with headers
text/plain 1.4k
Besides not handling >32-bit dates, it appears that the certificate parsing aborts when it finds them. I could live with no dates, but stopping the parse makes the module useless for modern certificates. I understand that dates >2038 won't fit in a time_t, but Perl can certainly return a 64-bit value - or even a bignum. Clearly major issuers and tools (StartSSL and OpenSSL for sure) have settled on a working definition of generalTime. This issue has been open for 3 years - is the module being maintained? Attached cert produces (in the debugger): x $c = Crypt::X509->new( cert => slurpFile( '../test-ca/NetworkCA/ca_cert.cer' ) ) x $c->Subject 0 ARRAY(0xaa6fe9c) empty array x $c->error 0 'Day too big - 31045 > 24853 Cannot handle date (00, 00, 00, 31, 11, 2054) at /usr/lib/perl5/site_perl/5.8.8/Convert/ASN1/_decode.pm line 588. ' x $c 0 Crypt::X509=HASH(0xaa52aa8) '_error' => 'Day too big - 31045 > 24853 Cannot handle date (00, 00, 00, 31, 11, 2054) at /usr/lib/perl5/site_perl/5.8.8/Convert/ASN1/_decode.pm line 588. ' 'tbsCertificate' => HASH(0xaa6fea8) 'subject' => HASH(0xacec9d8) 'dn' => ARRAY(0xaa6fe9c) empty array OpenSSL has no problem with the certificate; I've attached the text output. Not After : Dec 31 00:00:00 2054 GMT (The sample certificate can not be validated on the public network as the crl & ocsp servers aren't visible.) This is with Perl 5.8.8, i686, Crypt::X509 version 0.51 (latest release). I'd appreciate any help.
Subject: bad_date.cer
Download bad_date.cer
application/octet-stream 1.8k

Message body not shown because it is not plain text.

Subject: bad_date.txt
Download bad_date.txt
text/plain 8.4k
Certificate: Data: Version: 3 (0x2) Serial Number: 12:9f:68:f2:1f:30:aa:5f:ed:ad:23:5a:a2:a6:f3:b6 Signature Algorithm: sha512WithRSAEncryption Issuer: O=litts.net, OU=Network Administration, CN=litts.net Primary CA Validity Not Before: Jan 2 22:12:12 2016 GMT Not After : Dec 31 00:00:00 2054 GMT Subject: O=litts.net, OU=Network Administration, CN=litts.net Network CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:c7:f8:fc:f4:f5:5f:fc:aa:23:3e:4c:02:ae:50: e2:24:fc:c7:ea:99:c8:7e:71:9a:90:1b:af:ce:27: bf:d4:13:52:39:70:22:af:4d:4a:c9:e0:7a:f4:82: a5:ad:01:c0:5f:bf:77:8e:b0:e2:c8:7d:8d:03:b6: cc:c3:31:7d:b0:dc:80:06:0a:8b:c0:d2:12:07:ea: 95:d0:5a:81:b2:10:a6:c8:71:c7:97:b0:0f:8f:07: ee:a4:33:64:3d:19:c2:d8:98:b5:9d:c6:7a:81:43: 88:45:e8:a1:b7:45:f9:e1:45:b6:49:1b:27:21:20: 42:2f:fa:64:6f:f8:79:75:20:f8:cc:dd:e6:17:d3: 99:6e:07:6b:3f:d1:88:bb:71:ce:52:70:4d:0e:b2: 85:38:6e:49:94:ab:fe:e0:62:02:62:6e:8a:08:cc: 12:67:3a:aa:37:b5:27:94:fd:08:7f:14:d7:b3:97: 80:17:a6:8a:48:d8:46:29:9b:07:79:6f:e9:cc:76: 91:c1:83:93:9a:2b:3f:a9:2d:16:43:53:52:c2:18: ce:df:74:07:a9:8a:09:80:1e:12:4a:35:fa:52:70: ca:83:60:bf:09:89:0d:cc:4b:8c:2e:85:8c:10:43: 5e:00:20:2e:64:28:be:84:92:b4:c2:8d:93:fc:25: 64:de:62:d3:a6:89:3e:8e:98:8b:a6:a9:5e:eb:cd: a4:f2:21:19:48:8b:f4:6b:4a:1e:aa:36:40:9a:9f: 6c:59:b0:72:30:10:6a:18:32:f9:7a:46:0b:67:37: ed:9d:a0:69:3e:1f:91:75:9d:c8:e1:ba:ad:ed:fb: 5d:fa:77:98:08:96:b2:f9:b0:f5:31:78:8d:6f:4b: 46:4a:1b:d0:55:04:80:45:5a:63:4b:e2:3d:22:16: 0d:ba:bd:0b:65:ab:9b:32:0f:01:37:fc:f8:53:53: 39:cd:b1:91:73:98:54:b3:3c:53:5b:ee:e4:96:ab: b5:98:91:fb:47:52:ad:4c:f8:7f:3e:35:e5:30:4e: 03:4a:4e:fc:5b:ef:87:19:a7:3e:24:71:30:bf:56: 99:57:c9:4f:bf:4a:44:a7:c1:49:98:42:ec:90:e8: 89:47:e7:75:9a:c0:43:25:f7:45:6e:00:4b:84:fc: 33:5b:24:1d:df:be:b6:5f:16:26:c8:9a:f6:f7:82: ef:7f:99:65:9d:cc:bf:db:1b:cb:79:df:f5:e5:c3: 27:7a:67:3b:34:33:70:67:9a:f2:64:0f:34:4a:f7: 6d:d0:a4:32:fb:e9:02:c5:d5:b5:68:72:04:b0:1b: b6:47:48:4a:43:59:6d:c8:7b:87:90:8c:91:a4:7d: 68:5a:79 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Issuer Alternative Name: email:security@litts.net X509v3 Subject Alternative Name: email:security@litts.net X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: 25:27:76:E6:7E:92:A3:36:FB:89:CA:EA:53:EC:B9:AA:C7:59:B2:3B X509v3 Key Usage: critical Certificate Sign, CRL Sign Authority Information Access: OCSP - URI:http://security2.litts.net:2560/ocsp/root CA Issuers - URI:http://security.litts.net/ca/68edd9aa5e247f89661b83c4c43ef278.cer OCSP - URI:http://security1.litts.net:2560/ocsp/root X509v3 CRL Distribution Points: Full Name: URI:http://security1.litts.net/crl/root.crl Full Name: URI:http://security2.litts.net/crl/root.crl X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.25043.1.1.1.1 CPS: http://security.litts.net/certpolicy.pdf X509v3 Authority Key Identifier: keyid:F1:B6:16:35:A9:D7:43:21:F1:F7:3B:A5:7E:4F:CC:6B:D9:B3:24:21 Signature Algorithm: sha512WithRSAEncryption 41:eb:35:11:3f:bc:5a:07:f7:97:23:8d:2f:2a:65:ff:85:cf: 92:db:e6:0f:7b:08:21:42:6a:91:ee:9d:9c:4c:78:73:62:2b: 67:38:e4:20:03:65:4b:33:05:89:c7:e6:28:d1:ac:08:fe:32: 21:1f:1f:5b:c3:8d:57:d1:62:f5:52:f4:50:a3:e3:fc:d2:41: d5:ad:e6:56:f2:1a:60:28:15:39:c5:02:24:6f:6a:ab:65:36: 11:d1:f5:63:b0:a4:61:2d:59:00:17:91:3d:dc:c8:2b:6c:1d: 6b:75:66:94:69:5b:e7:43:71:91:99:c6:fc:46:bf:5b:60:a7: a3:09:3d:4b:6c:92:12:81:0a:b3:b4:6f:a0:f1:5e:9f:ab:c2: 51:7f:a1:26:cb:07:0d:e2:1f:1e:65:99:2c:af:90:16:77:af: c5:70:3b:e8:74:83:f4:20:69:36:91:4c:7e:13:da:47:54:40: 48:34:65:6b:35:81:e9:cd:f7:61:d5:7d:e8:4c:0f:79:94:8f: fe:45:0b:37:8e:85:65:b9:d5:d8:f7:ba:13:66:9c:ca:9f:4a: 94:b3:02:14:8f:2c:ae:32:b6:68:79:f7:ea:26:ea:a2:42:75: 75:9b:f2:df:d0:56:d2:26:b9:19:4a:1e:da:6d:08:02:74:18: d4:57:fa:91:e0:d5:6c:c4:3b:3c:9d:a1:a3:5d:fa:9d:fa:5f: d5:4e:b9:95:cc:2d:8a:cb:23:6b:d4:76:a4:a1:05:73:d7:c2: ef:37:09:c0:41:d4:a0:6d:f1:ac:52:b5:ba:46:98:a7:8b:49: 25:97:8c:19:0a:28:1b:44:57:48:64:77:c7:1d:44:ac:5d:d2: 37:b5:b5:c6:f9:54:aa:54:98:c3:72:91:db:e1:d6:c5:10:da: 83:26:52:0f:f5:e4:6b:77:e8:08:f6:86:96:97:6e:ee:36:49: 1c:17:6b:db:4d:1e:97:10:c3:b5:0e:52:81:e6:10:68:ed:69: 62:61:98:61:2e:0e:e0:94:42:86:ef:19:2d:40:b2:be:99:35: 06:3e:75:b7:9d:2a:d1:2d:13:d6:bd:1f:68:3f:e4:8f:71:73: c6:a7:4e:50:b7:f9:85:6f:06:64:de:10:c4:d2:a9:e3:a2:b0: fd:07:f4:7c:08:67:00:40:87:c5:15:fc:37:c6:3b:b6:e6:cc: fe:ab:5e:30:64:22:30:51:f6:45:11:0b:86:1b:03:01:46:a3: 6a:7d:1d:59:4b:5c:be:82:e7:e9:cc:3c:b2:9b:26:76:66:11: 8e:b0:ed:48:d6:84:38:49:04:30:22:60:b4:55:8d:4d:53:99: 5d:8f:be:4e:bc:06:ee:92 -----BEGIN CERTIFICATE----- MIIHZTCCBU2gAwIBAgIQEp9o8h8wql/trSNaoqbztjANBgkqhkiG9w0BAQ0FADBU MRIwEAYDVQQKDAlsaXR0cy5uZXQxHzAdBgNVBAsMFk5ldHdvcmsgQWRtaW5pc3Ry YXRpb24xHTAbBgNVBAMMFGxpdHRzLm5ldCBQcmltYXJ5IENBMCAXDTE2MDEwMjIy MTIxMloYDzIwNTQxMjMxMDAwMDAwWjBUMRIwEAYDVQQKDAlsaXR0cy5uZXQxHzAd BgNVBAsMFk5ldHdvcmsgQWRtaW5pc3RyYXRpb24xHTAbBgNVBAMMFGxpdHRzLm5l dCBOZXR3b3JrIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAx/j8 9PVf/KojPkwCrlDiJPzH6pnIfnGakBuvzie/1BNSOXAir01KyeB69IKlrQHAX793 jrDiyH2NA7bMwzF9sNyABgqLwNISB+qV0FqBshCmyHHHl7APjwfupDNkPRnC2Ji1 ncZ6gUOIReiht0X54UW2SRsnISBCL/pkb/h5dSD4zN3mF9OZbgdrP9GIu3HOUnBN DrKFOG5JlKv+4GICYm6KCMwSZzqqN7UnlP0IfxTXs5eAF6aKSNhGKZsHeW/pzHaR wYOTmis/qS0WQ1NSwhjO33QHqYoJgB4SSjX6UnDKg2C/CYkNzEuMLoWMEENeACAu ZCi+hJK0wo2T/CVk3mLTpok+jpiLpqle682k8iEZSIv0a0oeqjZAmp9sWbByMBBq GDL5ekYLZzftnaBpPh+RdZ3I4bqt7ftd+neYCJay+bD1MXiNb0tGShvQVQSARVpj S+I9IhYNur0LZaubMg8BN/z4U1M5zbGRc5hUszxTW+7klqu1mJH7R1KtTPh/PjXl ME4DSk78W++HGac+JHEwv1aZV8lPv0pEp8FJmELskOiJR+d1msBDJfdFbgBLhPwz WyQd3762XxYmyJr294Lvf5llncy/2xvLed/15cMnemc7NDNwZ5ryZA80Svdt0KQy ++kCxdW1aHIEsBu2R0hKQ1ltyHuHkIyRpH1oWnkCAwEAAaOCAi8wggIrMB0GA1Ud EgQWMBSBEnNlY3VyaXR5QGxpdHRzLm5ldDAdBgNVHREEFjAUgRJzZWN1cml0eUBs aXR0cy5uZXQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJSd25n6Sozb7icrq U+y5qsdZsjswDgYDVR0PAQH/BAQDAgEGMIHNBggrBgEFBQcBAQSBwDCBvTA1Bggr BgEFBQcwAYYpaHR0cDovL3NlY3VyaXR5Mi5saXR0cy5uZXQ6MjU2MC9vY3NwL3Jv b3QwTQYIKwYBBQUHMAKGQWh0dHA6Ly9zZWN1cml0eS5saXR0cy5uZXQvY2EvNjhl ZGQ5YWE1ZTI0N2Y4OTY2MWI4M2M0YzQzZWYyNzguY2VyMDUGCCsGAQUFBzABhilo dHRwOi8vc2VjdXJpdHkxLmxpdHRzLm5ldDoyNTYwL29jc3Avcm9vdDBnBgNVHR8E YDBeMC2gK6AphidodHRwOi8vc2VjdXJpdHkxLmxpdHRzLm5ldC9jcmwvcm9vdC5j cmwwLaAroCmGJ2h0dHA6Ly9zZWN1cml0eTIubGl0dHMubmV0L2NybC9yb290LmNy bDBRBgNVHSAESjBIMEYGDCsGAQQBgcNTAQEBATA2MDQGCCsGAQUFBwIBFihodHRw Oi8vc2VjdXJpdHkubGl0dHMubmV0L2NlcnRwb2xpY3kucGRmMB8GA1UdIwQYMBaA FPG2FjWp10Mh8fc7pX5PzGvZsyQhMA0GCSqGSIb3DQEBDQUAA4ICAQBB6zURP7xa B/eXI40vKmX/hc+S2+YPewghQmqR7p2cTHhzYitnOOQgA2VLMwWJx+Yo0awI/jIh Hx9bw41X0WL1UvRQo+P80kHVreZW8hpgKBU5xQIkb2qrZTYR0fVjsKRhLVkAF5E9 3MgrbB1rdWaUaVvnQ3GRmcb8Rr9bYKejCT1LbJISgQqztG+g8V6fq8JRf6EmywcN 4h8eZZksr5AWd6/FcDvodIP0IGk2kUx+E9pHVEBINGVrNYHpzfdh1X3oTA95lI/+ RQs3joVludXY97oTZpzKn0qUswIUjyyuMrZoeffqJuqiQnV1m/Lf0FbSJrkZSh7a bQgCdBjUV/qR4NVsxDs8naGjXfqd+l/VTrmVzC2KyyNr1HakoQVz18LvNwnAQdSg bfGsUrW6Rpini0kll4wZCigbRFdIZHfHHUSsXdI3tbXG+VSqVJjDcpHb4dbFENqD JlIP9eRrd+gI9oaWl27uNkkcF2vbTR6XEMO1DlKB5hBo7WliYZhhLg7glEKG7xkt QLK+mTUGPnW3nSrRLRPWvR9oP+SPcXPGp05Qt/mFbwZk3hDE0qnjorD9B/R8CGcA QIfFFfw3xju25sz+q14wZCIwUfZFEQuGGwMBRqNqfR1ZS1y+gufpzDyymyZ2ZhGO sO1I1oQ4SQQwImC0VY1NU5ldj75OvAbukg== -----END CERTIFICATE-----
Subject: Y2038 module
From: tlhackque [...] yahoo.com
Download (untitled) / with headers
text/plain 240b
Note that recent Perl now handles dates well beyond 2038. Older Perls can use Time::y2038::Everywhere from CPAN. It's limited to something like +/- 140 million years. But I don't expect to live long enough to worry about that limit.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.