[gnutls-devel] GnuTLS | Gnutls3.6.7 accepts a certificate whose notbefore field is a non-digits string while openssl rejects such certificates (#870)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat Dec 14 14:12:13 CET 2019




llqll commented:


@nmav hello, thanks for your advice. I verified the certificate by reverting [https://gitlab.com/gnutls/gnutls/commit/8e7bc8fec48bf5748b08426ea183d18c2d7b52a9](https://gitlab.com/gnutls/gnutls/commit/8e7bc8fec48bf5748b08426ea183d18c2d7b52a9). And I used the new version of gnutls (gnutls3.6.11) to verify the certificate. The result is the same. gnutls3.6.11 accepts the certificate with an invalid notbefore field.

I think this problem is different from [https://gitlab.com/gnutls/gnutls/issues/207](https://gitlab.com/gnutls/gnutls/issues/207) because the notbefore field of the certificate conforms to DER syntax.

Through debugging I found the reason.

gnutls uses `atoi(x)` to get the year, month and day values. When x cannot be converted to int, it returns 0 instead of an error. In this case, `x=" #"`, and after `year=atoi(x)`, the value of year is 0. [https://baike.baidu.com/item/atoi](https://baike.baidu.com/item/atoi).

The gnutls code is:
![image text](https://github.com/llqll/image/raw/master/certtooltime.png)
 

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/870#note_260357431
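
The `atoi()` behaviour described in the message above, next to a strict digit check, as an added example (not GnuTLS code and not part of the original message). The function names and sample strings are constructed for illustration, and a 13-character `YYMMDDHHMMSSZ` UTCTime layout is assumed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lenient: two-character field converted with atoi(), as described above.
 * atoi() skips leading whitespace and returns 0 when no digits follow,
 * so garbage is indistinguishable from a real "00". */
static int field_atoi(const char *s)
{
    char buf[3] = { s[0], s[1], '\0' };
    return atoi(buf);
}

/* Strict: both characters must be ASCII digits, otherwise fail. */
static int field_strict(const char *s, int *out)
{
    if (!isdigit((unsigned char)s[0]) || !isdigit((unsigned char)s[1]))
        return -1;
    *out = (s[0] - '0') * 10 + (s[1] - '0');
    return 0;
}

/* Syntax and range check only (no month-length or leap-year logic).
 * Returns 1 if the value is a well-formed YYMMDDHHMMSSZ, 0 otherwise. */
static int utctime_is_wellformed(const char *t)
{
    static const int lo[6] = { 0, 1, 1, 0, 0, 0 };
    static const int hi[6] = { 99, 12, 31, 23, 59, 59 };
    int i, v;

    if (strlen(t) != 13 || t[12] != 'Z')
        return 0;
    for (i = 0; i < 6; i++) {
        if (field_strict(t + 2 * i, &v) != 0 || v < lo[i] || v > hi[i])
            return 0;
    }
    return 1;
}

int main(void)
{
    const char *bad = " #1214141213Z";   /* constructed sample */
    const char *good = "191214141213Z";  /* constructed sample */
    printf("atoi year from bad value: %d\n", field_atoi(bad));
    printf("strict check, bad:  %d\n", utctime_is_wellformed(bad));
    printf("strict check, good: %d\n", utctime_is_wellformed(good));
    return 0;
}
```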