
compliance issue: Fort accepts GeneralizedTime with fractional seconds

Open job opened this issue 1 year ago • 3 comments

https://github.com/NICMx/FORT-validator/blame/e6856e67ae7ced7e0945f35373a2ccf4e75dfe9b/src/asn1/asn1c/GeneralizedTime.c#L276

RPKI & RFC 5280 standards do not allow fractional seconds

job avatar Oct 29 '24 15:10 job

```
feather$ /home/job/source/FORT-validator/src/fort --mode=print thisupdate_millis.mft
{
    "contentType": "pkcs7-signedData",
    "content": {
        "version": 3,
        "digestAlgorithms": [
            {
                "algorithm": "SHA256"
            }
        ],
        "encapContentInfo": {
            "eContentType": "id-ct-rpkiManifest",
            "eContent": {
                "manifestNumber": 31,
                "thisUpdate": "2024-10-29 15:50:02Z",              <----- SHOULD THROW DECODING ERROR
                "nextUpdate": "2025-01-29 14:50:02Z",
                "fileHashAlg": "SHA256",
                "fileList": [
```

thisupdate_millis.mft.gz

job avatar Oct 29 '24 15:10 job

object actually contains fractional seconds, as can be seen here:

```
$ openssl asn1parse -in thisupdate_millis.mft -inform der  -i -strparse 62
    0:d=0  hl=4 l= 280 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim:  INTEGER           :1F
    7:d=1  hl=2 l=  19 prim:  GENERALIZEDTIME   :20241029155002.666Z
   28:d=1  hl=2 l=  15 prim:  GENERALIZEDTIME   :20250129145002Z
   45:d=1  hl=2 l=   9 prim:  OBJECT            :sha256
...
```

job avatar Oct 29 '24 15:10 job

~Dang. I missed the DER bug.~

~BRB~

This goes hand-in-hand with #153.

ydahhrk avatar Oct 29 '24 21:10 ydahhrk
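
The strictness this issue asks for, as an added example (not FORT-validator's code and not the fix applied in the project): a check of GeneralizedTime content octets against the RFC 5280 profile, which rejects the 19-byte `thisUpdate` shown in the `asn1parse` output and accepts the 15-byte `nextUpdate`. The names `gt_check_rfc5280` and `enum gt_status` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum gt_status { GT_OK, GT_BAD_LENGTH, GT_BAD_CHAR, GT_NOT_ZULU, GT_BAD_RANGE };

/* Two ASCII digits at p as an int; the caller has already checked they are digits. */
static int two(const unsigned char *p) { return (p[0] - '0') * 10 + (p[1] - '0'); }

static int days_in_month(int y, int m)
{
	static const int d[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
	int leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
	return (m == 2 && leap) ? 29 : d[m - 1];
}

/* Check GeneralizedTime content octets against RFC 5280 section 4.1.2.5.2:
 * exactly "YYYYMMDDHHMMSSZ", so seconds present, UTC only, no fraction. */
enum gt_status gt_check_rfc5280(const unsigned char *v, size_t len)
{
	int y, mo, d;
	size_t i;

	if (len != 15)               /* a ".666" fraction or "+0100" offset changes the length */
		return GT_BAD_LENGTH;
	for (i = 0; i < 14; i++)     /* catches '.' or ',' hidden inside a 15-byte value */
		if (v[i] < '0' || v[i] > '9')
			return GT_BAD_CHAR;
	if (v[14] != 'Z')
		return GT_NOT_ZULU;
	y = two(v) * 100 + two(v + 2);
	mo = two(v + 4);
	d = two(v + 6);
	if (mo < 1 || mo > 12 || d < 1 || d > days_in_month(y, mo))
		return GT_BAD_RANGE;
	/* Assumption: second 60 (leap second) is rejected as out of range. */
	if (two(v + 8) > 23 || two(v + 10) > 59 || two(v + 12) > 59)
		return GT_BAD_RANGE;
	return GT_OK;
}

int main(void)
{
	/* The two values shown in the asn1parse output above. */
	const char *samples[] = { "20241029155002.666Z", "20250129145002Z" };
	for (size_t i = 0; i < 2; i++)
		printf("%-20s -> %d\n", samples[i], (int)gt_check_rfc5280(
		    (const unsigned char *)samples[i], strlen(samples[i])));
	return 0;
}
```

A decoder that applies this check before converting to a timestamp fails on the manifest instead of silently truncating the fraction, which is the behaviour visible in the `--mode=print` output.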