
OpenSSL::ASN1.decode doesn't correctly parse UTCTime or GeneralizedTime with fractional seconds or a timezone

Open rhenium opened this issue 1 year ago • 0 comments

https://github.com/ruby/openssl/issues/724 reminded me of this issue.

Due to an insufficient error check with sscanf() in asn1time_to_time(), OpenSSL::ASN1.decode ignores any fractional seconds or time zone information in DER/BER.

```
$ ruby -ropenssl -e'p OpenSSL::ASN1.decode("\x18\x13" + "20161208193439.123Z").value'
2016-12-08 19:34:39 UTC # <- The fractional seconds are lost
$ ruby -ropenssl -e'p OpenSSL::ASN1.decode("\x18\x13" + "20161208193439+0900").value'
2016-12-08 19:34:39 UTC # <- Timezone is lost
```

https://github.com/ruby/openssl/blob/1e8e2467d771fa82b967914db51f0128a718586f/ext/openssl/ossl_asn1.c#L19-L70

https://github.com/ruby/openssl/blob/1e8e2467d771fa82b967914db51f0128a718586f/test/openssl/test_asn1.rb#L435-L452

rhenium, Mar 11 '24 16:03
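The failure mode described in the issue, as an added example that is not part of the original post and is not copied from `ossl_asn1.c`: a `sscanf()` call whose only check is the conversion count accepts both strings from the report, while a `%n`-based check rejects them instead of silently dropping the suffix. The format string and the helper names `parse_lenient` and `parse_strict` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Lenient: trusts only the conversion count (hypothetical helper).
 * The trailing literal 'Z' is not a conversion, so a mismatch there
 * (".123Z", "+0900") still leaves the return value at 6. */
static int parse_lenient(const char *s, int f[6])
{
    return sscanf(s, "%4d%2d%2d%2d%2d%2dZ",
                  &f[0], &f[1], &f[2], &f[3], &f[4], &f[5]) == 6;
}

/* Strict: accepts exactly "YYYYMMDDhhmmssZ" (hypothetical helper).
 * Anything else is reported as unparsed so the caller can raise an
 * error or hand the value to a parser that understands fractions
 * and offsets. */
static int parse_strict(const char *s, int f[6])
{
    int end = -1;

    /* %d also accepts leading whitespace and a sign, so require
     * 14 plain digits first; a short string stops at its NUL. */
    for (int i = 0; i < 14; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;

    /* %n is stored only if the literal 'Z' matched; it does not
     * count towards the return value. */
    if (sscanf(s, "%4d%2d%2d%2d%2d%2dZ%n",
               &f[0], &f[1], &f[2], &f[3], &f[4], &f[5], &end) != 6)
        return 0;

    /* Reject trailing bytes after 'Z' as well. */
    return end >= 0 && (size_t)end == strlen(s);
}

int main(void)
{
    /* Constructed inputs: the two values from the report plus a plain one. */
    const char *in[] = { "20161208193439Z", "20161208193439.123Z",
                         "20161208193439+0900" };
    int f[6];

    for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++)
        printf("%-22s lenient=%d strict=%d\n", in[i],
               parse_lenient(in[i], f), parse_strict(in[i], f));
    return 0;
}
```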