alecmuffett / certificate-transparency

Automatically exported from code.google.com/p/certificate-transparency

ASN1 parser too strict on time formatting #14

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
more quality certs from embedded systems, this time from 
http://www.marchnetworks.com/

ct.crypto.error.CertificateError: Corrupt time: Invalid time representation: 0001010000Z

Looks like seconds are not put in.

here's the cert:


here's what openssl does:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: OU=3a6adf29-3eae-4e05-be57-df9c2f630c75, O=March Networks, CN=March Networks Platform Certificate Authority
        Validity
            Not Before: Jan  1 00:00:00 2000 GMT
            Not After : Jan  1 00:00:00 2030 GMT
        Subject: OU=3a6adf29-3eae-4e05-be57-df9c2f630c75, O=March Networks, CN=March Networks Platform Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cf:37:a6:bb:c5:7c:23:31:96:84:ab:4b:98:df:
                    13:98:b6:39:da:30:e4:d8:22:57:f5:2f:fc:fd:bd:
                    f2:1f:4a:81:ac:4d:cf:b2:2b:75:85:aa:15:71:7a:
                    6d:ba:d4:84:53:ce:75:2f:bc:71:f7:07:7d:ed:6e:
                    eb:1a:06:43:31:e4:a2:10:6b:c1:67:77:c2:f4:80:
                    f3:3a:cd:fa:d8:fd:39:b8:f3:e4:db:22:a0:e9:78:
                    8e:04:d5:68:65:d1:bb:d4:8e:4b:c3:20:18:0c:b1:
                    f6:f5:aa:56:d8:f3:69:a1:24:65:3f:60:b6:e2:10:
                    bf:f9:dd:15:d9:3a:57:c1:47
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE

etc...

What would you like to do here? I'm happy to adjust x509_time and add tests.

nickg

Original issue reported on code.google.com by nickgsup...@gmail.com on 15 Oct 2013 at 12:38

GoogleCodeExporter commented 9 years ago
patch forthcoming.  Like the matrixssl cert issue, this shows up in maybe ~1% 
of all SSL certs on the web due to embedded systems.

Original comment by nickgsup...@gmail.com on 15 Oct 2013 at 2:16

GoogleCodeExporter commented 9 years ago
Sigh.

Since seconds are optional in ASN.1 UTC time, I suppose we can drop the RFC5280 
requirement that utcTime MUST include seconds. Happy to take a patch.

Original comment by ekasper@google.com on 15 Oct 2013 at 5:51
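The relaxed UTCTime handling discussed above, written out as an added Python example (this is not the project's x509_time code nor the linked patch; CertificateError, parse_utc_time and is_rfc5280_time are constructed stand-ins). It accepts the seconds-less form from the embedded-system certs by default and can still enforce the RFC 5280 "seconds are mandatory" rule on request:

```python
import re
from datetime import datetime, timezone


class CertificateError(ValueError):
    """Stand-in for ct.crypto.error.CertificateError (constructed for this example)."""


# UTCTime: YYMMDDhhmm[ss]Z.  ASN.1 makes the seconds field optional;
# RFC 5280 section 4.1.2.5.1 requires it and requires the trailing 'Z'.
_UTC_TIME_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?Z$")


def parse_utc_time(value, strict=False):
    """Parse an ASN.1 UTCTime string into an aware UTC datetime.

    strict=False (default): accept '0001010000Z' as well as '000101000000Z'.
    strict=True: enforce RFC 5280 and reject a value without seconds, which
    is the behaviour that produced the error reported in this issue.
    """
    m = _UTC_TIME_RE.match(value)
    if not m:
        raise CertificateError("Corrupt time: Invalid time representation: %s" % value)
    yy, mo, dd, hh, mi, ss = m.groups()
    if ss is None:
        if strict:
            raise CertificateError("Corrupt time: RFC 5280 requires seconds: %s" % value)
        ss = "00"  # seconds omitted: ASN.1 permits this, so treat as :00
    # RFC 5280 two-digit year rule: 50..99 -> 1950..1999, 00..49 -> 2000..2049
    year = int(yy)
    year += 1900 if year >= 50 else 2000
    try:
        return datetime(year, int(mo), int(dd), int(hh), int(mi), int(ss), tzinfo=timezone.utc)
    except ValueError as e:
        raise CertificateError("Corrupt time: %s: %s" % (e, value))


def is_rfc5280_time(value):
    """True only if the UTCTime value satisfies the strict RFC 5280 profile."""
    try:
        parse_utc_time(value, strict=True)
    except CertificateError:
        return False
    return True
```

With the certificate from the report, the two validity values parse to the same Jan 1 2000 and Jan 1 2030 instants that openssl prints, while strict mode rejects both.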

GoogleCodeExporter commented 9 years ago

ugh

http://codereview.appspot.com/14741043

for issue #14 and #15

all of these certs are live.. and while the major browsers (+openssl) complain 
about the certs being self-signed they are able to parse them, and accept them.

The other option is to make the low level API that returns the string, and 
let the caller convert.

your thoughts welcome!

nickg

Original comment by nickgsup...@gmail.com on 16 Oct 2013 at 5:25

GoogleCodeExporter commented 9 years ago
I think we should help the caller parse the time. Patch looks good, a few 
comments on the CL.

Original comment by ekasper@google.com on 16 Oct 2013 at 7:31

GoogleCodeExporter commented 9 years ago

updated:
https://codereview.appspot.com/14741043/

patch set 3

(I used -rev instead of --rev for patch #2 when using upload.py)

Original comment by nickgsup...@gmail.com on 17 Oct 2013 at 9:47

GoogleCodeExporter commented 9 years ago
Fixed in

https://code.google.com/p/certificate-transparency/source/detail?r=8e2e1301f4ab9bb91c8cc201c45cac0863b96b79

Thanks, Nick!

Original comment by ekasper@google.com on 18 Oct 2013 at 2:13