arekinath / PivApplet

PIV applet for JavaCard 2.2.2 and 3.0.4+ with full ECDSA/ECDH support

Unable to validate attestation certificate with LibreSSL #55

Closed mistial-dev closed 3 years ago

mistial-dev commented 3 years ago

Issue observed during #48.

The generated certificates for attestation don't validate with OpenSSL, due to a malformed notBefore field.

error 13 at 1 depth lookup:format error in certificate's notBefore field

The issue is the use of GeneralizedTime for the NotBefore field, and is present from 2.8.3 to 3.3.3.

   49:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   54:d=5  hl=2 l=  21 prim: UTF8STRING        :PIVApplet Attestation
   77:d=2  hl=2 l=  34 cons: SEQUENCE          
   79:d=3  hl=2 l=  15 prim: GENERALIZEDTIME   :20180101000000Z
   96:d=3  hl=2 l=  15 prim: GENERALIZEDTIME   :20500101000000Z
  113:d=2  hl=2 l=  35 cons: SEQUENCE          

While this is a valid date, it's not a proper format per RFC 5280:

   Both notBefore and notAfter may be encoded as UTCTime or
   GeneralizedTime.

   CAs conforming to this profile MUST always encode certificate
   validity dates through the year 2049 as UTCTime; certificate validity
   dates in 2050 or later MUST be encoded as GeneralizedTime.
   Conforming applications MUST be able to process validity dates that
   are encoded in either UTCTime or GeneralizedTime.

Changing the certificate generation to UTCTIME resolves the issue.
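An added example (not PivApplet's code) that applies the RFC 5280 rule quoted above: it DER-encodes a Validity SEQUENCE choosing UTCTime through 2049 and GeneralizedTime from 2050 on, and checks an existing Validity for the GeneralizedTime-before-2050 defect seen in the asn1parse output. The sample bytes `BAD_VALIDITY` are constructed to match that output (2018-01-01 to 2050-01-01, both GeneralizedTime, 34-byte SEQUENCE); the rule is only checked for the two validity fields, not the rest of the certificate.

```python
from datetime import datetime

UTCTIME, GENERALIZEDTIME, SEQUENCE = 0x17, 0x18, 0x30


def encode_time(dt: datetime) -> bytes:
    """RFC 5280 4.1.2.5: <= 2049 -> UTCTime YYMMDDHHMMSSZ, >= 2050 -> GeneralizedTime."""
    if dt.year < 1950:
        raise ValueError("UTCTime cannot express years before 1950")
    if dt.year <= 2049:
        tag, body = UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode("ascii")
    else:
        tag, body = GENERALIZEDTIME, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii")
    return bytes([tag, len(body)]) + body  # short-form length is enough here


def encode_validity(not_before: datetime, not_after: datetime) -> bytes:
    inner = encode_time(not_before) + encode_time(not_after)
    return bytes([SEQUENCE, len(inner)]) + inner


def _read_tlv(buf: bytes, off: int):
    tag, length = buf[off], buf[off + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in a Validity")
    start = off + 2
    return tag, buf[start:start + length], start + length


def check_validity(der: bytes) -> list:
    """Return the RFC 5280 encoding violations found in a DER Validity SEQUENCE."""
    tag, inner, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        return ["Validity is not a SEQUENCE"]
    problems, off = [], 0
    for name in ("notBefore", "notAfter"):
        tag, body, off = _read_tlv(inner, off)
        if tag == GENERALIZEDTIME:
            year = int(body[:4])
            if year <= 2049:  # the defect reported in this issue
                problems.append(f"{name}: year {year} encoded as GeneralizedTime, MUST be UTCTime")
        elif tag != UTCTIME:
            problems.append(f"{name}: unexpected tag 0x{tag:02x}")
    return problems


# Constructed sample mirroring the asn1parse output above (both fields GENERALIZEDTIME).
BAD_VALIDITY = b"\x30\x22" + b"\x18\x0f20180101000000Z" + b"\x18\x0f20500101000000Z"
# The same dates encoded per RFC 5280: UTCTime for 2018, GeneralizedTime for 2050.
GOOD_VALIDITY = encode_validity(datetime(2018, 1, 1), datetime(2050, 1, 1))

if __name__ == "__main__":
    print("bad :", check_validity(BAD_VALIDITY))
    print("good:", check_validity(GOOD_VALIDITY), GOOD_VALIDITY.hex())
```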