Generating certificate chains with examples/Gimlet_RoT_Stage0_Code_Signing/config.kdl, I attempted to validate them with OpenSSL.
This required converting them from der to pem
$ openssl x509 -inform der -in "TEST USE ONLY - Gimlet RoT Stage0 Code Signing Engineering Offline CA A Trust Anchor.cert.der" -outform pem -out "TEST USE ONLY - Gimlet RoT Stage0 Code Signing Engineering Offline CA A Trust Anchor.cert.pem"
$ openssl x509 -inform der -in "TEST USE ONLY - Gimlet RoT Stage0 Code Signing Engineering Online Signer A1.cert.der" -outform pem -out "TEST USE ONLY - Gimlet RoT Stage0 Code Signing Engineering Online Signer A1.cert.pem"
$ openssl verify -verbose -CAfile "TEST USE ONLY - Gimlet RoT Stage0 Code Signing Engineering Offline CA A Trust Anchor.cert.pem" "TEST USE ONLY - Gimlet RoT Stage0 Code Signing Engineering Online Signer A1.cert.pem"
CN = US, ST = California, L = Emeryville, O = Oxide Computer Company, OU = Manufacturing, CN = TEST USE ONLY - Gimlet RoT Stage0 Code Signing Engineering Offline CA A
error 13 at 1 depth lookup:format error in certificate's notBefore field
CN = US, ST = California, L = Emeryville, O = Oxide Computer Company, OU = Manufacturing, CN = TEST USE ONLY - Gimlet RoT Stage0 Code Signing Engineering Offline CA A
error 13 at 1 depth lookup:format error in certificate's notBefore field
CN = US, ST = California, L = Emeryville, O = Oxide Computer Company, OU = Manufacturing, CN = TEST USE ONLY - Gimlet RoT Stage0 Code Signing Engineering Offline CA A
error 13 at 1 depth lookup:format error in certificate's notBefore field
CN = US, ST = California, L = Emeryville, O = Oxide Computer Company, OU = Manufacturing, CN = TEST USE ONLY - Gimlet RoT Stage0 Code Signing Engineering Offline CA A
error 13 at 1 depth lookup:format error in certificate's notBefore field
CN = US, ST = California, L = Emeryville, O = Oxide Computer Company, OU = Manufacturing, CN = TEST USE ONLY - Gimlet RoT Stage0 Code Signing Engineering Offline CA A
error 13 at 1 depth lookup:format error in certificate's notBefore field
TEST USE ONLY - Gimlet RoT Stage0 Code Signing Engineering Online Signer A1.cert.pem: verification failed: 13 (format error in certificate's notBefore field)
It looks like the certificate does not use the correct encoding type for the notBefore field. RFC5280 specifies that dates before the year 2050 must use UTCTIME not GENERALIZEDTIME:
CAs conforming to this profile MUST always encode certificate
validity dates through the year 2049 as UTCTime; certificate validity
dates in 2050 or later MUST be encoded as GeneralizedTime.
Generating certificate chains with
examples/Gimlet_RoT_Stage0_Code_Signing/config.kdl
, I attempted to validate them with OpenSSL.This required converting them from
der
topem
It looks like the certificate does not use the correct encoding type for the
notBefore
field. RFC5280 specifies that dates before the year 2050 must use UTCTIME not GENERALIZEDTIME:(4.1.2.5)
However, I see
GENERALIZEDTIME
used for bothnotBefore
andnotAfter
:Here's another example of this issue in the wild