From a77dbcdbb7022cc754ba87aea9a4fc471d1e4495 Mon Sep 17 00:00:00 2001 From: Peter Hartmann Date: Wed, 4 Aug 2010 11:59:49 +0200 Subject: QSslCertificate: support expiration dates > 2049 X509 has two time formats: UTC, where the year is in two-digit format, and generalized time with four-digit years. This patch allows dates specified generalized time. Reviewed-by: Thiago Macieira Task-number: QTBUG-12489 --- src/network/ssl/qsslsocket_openssl_symbols.cpp | 121 ++++++++++++--------- .../cert-large-expiration-date.pem | 15 +++ tests/auto/qsslcertificate/tst_qsslcertificate.cpp | 15 +++ 3 files changed, 101 insertions(+), 50 deletions(-) create mode 100644 tests/auto/qsslcertificate/more-certificates/cert-large-expiration-date.pem diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp index 09ecd4d..d1225c1 100644 --- a/src/network/ssl/qsslsocket_openssl_symbols.cpp +++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp @@ -761,74 +761,95 @@ bool q_resolveOpenSslSymbols() //============================================================================== QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime) { - char lBuffer[24]; - char *pBuffer = lBuffer; - size_t lTimeLength = aTime->length; char *pString = (char *) aTime->data; if (aTime->type == V_ASN1_UTCTIME) { + + char lBuffer[24]; + char *pBuffer = lBuffer; + if ((lTimeLength < 11) || (lTimeLength > 17)) return QDateTime(); memcpy(pBuffer, pString, 10); pBuffer += 10; pString += 10; - } else { - if (lTimeLength < 13) - return QDateTime(); - - memcpy(pBuffer, pString, 12); - pBuffer += 12; - pString += 12; - } - if ((*pString == 'Z') || (*pString == '-') || (*pString == '+')) { - *pBuffer++ = '0'; - *pBuffer++ = '0'; - } else { - *pBuffer++ = *pString++; - *pBuffer++ = *pString++; - // Skip any fractional seconds... - if (*pString == '.') { - pString++; - while ((*pString >= '0') && (*pString <= '9')) + if ((*pString == 'Z') || (*pString == '-') || (*pString == '+')) { + *pBuffer++ = '0'; + *pBuffer++ = '0'; + } else { + *pBuffer++ = *pString++; + *pBuffer++ = *pString++; + // Skip any fractional seconds... + if (*pString == '.') { pString++; + while ((*pString >= '0') && (*pString <= '9')) + pString++; + } } - } - *pBuffer++ = 'Z'; - *pBuffer++ = '\0'; + *pBuffer++ = 'Z'; + *pBuffer++ = '\0'; - time_t lSecondsFromUCT; - if (*pString == 'Z') { - lSecondsFromUCT = 0; - } else { - if ((*pString != '+') && (*pString != '-')) - return QDateTime(); + time_t lSecondsFromUCT; + if (*pString == 'Z') { + lSecondsFromUCT = 0; + } else { + if ((*pString != '+') && (*pString != '-')) + return QDateTime(); + + lSecondsFromUCT = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; + lSecondsFromUCT += (pString[3] - '0') * 10 + (pString[4] - '0'); + lSecondsFromUCT *= 60; + if (*pString == '-') + lSecondsFromUCT = -lSecondsFromUCT; + } + + tm lTime; + lTime.tm_sec = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); + lTime.tm_min = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0'); + lTime.tm_hour = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); + lTime.tm_mday = ((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0'); + lTime.tm_mon = (((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0')) - 1; + lTime.tm_year = ((lBuffer[0] - '0') * 10) + (lBuffer[1] - '0'); + if (lTime.tm_year < 50) + lTime.tm_year += 100; // RFC 2459 + + QDate resDate(lTime.tm_year + 1900, lTime.tm_mon + 1, lTime.tm_mday); + QTime resTime(lTime.tm_hour, lTime.tm_min, lTime.tm_sec); + + QDateTime result(resDate, resTime, Qt::UTC); + result = result.addSecs(lSecondsFromUCT); + return result; + + } else if (aTime->type == V_ASN1_GENERALIZEDTIME) { - lSecondsFromUCT = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; - lSecondsFromUCT += (pString[3] - '0') * 10 + (pString[4] - '0'); - lSecondsFromUCT *= 60; - if (*pString == '-') - lSecondsFromUCT = -lSecondsFromUCT; + if (lTimeLength < 15) + return QDateTime(); // hopefully never triggered + + // generalized time is always YYYYMMDDHHMMSSZ (RFC 2459, section 4.1.2.5.2) + tm lTime; + lTime.tm_sec = ((pString[12] - '0') * 10) + (pString[13] - '0'); + lTime.tm_min = ((pString[10] - '0') * 10) + (pString[11] - '0'); + lTime.tm_hour = ((pString[8] - '0') * 10) + (pString[9] - '0'); + lTime.tm_mday = ((pString[6] - '0') * 10) + (pString[7] - '0'); + lTime.tm_mon = (((pString[4] - '0') * 10) + (pString[5] - '0')); + lTime.tm_year = ((pString[0] - '0') * 1000) + ((pString[1] - '0') * 100) + + ((pString[2] - '0') * 10) + (pString[3] - '0'); + + QDate resDate(lTime.tm_year, lTime.tm_mon, lTime.tm_mday); + QTime resTime(lTime.tm_hour, lTime.tm_min, lTime.tm_sec); + + QDateTime result(resDate, resTime, Qt::UTC); + return result; + + } else { + qWarning("unsupported date format detected"); + return QDateTime(); } - tm lTime; - lTime.tm_sec = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); - lTime.tm_min = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0'); - lTime.tm_hour = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); - lTime.tm_mday = ((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0'); - lTime.tm_mon = (((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0')) - 1; - lTime.tm_year = ((lBuffer[0] - '0') * 10) + (lBuffer[1] - '0'); - if (lTime.tm_year < 50) - lTime.tm_year += 100; // RFC 2459 - - QDate resDate(lTime.tm_year + 1900, lTime.tm_mon + 1, lTime.tm_mday); - QTime resTime(lTime.tm_hour, lTime.tm_min, lTime.tm_sec); - QDateTime result(resDate, resTime, Qt::UTC); - result = result.addSecs(lSecondsFromUCT); - return result; } QT_END_NAMESPACE diff --git a/tests/auto/qsslcertificate/more-certificates/cert-large-expiration-date.pem b/tests/auto/qsslcertificate/more-certificates/cert-large-expiration-date.pem new file mode 100644 index 0000000..416dd4d --- /dev/null +++ b/tests/auto/qsslcertificate/more-certificates/cert-large-expiration-date.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICWjCCAcOgAwIBAgIJAM7bMShFxAVAMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQwIBcNMTAwODA0MDk1MzQxWhgPMjA1MTA4MjkwOTUzNDFa +MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJ +bnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ +AoGBAM2q22/WNMmn8cC+5EEYGeICySLmp9W6Ay6eKHr0Xxp3X3epETuPfvAuxp7r +OtkS18EMUegkUj8jw0IMEcbyHKFC/rTCaYOt93CxGBXMIChiMPAsFeYzGa/D6xzA +kfcRaJRQ+Ek3CDLXPnXfo7xpABXezYcPXAJrgsgBfWrwHdxzAgMBAAGjUDBOMB0G +A1UdDgQWBBSKbhnnl5uP2X+zuwFP6GovUpUN2TAfBgNVHSMEGDAWgBSKbhnnl5uP +2X+zuwFP6GovUpUN2TAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAKF0 +jl02liwFfupmzC5oxz2T3IyjEa21fm7QBMQJvQr5OTuX1/C7DAl7g/6/h7BH6JS3 +qpx5rXGet8SZmG8dODL4o3U4xOXnNzch7HtQixWwlx4XnFAXPMHflFX7YC5QQNHq +I8Y8IW+XjAYWpYJywWMUZIbr1/9y9gn1beYEE3pq +-----END CERTIFICATE----- diff --git a/tests/auto/qsslcertificate/tst_qsslcertificate.cpp b/tests/auto/qsslcertificate/tst_qsslcertificate.cpp index d0509bb..963bf11 100644 --- a/tests/auto/qsslcertificate/tst_qsslcertificate.cpp +++ b/tests/auto/qsslcertificate/tst_qsslcertificate.cpp @@ -110,6 +110,7 @@ private slots: void nulInCN(); void nulInSan(); void largeSerialNumber(); + void largeExpirationDate(); // ### add tests for certificate bundles (multiple certificates concatenated into a single // structure); both PEM and DER formatted #endif @@ -802,6 +803,20 @@ void tst_QSslCertificate::largeSerialNumber() QCOMPARE(cert.serialNumber(), QByteArray("01:02:03:04:05:06:07:08:09:10:aa:bb:cc:dd:ee:ff:17:18:19:20")); } +void tst_QSslCertificate::largeExpirationDate() // QTBUG-12489 +{ + QList certList = + QSslCertificate::fromPath(SRCDIR "more-certificates/cert-large-expiration-date.pem"); + + QCOMPARE(certList.size(), 1); + + const QSslCertificate &cert = certList.at(0); + QVERIFY(!cert.isNull()); + QCOMPARE(cert.effectiveDate().toUTC(), QDateTime(QDate(2010, 8, 4), QTime(9, 53, 41), Qt::UTC)); + // if the date is larger than 2049, then the generalized time format is used + QCOMPARE(cert.expiryDate().toUTC(), QDateTime(QDate(2051, 8, 29), QTime(9, 53, 41), Qt::UTC)); +} + #endif // QT_NO_OPENSSL QTEST_MAIN(tst_QSslCertificate) -- cgit v0.12