
Bouncy Castle 1.79 cannot process thisUpdate field according to RFC5280

Open onepeople158 opened this issue 1 year ago • 1 comments

Main content:
The RFC standard for X.509 CRLs restricts the thisUpdate field to only two formats, namely UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSSZ) in ASN.1 representation, which are 13 and 15 characters wide, respectively. However, Bouncy Castle 1.79 accepts a CRL with a thisUpdate field of length 11 ("0103010100Z"). OpenSSL cannot print the information of this CRL file.

Version of Bouncy Castle used:

(bcprov-jdk18on-1.79.jar:bcpkix-jdk18on-1.79.jar)

Computer system: Ubuntu

How reproducible:

import java.io.FileInputStream;
import java.io.InputStream;
import org.bouncycastle.cert.X509CRLHolder;

public class CRLParserExample3 {
    public static void main(String[] args) throws Exception {
        // Parse the DER-encoded CRL; BC 1.79 accepts the 11-character thisUpdate without error
        try (InputStream inputStream = new FileInputStream("crl_file.der")) {
            X509CRLHolder crlHolder = new X509CRLHolder(inputStream);

            System.out.println("Issuer: " + crlHolder.getIssuer());
            System.out.println("ThisUpdate: " + crlHolder.getThisUpdate());
        }
    }
}

Actual results: The CRL is trusted and printed

Expected results: The RFC standard for X.509 CRLs limits the thisUpdate field to only two formats: UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSSZ) in ASN.1 encoding, which are 13 and 15 characters wide, respectively. Therefore, it should reject a CRL file with a thisUpdate field length of 11 (e.g., "0103010100Z").

onepeople158, Jan 17 '25 02:01
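A strict check a relying party can run until the library enforces the rule itself: it inspects the DER bytes of the CRL's thisUpdate and accepts only a 13-character UTCTime or a 15-character GeneralizedTime ending in Z, as RFC 5280 requires. This is an added example, not code from the issue or from the Bouncy Castle project; the class and method names are the author's own, and the sample Time encodings in main are constructed here.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.regex.Pattern;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.x509.CertificateList;

/** Hypothetical helper: rejects CRLs whose thisUpdate is not a strict RFC 5280 Time. */
public class StrictThisUpdateCheck {
    // RFC 5280 4.1.2.5: UTCTime MUST be YYMMDDHHMMSSZ, GeneralizedTime MUST be YYYYMMDDHHMMSSZ
    private static final Pattern UTC = Pattern.compile("\\d{12}Z"); // 13 characters
    private static final Pattern GEN = Pattern.compile("\\d{14}Z"); // 15 characters

    /** derTime is the DER encoding of one Time value: tag, short-form length, contents. */
    public static boolean isStrictRfc5280Time(byte[] derTime) {
        if (derTime == null || derTime.length < 2) return false;
        int tag = derTime[0] & 0xFF;
        int len = derTime[1] & 0xFF;
        // a long-form length or a length that disagrees with the buffer is rejected outright
        if (len >= 0x80 || len != derTime.length - 2) return false;
        String s = new String(derTime, 2, len, StandardCharsets.US_ASCII);
        if (tag == 0x17) return UTC.matcher(s).matches(); // UTCTime
        if (tag == 0x18) return GEN.matcher(s).matches(); // GeneralizedTime
        return false;
    }

    /** Re-encodes the parsed thisUpdate with DER and applies the strict check to its bytes. */
    public static boolean crlHasStrictThisUpdate(byte[] crlDer) throws java.io.IOException {
        CertificateList crl = CertificateList.getInstance(crlDer);
        byte[] t = crl.getThisUpdate().toASN1Primitive().getEncoded(ASN1Encoding.DER);
        return isStrictRfc5280Time(t);
    }

    // Builds a constructed Time TLV (tag, one-byte length, ASCII contents) for the samples below
    private static byte[] time(int tag, String contents) {
        byte[] c = contents.getBytes(StandardCharsets.US_ASCII);
        byte[] out = new byte[c.length + 2];
        out[0] = (byte) tag;
        out[1] = (byte) c.length;
        System.arraycopy(c, 0, out, 2, c.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // constructed samples: the 11-character value from this report, then two conforming values
        System.out.println("0103010100Z      -> " + isStrictRfc5280Time(time(0x17, "0103010100Z")));
        System.out.println("250117020100Z    -> " + isStrictRfc5280Time(time(0x17, "250117020100Z")));
        System.out.println("20500101000000Z  -> " + isStrictRfc5280Time(time(0x18, "20500101000000Z")));
        if (args.length > 0) { // optional: check a real DER CRL file given on the command line
            byte[] crl = Files.readAllBytes(Paths.get(args[0]));
            System.out.println("CRL thisUpdate strict: " + crlHasStrictThisUpdate(crl));
        }
    }
}
```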

Here is my CRL test file and code.

test.zip

onepeople158, Jan 20 '25 07:01