get_not_after() returns bad values for dates past 2050.
RFC 5280's section 4.1.2.5 states:
CAs conforming to this profile MUST always encode certificate validity dates through the year 2049 as UTCTime; certificate validity dates in 2050 or later MUST be encoded as GeneralizedTime. Conforming applications MUST be able to process validity dates that are encoded in either UTCTime or GeneralizedTime.
But the current implementation of
    def get_not_after(self):
        assert m2.x509_type_check(self.x509), "'x509' type error"
        return ASN1.ASN1_UTCTIME(m2.x509_get_not_after(self.x509))
Forcing the GeneralizedTime into a UTCTime results in an erroneous value of "Bad time value" but does not throw an exception.
    In : from M2Crypto import X509
    In : x = X509.load_cert_string(open('x.crt').read())
    In : str(x.get_not_before())
    Out: 'Mar 4 14:57:46 2016 GMT'
    In : str(x.get_not_after())
    Out: 'Bad time value'
    In : x.get_not_after()
    Out: <M2Crypto.ASN1.ASN1_UTCTIME instance at 0x7fced1b485f0>
I have uploaded x.crt
Please correct M2Crypto to either handle dates past 2050 or to immediately throw an exception so it is obvious to users where the problem is occurring. Thanks!
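The behaviour requested above, as an added standard-library example (not M2Crypto's code): it decodes a DER Validity time in either encoding and raises `ValueError` rather than returning a placeholder string, and it checks the encoding rule quoted from RFC 5280. The function names and the sample byte strings are assumptions constructed for illustration; the samples are not taken from x.crt.

```python
from datetime import datetime, timezone

UTCTIME, GENERALIZEDTIME = 0x17, 0x18  # ASN.1 universal tags 23 and 24


def parse_validity_time(der: bytes) -> datetime:
    """Decode one DER Time value (tag, short-form length, content) to an aware datetime.

    Raises ValueError instead of returning a placeholder on anything unexpected.
    """
    if len(der) < 2 or der[1] != len(der) - 2:
        raise ValueError("truncated or mis-sized Time value")
    tag, text = der[0], der[2:].decode("ascii")
    if not (text.endswith("Z") and text[:-1].isdigit()):
        raise ValueError(f"Time value is not digits followed by Z: {text!r}")
    if tag == UTCTIME and len(text) == 13:  # YYMMDDHHMMSSZ
        yy = int(text[:2])
        # RFC 5280: YY >= 50 is 19YY, YY < 50 is 20YY
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif not (tag == GENERALIZEDTIME and len(text) == 15):  # YYYYMMDDHHMMSSZ
        raise ValueError(f"tag 0x{tag:02x} with {len(text)} bytes is not a valid Time")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def uses_required_encoding(der: bytes) -> bool:
    """True if the tag follows the quoted rule: UTCTime through 2049, else GeneralizedTime."""
    year = parse_validity_time(der).year
    return der[0] == (UTCTIME if year <= 2049 else GENERALIZEDTIME)


def encode_time(tag: int, text: str) -> bytes:
    """Build a constructed sample: tag, one length byte, ASCII content."""
    return bytes([tag, len(text)]) + text.encode("ascii")


# Constructed samples (not taken from x.crt)
NOT_BEFORE = encode_time(UTCTIME, "160304145746Z")
NOT_AFTER = encode_time(GENERALIZEDTIME, "20510304145746Z")

if __name__ == "__main__":
    for name, der in (("notBefore", NOT_BEFORE), ("notAfter", NOT_AFTER)):
        print(name, parse_validity_time(der).isoformat(), uses_required_encoding(der))
```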