commit 1ca572304a8e3c7da7e7d20a36f81d4337e8f8a6
author David Benjamin <davidben@google.com> Thu Jun 08 13:06:20 2023 -0400
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Thu Jun 08 17:48:48 2023 +0000
tree a561843eea16ed6c97f706975f3f7e4d9544c433
parent 556a973f9b10ea11f1ce7751721f2f7a64e09632

Don't allow timezone offsets in ASN1_UTCTIME_set_string

We had to allow this when parsing certs to remain compatible with some
misissued certificates, but there's no reason to allow it when making
new values.

Update-Note: ASN1_UTCTIME_set_string and ASN1_TIME_set_string will no
longer accept times with timezone offsets, which is forbidden by RFC
5280. These functions are used when minting new certificates, rather
than parsing them. The parsing behavior is unchanged by this CL.

Change-Id: I0860deb44a49e99ce477f8cde847d20edfd29ed9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60608
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Bob Beck <bbe@google.com>

crypto/asn1/a_utctm.c

diff --git a/crypto/asn1/a_utctm.c b/crypto/asn1/a_utctm.c
index 45c4081..82f2df6 100644
--- a/crypto/asn1/a_utctm.c
+++ b/crypto/asn1/a_utctm.c
@@ -83,11 +83,14 @@
 }
 
 int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str) {
+  // Although elsewhere we allow timezone offsets with UTCTime, to be compatible
+  // with some existing misissued certificates, this function is used to
+  // construct new certificates and can be stricter.
   size_t len = strlen(str);
   CBS cbs;
   CBS_init(&cbs, (const uint8_t *)str, len);
   if (!CBS_parse_utc_time(&cbs, /*out_tm=*/NULL,
-                          /*allow_timezone_offset=*/1)) {
+                          /*allow_timezone_offset=*/0)) {
     return 0;
   }
   if (s != NULL) {

crypto/asn1/asn1_test.cc

diff --git a/crypto/asn1/asn1_test.cc b/crypto/asn1/asn1_test.cc
index 849cfe9..c7e0bf0 100644
--- a/crypto/asn1/asn1_test.cc
+++ b/crypto/asn1/asn1_test.cc
@@ -1116,6 +1116,12 @@
   EXPECT_FALSE(ASN1_UTCTIME_set_string(nullptr, "nope"));
   EXPECT_FALSE(ASN1_GENERALIZEDTIME_set_string(nullptr, "nope"));
   EXPECT_FALSE(ASN1_TIME_set_string(nullptr, "nope"));
+
+  // Timezone offsets are not allowed by DER.
+  EXPECT_FALSE(ASN1_UTCTIME_set_string(nullptr, "700101000000-0400"));
+  EXPECT_FALSE(ASN1_TIME_set_string(nullptr, "700101000000-0400"));
+  EXPECT_FALSE(ASN1_GENERALIZEDTIME_set_string(nullptr, "19700101000000-0400"));
+  EXPECT_FALSE(ASN1_TIME_set_string(nullptr, "19700101000000-0400"));
 }
 
 TEST(ASN1Test, AdjTime) {