[prev in list] [next in list] [prev in thread] [next in thread]
List: bouncycastle-crypto-dev
Subject: Re: [dev-crypto] LOGGING BUG RELATED TO THAI LOCALE
From: David Hook <dgh () autochthonous ! org>
Date: 2013-09-25 22:19:09
Message-ID: 5243615D.5000900 () autochthonous ! org
[Download RAW message or body]
We offer this level of support via http://www.cryptoworkshop.com You are
welcome to get a support contract if you need fixes done in this fashion.
Other than that all I can say is, it's on the list, we will look into it
when we can.
Regards,
David
On 26/09/13 03:46, Marc-Andre Chartrand wrote:
> I'm logging a defect. Please advise of resolution time (or procedure
> to escalate this) as this is impacting one of our partners. I need
> to give an ETA for this fix.
>
>
> _Problem Description:_
>
> When creating a certificate in an English locale (which uses the
> Gregorian Calendar for dates), and then move to the Thai locale (which
> uses the Buddhist Calendar) for certificate validation, the
> certificate fails validation as Expired since the saved year of 2013
> is smaller than the current Buddhist calendar year of 2556.
>
> This should not happen as a Date() created using a Long value (ref1)
> should be independent of Locale or Calendar.
>
> ref1:
> http://docs.oracle.com/javase/6/docs/api/java/util/Date.html#Date(long) \
> <http://docs.oracle.com/javase/6/docs/api/java/util/Date.html#Date%28long%29>
>
>
> _Steps to reproduce:_
> This defect is reproducible by modifying an existing testcase :
> org\bouncycastle\jce\provider\test\CertUniqueIDTest.java which I'm
> attaching here :
>
> To reproduce using the attached file, simplybackup and replace
> org\bouncycastle\jce\provider\test\CertUniqueIDTest.java with the
> attached file, compile and run !
>
>
> _Overview and Analysis:_
>
> 1) create a certificate using an English locale
>
> Since the current date/year is 2013-MM-DD , when calling
> setNotAfter(Date date) , an DERUTCTime Time object gets created since :
>
> if (year < 1950 || year > 2049)
> {
> time = new DERGeneralizedTime(d);
> }
> else
> {
> time = new DERUTCTime(d.substring(2));
> }
>
> 2) Change the server locale to Thai, which uses the Buddhist calendar,
> meaning we are currently in the year 2556
>
> 3) Validate the cert
>
> BUG : code throws this exception :
>
> Exception: java.security.cert.CertificateExpiredException: certificate
> expired on 20130925173543GMT+00:00
>
> The validity check is done in
> org.bouncycastle.jce.provider.X509CertificateObject.checkValidity
> method.
>
> The validation fails with when comparing the year 2556 > 2013
>
> As you can see, if the cert would instead have been generated using
> the Buddhist calendar (i.e. year 2556) , it would have created a new
> DERGeneralizedTime(d) object instead ! But since it was created using
> year 2013, we're left comparing 2 different types of Time objects
> which fails.
>
> The problem is creating a cert in an english locale (which uses a
> Gregorian calendar) and then changing the locale to Thai to validate
> the cert, (which uses the buddhist calendar) we're comparing today
> (year 2556) with the value of the DERUTCTime Time, which is 2013 !!!
>
> In the
> org.bouncycastle.jce.provider.X509CertificateObject.checkValidity
> method, this line here should return the appropriate Long values :
>
> *if*(date.getTime() > *this*.getNotAfter().getTime())
>
> Thanks,
> Marc
[Attachment #3 (text/html)]
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix"><br>
We offer this level of support via <a class="moz-txt-link-freetext" \
href="http://www.cryptoworkshop.com">http://www.cryptoworkshop.com</a> You are \
welcome to get a support contract if you need fixes done in this fashion.<br>
<br>
Other than that all I can say is, it's on the list, we will look
into it when we can.<br>
<br>
Regards,<br>
<br>
David<br>
<br>
On 26/09/13 03:46, Marc-Andre Chartrand wrote:<br>
</div>
<blockquote
cite="mid:OF9CE512FE.29F2072B-ON85257BF1.0057B9F9-85257BF1.006198C6@ca.ibm.com"
type="cite"><font face="sans-serif" size="2">I'm logging a defect.
Please advise
of resolution time (or procedure to escalate this) as this is
impacting
one of our partners. I need to give an ETA for this fix.</font>
<br>
<br>
<br>
<font face="sans-serif" size="2"><u>Problem Description:</u></font>
<br>
<br>
<font face="sans-serif" size="2">When creating a certificate in an
English
locale (which uses the Gregorian Calendar for dates), and then
move to
the Thai locale (which uses the Buddhist Calendar) for
certificate validation,
the certificate fails validation as Expired since the saved year
of 2013
is smaller than the current Buddhist calendar year of 2556. </font>
<br>
<br>
<font face="sans-serif" size="2">This should not happen as a
Date() created
using a Long value (ref1) should be independent of Locale or
Calendar.</font>
<br>
<br>
<font face="sans-serif" size="2">ref1: </font><a
moz-do-not-send="true"
href="http://docs.oracle.com/javase/6/docs/api/java/util/Date.html#Date%28long%29"><font
face="sans-serif" \
size="2">http://docs.oracle.com/javase/6/docs/api/java/util/Date.html#Date(long)</font></a>
<br>
<br>
<br>
<font face="sans-serif" size="2"><u>Steps to reproduce:</u></font>
<br>
<font face="sans-serif" size="2">This defect is reproducible by
modifying
an existing testcase :
org\bouncycastle\jce\provider\test\CertUniqueIDTest.java
which I'm attaching here : </font>
<br>
<br>
<font face="sans-serif" size="2">To reproduce using the attached
file,
simplybackup and replace
org\bouncycastle\jce\provider\test\CertUniqueIDTest.java
with the attached file, compile and run !</font>
<br>
<br>
<br>
<font face="sans-serif" size="2"><u>Overview and Analysis:</u></font>
<br>
<br>
<font face="sans-serif" size="2">1) create a certificate using an
English
locale</font>
<br>
<br>
<font face="sans-serif" size="2">Since the current date/year is
2013-MM-DD
, when calling setNotAfter(Date date) , an DERUTCTime Time
object gets created since :</font>
<br>
<br>
<font color="blue" face="sans-serif" size="2">if (year < 1950
|| year
> 2049)</font>
<br>
<font color="blue" face="sans-serif" size="2">{</font>
<br>
<font color="blue" face="sans-serif" size="2"> time = new
DERGeneralizedTime(d);</font>
<br>
<font color="blue" face="sans-serif" size="2">}</font>
<br>
<font color="blue" face="sans-serif" size="2">else</font>
<br>
<font color="blue" face="sans-serif" size="2">{</font>
<br>
<font color="blue" face="sans-serif" size="2"> time = new
DERUTCTime(d.substring(2));</font>
<br>
<font color="blue" face="sans-serif" size="2">}</font>
<br>
<br>
<font face="sans-serif" size="2">2) Change the server locale to
Thai,
which uses the Buddhist calendar, meaning we are currently in
the year
2556</font>
<br>
<br>
<font face="sans-serif" size="2">3) Validate the cert</font>
<br>
<br>
<font face="sans-serif" size="2">BUG : code throws this
exception
:</font>
<br>
<br>
<font face="sans-serif" size="2">Exception:
java.security.cert.CertificateExpiredException:
certificate expired on 20130925173543GMT+00:00</font>
<br>
<br>
<font face="sans-serif" size="2">The validity check is done in
org.bouncycastle.jce.provider.X509CertificateObject.checkValidity
method.</font>
<br>
<br>
<font face="sans-serif" size="2">The validation fails with when
comparing
the year 2556 > 2013 </font>
<br>
<br>
<font face="sans-serif" size="2">As you can see, if the cert would
instead
have been generated using the Buddhist calendar (i.e. year 2556)
, it would
have created a new DERGeneralizedTime(d) object instead ! But
since it was created using year 2013, we're left comparing 2
different
types of Time objects which fails.</font>
<br>
<br>
<font face="sans-serif" size="2">The problem is creating a cert in
an
english locale (which uses a Gregorian calendar) and then
changing the
locale to Thai to validate the cert, (which uses the buddhist
calendar)
we're comparing today (year 2556) with the value of the
DERUTCTime
Time, which is 2013 !!! </font>
<br>
<br>
<font face="sans-serif" size="2">In the
org.bouncycastle.jce.provider.X509CertificateObject.checkValidity
method, this line here should return the appropriate Long
values
:</font>
<br>
<br>
<font color="#820040" face="Consolas" size="2"><b>if</b></font><font
face="Consolas" size="2">
(date.getTime() > </font><font color="#820040"
face="Consolas" size="2"><b>this</b></font><font face="Consolas"
size="2">.getNotAfter().getTime())</font>
<br>
<br>
<font face="sans-serif" size="2">Thanks,</font>
<br>
<font face="sans-serif" size="2">Marc</font>
</blockquote>
<br>
</body>
</html>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic