ValueError: time data '20160812233616+0200' does not match format '%Y%m%d%H%M%SZ' #3086

Closed
kissgyorgy opened this issue Aug 13, 2016 · 5 comments

@kissgyorgy

Python version: CPython 3.5.1
Operating system: OS X El Capitan 10.11.6
cryptography.version: 1.4
openssl.openssl_version_text(): OpenSSL 1.0.2h 3 May 2016

I'm using Vault's PKI backend for issuing certificates. I revoked one certificate. My CRL:

$ openssl crl -in only_one.crl -text
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=walkman
        Last Update: Aug 12 21:36:16 2016 GMT
        Next Update: Aug 15 21:36:16 2016 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:4A:BD:9A:6A:41:4E:98:AD:C7:4D:82:52:4C:7E:72:4C:FE:2E:39:90

Revoked Certificates:
    Serial Number: 22A4769F632AB01EB5AD1DC16B282033EBC5CA2B
        Revocation Date: Aug 12 23:36:16 2016
    Signature Algorithm: sha256WithRSAEncryption
        07:19:b4:ec:e4:f6:98:d9:ea:78:6a:71:6a:70:c6:02:3e:18:
        59:9e:b1:bf:6d:7a:6a:08:2c:df:35:36:8d:b9:dc:67:3f:9a:
        4d:1a:73:8f:bd:c4:ea:89:6a:86:13:02:be:4e:80:81:ab:c5:
        d4:12:91:48:eb:12:7d:99:c7:1c:46:3a:b6:ee:0a:36:6c:f7:
        c1:a4:5a:12:86:03:91:6c:3a:50:8b:ec:89:7c:f5:c3:cd:87:
        d4:f0:5b:a3:42:c9:c3:a7:17:d7:4e:d8:c2:0d:39:c1:6e:61:
        25:dd:1a:aa:7a:1b:4f:91:b8:4e:96:b5:21:8c:d7:0b:75:2c:
        b8:c1:dc:29:e2:43:fd:7c:3c:79:62:69:fc:05:1f:81:50:fe:
        36:a7:31:e7:a5:77:ba:02:52:37:f0:b9:dc:e1:f1:73:d9:26:
        d8:fc:1d:bb:ad:d0:e3:9b:f8:86:52:96:fd:62:ab:c8:33:36:
        c1:e0:fc:dd:0a:3c:7e:d4:98:14:60:bc:61:8f:43:3a:7a:65:
        9d:29:d9:f6:a5:bf:f9:88:57:cf:ee:77:f2:57:41:5d:98:47:
        c0:56:19:3a:4e:d5:62:ef:d2:82:72:c4:44:ba:89:94:96:d9:
        9f:da:bc:90:16:af:52:be:12:ea:7e:47:0e:12:de:ba:39:c8:
        6b:96:71:e2

seems fine.

The following program:

from cryptography import x509
from cryptography.hazmat.backends.openssl.backend import backend as openssl_backend


pem_data = open('only_one.crl').read().encode('ascii')
crl = x509.load_pem_x509_crl(pem_data, openssl_backend)

for cert in crl:
    print(cert.revocation_date)

throws this message:

$ python3.5 crl_error.py
Traceback (most recent call last):
  File "crl_error.py", line 9, in <module>
    print(cert.revocation_date)
  File "/Users/walkman/.virtualenvs/certmaestro/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 186, in revocation_date
    self._x509_revoked
  File "/Users/walkman/.virtualenvs/certmaestro/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 733, in _parse_asn1_time
    return _parse_asn1_generalized_time(backend, generalized_time)
  File "/Users/walkman/.virtualenvs/certmaestro/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 740, in _parse_asn1_generalized_time
    return datetime.datetime.strptime(time, "%Y%m%d%H%M%SZ")
  File "/usr/local/var/pyenv/versions/3.5.1/lib/python3.5/_strptime.py", line 500, in _strptime_datetime
    tt, fraction = _strptime(data_string, format)
  File "/usr/local/var/pyenv/versions/3.5.1/lib/python3.5/_strptime.py", line 337, in _strptime
    (data_string, format))
ValueError: time data '20160812233616+0200' does not match format '%Y%m%d%H%M%SZ'

@joernheissler

$ dumpasn1 -hh time.der
<17 11 31 36 30 38 31 32 32 33 33 36 31 36 2B 30 32 30 30>
0 17: UTCTime '160812233616+0200'
: Error: Time is encoded incorrectly.

0 warnings, 1 error.

Is it possible that your CRL is wrong?

@jefferai

OpenSSL seems happy:

$ openssl asn1parse -inform der -in crl.der
    0:d=0  hl=4 l= 426 cons: SEQUENCE          
    4:d=1  hl=3 l= 147 cons: SEQUENCE          
    7:d=2  hl=2 l=  13 cons: SEQUENCE          
    9:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   20:d=3  hl=2 l=   0 prim: NULL              
   22:d=2  hl=2 l=  18 cons: SEQUENCE          
   24:d=3  hl=2 l=  16 cons: SET               
   26:d=4  hl=2 l=  14 cons: SEQUENCE          
   28:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   33:d=5  hl=2 l=   7 prim: PRINTABLESTRING   :walkman
   42:d=2  hl=2 l=  13 prim: UTCTIME           :160812213616Z
   57:d=2  hl=2 l=  13 prim: UTCTIME           :160815213616Z
   72:d=2  hl=2 l=  43 cons: SEQUENCE          
   74:d=3  hl=2 l=  41 cons: SEQUENCE          
   76:d=4  hl=2 l=  20 prim: INTEGER           :22A4769F632AB01EB5AD1DC16B282033EBC5CA2B
   98:d=4  hl=2 l=  17 prim: UTCTIME           :160812233616+0200
  117:d=2  hl=2 l=  35 cons: cont [ 0 ]        
  119:d=3  hl=2 l=  33 cons: SEQUENCE          
  121:d=4  hl=2 l=  31 cons: SEQUENCE          
  123:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
  128:d=5  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:301680144ABD9A6A414E98ADC74D82524C7E724CFE2E3990
  154:d=1  hl=2 l=  13 cons: SEQUENCE          
  156:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
  167:d=2  hl=2 l=   0 prim: NULL              
  169:d=1  hl=4 l= 257 prim: BIT STRING 

@jefferai

Huh.

https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1

Re-opening this on the Vault side, although I'm unsure if it's a Vault issue or an issue in Go.

It'd be nice if pyca would accept non-zulu values but that suggests that it doesn't need to.

@reaperhulk
Member

Thanks for the report! I'm reluctant to parse values like this since it will hide bugs that should be fixed (as it appears it was in this case! Yay!). I reserve the right to pragmatically change my mind if a very large system forces us to be bug compatible in the future though. 😄

@jefferai

As an FYI, I also opened golang/go#16686
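
An added example, not part of this thread and not pyca/cryptography's code: a small DER walker that lists every UTCTime and GeneralizedTime in a CRL or certificate and flags values that are not in the Zulu form required by RFC 5280 section 4.1.2.5, so an issuer-side encoding bug like this one is caught before a strict parser rejects the file. The names `read_tlv` and `audit_times` are made up for the example, the sample structure is constructed, and only the form of each value is checked, not its calendar validity.

```python
import re

# RFC 5280 4.1.2.5: Zulu only, seconds present, no fractional seconds.
STRICT = {0x17: re.compile(rb"\d{12}Z"), 0x18: re.compile(rb"\d{14}Z")}


def read_tlv(buf, pos, limit):
    """Decode one DER header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > limit:
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is not handled here")
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if n == 0 or pos + n > limit:
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > limit:
        raise ValueError("value runs past its container")
    return tag, pos, pos + length


def audit_times(der, start=0, end=None):
    """Return [(offset, text, rfc5280_ok)] for every time value in `der`."""
    end = len(der) if end is None else end
    found, pos = [], start
    while pos < end:
        tag, vstart, vend = read_tlv(der, pos, end)
        if tag in STRICT:  # 0x17 UTCTime, 0x18 GeneralizedTime
            value = der[vstart:vend]
            ok = STRICT[tag].fullmatch(value) is not None
            found.append((pos, value.decode("ascii", "replace"), ok))
        elif tag & 0x20:  # constructed type: descend into its contents
            found.extend(audit_times(der, vstart, vend))
        pos = vend
    return found


# Constructed sample; the second UTCTime is the TLV from the dumpasn1 output in this thread.
GOOD = b"\x17\x0d" + b"160812213616Z"
BAD = bytes.fromhex("17113136303831323233333631362B30323030")
ENTRY = b"\x30" + bytes([3 + len(BAD)]) + b"\x02\x01\x01" + BAD
SAMPLE = b"\x30" + bytes([len(GOOD) + len(ENTRY)]) + GOOD + ENTRY

for offset, text, ok in audit_times(SAMPLE):
    print(f"{offset:4d}  {text:<20} {'ok' if ok else 'NOT RFC 5280'}")
```

To check a real file, convert it to DER first (for example with `openssl crl -in only_one.crl -outform der`) and pass the bytes to `audit_times`.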

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 14, 2020