updatedb expires certificates with expiration date having 4-digit years before 2100.

[arminfuerst]

In a private CA, I have some very long running certificates. In index.txt one of the expiration dates is 20730104163541Z meaning the certificate is valid until early 2073. If I run an updatedb command on this CA, this certificate is marked as "expired". I assume this is, because only the first two digits are interpreted as a year and this certificate therefore looks as if it would have been expired in 2020. I'm using openssl 1.1.1d.

[mattcaswell]

There does seem to be some dubious Y2K handling going on here, which could be the cause:

openssl/apps/ca.c

Lines 2290 to 2322 in c9603df

	if (strncmp(a_tm_s, "49", 2) <= 0)
	a_y2k = 1;
	else
	a_y2k = 0;
	for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
	rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
	if (rrow[DB_type][0] == DB_TYPE_VAL) {
	/* ignore entries that are not valid */
	if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
	db_y2k = 1;
	else
	db_y2k = 0;
	if (db_y2k == a_y2k) {
	/* all on the same y2k side */
	if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) {
	rrow[DB_type][0] = DB_TYPE_EXP;
	rrow[DB_type][1] = '\0';
	cnt++;
	BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]);
	}
	} else if (db_y2k < a_y2k) {
	rrow[DB_type][0] = DB_TYPE_EXP;
	rrow[DB_type][1] = '\0';
	cnt++;
	BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]);
	}
	}

[arminfuerst]

I think the problem starts earlier: The current time is stored in an ASN1_UTCTIME which - according to the man pages - is limited to a year range of 1950 through 2049. This explains, why in lines 2290 - 2293 only the first two digits are used to detect whether current time is before Y2k or after Y2k. However this will be fixed, this is not the current problem - not solving it will cause major trouble in 29 years...
The current error starts in line 2300. From the database, there are also used the first two digits to detect before Y2k or after Y2k. For dates starting from 2050, the result is always "20", assuming year 2020, which explains, why this issue becomes visible now.
As a first fix, there needs to be a check whether the timestamp in the database is stored with 2 digits or with 4 digits. If it is stored with 4 digits, it always has to be after Y2k.
After this is fixed, the strcmp in line 2307 will cause trouble, because it assumes the same amount of digits for years on both sides. A first fix could be to remove the first two digits of the year from the database string if it has a 4 digit year, then the strcmp in line 2307 will work properly again.

[arminfuerst]

I tried to implement my idea described above and I could fix this issue. Since I don't have a permission to create a branch in the repo, I cannot create a pull request for this. I created a classic patch file and attach it here. Perhaps someone can check my suggested solution...
issue-13944.patch.txt

[t8m]

You have to fork the repo to your personal github account first. Then you clone the fork, do the work there (preferably in a new branch) and then create the PR against the master branchm of the parent openssl repo.