X509: Fix bug triggered by future CA among trusted

Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
This commit is contained in:
Janos Follath 2016-02-19 15:58:21 +00:00 committed by Andres AG
parent aeff929a5a
commit 8a8445415f
2 changed files with 17 additions and 6 deletions

View file

@ -1,5 +1,12 @@
mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 1.3.x
Bugfix
* Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
= mbed TLS 1.3.17 branch 2016-06-28
Security

View file

@ -1823,6 +1823,16 @@ static int x509_crt_verify_top(
continue;
}
if( x509_time_expired( &trust_ca->valid_to ) )
{
continue;
}
if( x509_time_future( &trust_ca->valid_from ) )
{
continue;
}
if( pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
child->sig_md, hash, md_info->size,
child->sig.p, child->sig.len ) != 0 )
@ -1854,12 +1864,6 @@ static int x509_crt_verify_top(
((void) ca_crl);
#endif
if( x509_time_expired( &trust_ca->valid_to ) )
ca_flags |= BADCERT_EXPIRED;
if( x509_time_future( &trust_ca->valid_from ) )
ca_flags |= BADCERT_FUTURE;
if( NULL != f_vrfy )
{
if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,