From af1e74be70fe1469013ed66e8bfa305c3f278d13 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Fri, 19 Feb 2016 15:58:21 +0000
Subject: [PATCH] X509: Fix bug triggered by future CA among trusted

Fix an issue that caused valid certificates being rejected whenever an expired or not yet valid version of the trusted certificate was before the valid version in the trusted certificate list.
---
 ChangeLog | 5 +++++
 library/x509_crt.c | 16 ++++++++++------
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 7ab61d3ca..e8294fd24 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,11 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS 1.3.x
+Bugfix
+ * Fix an issue that caused valid certificates being rejected whenever an
+ expired or not yet valid version of the trusted certificate was before the
+ valid version in the trusted certificate list.
+
 Changes
 * Add compile time option for relaxed X509 time verification to enable accepting certificates with non-standard time format (that is without
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 5a15c74fd..b7c73df1d 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1823,6 +1823,16 @@ static int x509_crt_verify_top(
 continue;
 }
+ if( x509_time_expired( &trust_ca->valid_to ) )
+ {
+ continue;
+ }
+
+ if( x509_time_future( &trust_ca->valid_from ) )
+ {
+ continue;
+ }
+
 if( pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk, child->sig_md, hash, md_info->size, child->sig.p, child->sig.len ) != 0 )
@@ -1854,12 +1864,6 @@ static int x509_crt_verify_top(
 ((void) ca_crl);
 #endif
- if( x509_time_expired( &trust_ca->valid_to ) )
- ca_flags |= BADCERT_EXPIRED;
-
- if( x509_time_future( &trust_ca->valid_from ) )
- ca_flags |= BADCERT_FUTURE;
-
 if( NULL != f_vrfy )
 {
 if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,
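Review bot: The two `continue` guards added before `pk_verify_ext` in the first x509_crt.c hunk drop an expired or not-yet-valid trust anchor without recording why, so when no other list entry matches, the caller presumably gets a generic untrusted-chain result instead of `BADCERT_EXPIRED` or `BADCERT_FUTURE`; the code after the loop is outside the hunk, so this needs confirming. Together with the removal in the second hunk, `f_vrfy` is no longer called with those flags set on `trust_ca`, which changes what a verify callback that inspects trust-anchor validity will see. If the skip stays as written, document it at the guards, for example `/* Skip trust anchors outside their validity period: another entry with the same subject may be valid. */`, and note the changed diagnostics in the ChangeLog entry. A more precise variant would remember the first time-invalid candidate whose signature check passes and fall back to it, with the flag set, only when no currently valid anchor is found. The loop and the rest of x509_crt_verify_top start and end outside the hunk.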