X509: Fix bug triggered by future CA among trusted

Fix an issue that caused valid certificates being rejected whenever an expired or not yet valid version of the trusted certificate was before the valid version in the trusted certificate list.
2025-02-03 22:50:59 +00:00 · 2016-02-19 15:58:21 +00:00 · 2016-02-19 15:58:21 +00:00 · af1e74be70
parent 486c4f9a33
commit af1e74be70
2 changed files with 15 additions and 6 deletions
--- a/5
+++ b/5
@ -2,6 +2,11 @@ mbed TLS ChangeLog (Sorted per branch, date)

 = mbed TLS 1.3.x

+Bugfix
+   * Fix an issue that caused valid certificates being rejected whenever an
+   expired or not yet valid version of the trusted certificate was before the
+   valid version in the trusted certificate list.
+
 Changes
   * Add compile time option for relaxed X509 time verification to enable
     accepting certificates with non-standard time format (that is without
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -1823,6 +1823,16 @@ static int x509_crt_verify_top(
            continue;
        }

+        if( x509_time_expired( &trust_ca->valid_to ) )
+        {
+            continue;
+        }
+
+        if( x509_time_future( &trust_ca->valid_from ) )
+        {
+            continue;
+        }
+
        if( pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
                           child->sig_md, hash, md_info->size,
                           child->sig.p, child->sig.len ) != 0 )
@ -1854,12 +1864,6 @@ static int x509_crt_verify_top(
        ((void) ca_crl);
 #endif

-        if( x509_time_expired( &trust_ca->valid_to ) )
-            ca_flags |= BADCERT_EXPIRED;
-
-        if( x509_time_future( &trust_ca->valid_from ) )
-            ca_flags |= BADCERT_FUTURE;
-
        if( NULL != f_vrfy )
        {
            if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,