lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-14 20:01:00 +03:00
Code Activity

Always revoke certificate on CRL

Browse Source 
RFC5280 does not state that the `revocationDate` should be checked.

In addition, when no time source is available (i.e., when MBEDTLS_HAVE_TIME_DATE is not defined), `mbedtls_x509_time_is_past` always returns 0. This results in the CRL not being checked at all.

https://tools.ietf.org/html/rfc5280
Signed-off-by: Raoul Strackx <raoul.strackx@fortanix.com>
This commit is contained in:
Raoul Strackx
2020-06-15 17:03:13 +02:00
parent c60c30eb68
commit a4e86141f1
9 changed files with 66 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
library/x509_crt.c
View File

@ -2324,8 +2324,7 @@ int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509
if( crt->serial.len == cur->serial.len &&
memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 )
{
if( mbedtls_x509_time_is_past( &cur->revocation_date ) )
return( 1 );
return( 1 );
}
cur = cur->next;