
X509: Fix bug triggered by future CA among trusted

Fix an issue that caused valid certificates to be rejected whenever an
expired or not-yet-valid version of the trusted certificate preceded the
valid version in the trusted certificate list.
This commit is contained in:
Janos Follath
2016-02-19 15:58:21 +00:00
committed by Simon Butcher
parent df4bca2029
commit b437b4b125
2 changed files with 13 additions and 6 deletions


@ -1932,6 +1932,16 @@ static int x509_crt_verify_top(
continue;
}
if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
{
continue;
}
if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
{
continue;
}
if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
child->sig_md, hash, mbedtls_md_get_size( md_info ),
child->sig.p, child->sig.len ) != 0 )
@ -1967,12 +1977,6 @@ static int x509_crt_verify_top(
((void) ca_crl);
#endif
if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED;
if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
ca_flags |= MBEDTLS_X509_BADCERT_FUTURE;
if( NULL != f_vrfy )
{
if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,
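Review bot: The two new `continue` branches in the first hunk, taken together with the removal of the `ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED` / `MBEDTLS_X509_BADCERT_FUTURE` assignments in the second hunk, presumably change what a caller sees when the only matching trusted CA is outside its validity period: the loop now finds no match at all, so the chain is reported as untrusted rather than as expired or not yet valid, and applications that treat those flags differently (for example a clock-skew policy in `f_vrfy`) lose that distinction. The verification status the fallthrough path assigns after the loop is outside this hunk, so I cannot confirm which flag ends up set; please check it and, if the regression is real, consider remembering the first expired/future match and falling back to it with the old flags when no valid copy is found. At minimum the skip deserves a comment above the new checks, e.g. `/* Skip expired or not-yet-valid copies of a trusted CA so that a valid duplicate later in the list can still match; a chain whose only matching root is outside its validity period is then reported as untrusted. */`. x509_crt_verify_top begins before the first hunk and continues after the second.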