-/* $OpenBSD: x509_internal.h,v 1.26 2023/09/29 15:53:59 beck Exp $ */
+/* $OpenBSD: x509_internal.h,v 1.27 2023/11/13 10:33:00 tb Exp $ */
/*
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
*
int x509v3_cache_extensions(X509 *x);
X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x);
-time_t x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notafter);
+int x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notafter,
+ time_t *out);
struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc);
struct x509_constraints_names *excluded, int *error);
int x509_constraints_chain(STACK_OF(X509) *chain, int *error,
int *depth);
-void x509_verify_cert_info_populate(X509 *cert);
+int x509_verify_cert_info_populate(X509 *cert);
int x509_vfy_check_security_level(X509_STORE_CTX *ctx);
__END_HIDDEN_DECLS
-/* $OpenBSD: x509_purp.c,v 1.29 2023/08/18 08:42:41 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.30 2023/11/13 10:33:00 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2001.
*/
if (!x509_extension_oids_are_unique(x))
x->ex_flags |= EXFLAG_INVALID;
- x509_verify_cert_info_populate(x);
+ if (!x509_verify_cert_info_populate(x))
+ x->ex_flags |= EXFLAG_INVALID;
x->ex_flags |= EXFLAG_SET;
}
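Review bot: Setting EXFLAG_INVALID when the validity times fail to parse deserves a comment at this call, because the flag marks the whole certificate as invalid rather than recording a time-specific error. A caller that deliberately skips time checks would presumably now see such a certificate rejected as well, which is a fail-closed change in behaviour. A line such as `/* Unparsable notBefore/notAfter makes the certificate invalid. */` above the new `if` would make that choice explicit. The enclosing function starts outside this hunk.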
-/* $OpenBSD: x509_verify.c,v 1.66 2023/05/07 07:11:50 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.67 2023/11/13 10:33:00 tb Exp $ */
/*
* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
*
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "asn1_local.h"
#include "x509_internal.h"
#include "x509_issuer_cache.h"
* Parse an asn1 to a representable time_t as per RFC 5280 rules.
* Returns -1 if that can't be done for any reason.
*/
-time_t
-x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter)
+int
+x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter,
+ time_t *out)
{
struct tm tm = { 0 };
int type;
type = ASN1_time_parse(atime->data, atime->length, &tm, atime->type);
if (type == -1)
- return -1;
+ return 0;
/* RFC 5280 section 4.1.2.5 */
if (tm.tm_year < 150 && type != V_ASN1_UTCTIME)
- return -1;
+ return 0;
if (tm.tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME)
- return -1;
+ return 0;
if (notAfter) {
/*
* date, limit the date to a 32 bit representable value.
*/
if (!ASN1_time_tm_clamp_notafter(&tm))
- return -1;
+ return 0;
}
/*
* a time_t. A time_t must be sane if you care about times after
* Jan 19 2038.
*/
- return timegm(&tm);
+ return asn1_time_tm_to_time_t(&tm, out);
}
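Review bot: The comment above x509_verify_asn1_time_to_time_t still says `Returns -1 if that can't be done for any reason`, but every failure path in the new code returns 0 and the parsed value is now delivered through `out`. I would change that line to `* Returns 1 and sets *out on success, 0 if that can't be done for any reason.`; the success value comes from asn1_time_tm_to_time_t, which is not shown here, so confirm it returns 1. The comment should also say whether `*out` is left untouched on failure, since x509_verify_cert_info_populate relies on its preset -1 surviving a failed call. Parts of the function body lie outside the visible hunk lines.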
/*
* Cache certificate hash, and values parsed out of an X509.
* called from cache_extensions()
*/
-void
+int
x509_verify_cert_info_populate(X509 *cert)
{
+ const ASN1_TIME *notBefore, *notAfter;
+
/*
* Parse and save the cert times, or remember that they
* are unacceptable/unparsable.
*/
- cert->not_before = x509_verify_asn1_time_to_time_t(X509_get_notBefore(cert), 0);
- cert->not_after = x509_verify_asn1_time_to_time_t(X509_get_notAfter(cert), 1);
+
+ cert->not_before = cert->not_after = -1;
+
+ if ((notBefore = X509_get_notBefore(cert)) == NULL)
+ return 0;
+ if ((notAfter = X509_get_notAfter(cert)) == NULL)
+ return 0;
+
+ if (!x509_verify_asn1_time_to_time_t(notBefore, 0, &cert->not_before))
+ return 0;
+ if (!x509_verify_asn1_time_to_time_t(notAfter, 1, &cert->not_after))
+ return 0;
+
+ return 1;
}
struct x509_verify_chain *
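Review bot: `cert->not_before` and `cert->not_after` are still preset to -1 as the "unparsable" marker, yet with the out-parameter a successful parse can now legitimately store -1 (one second before the epoch), so any reader of these fields that tests `== -1` remains ambiguous. Such readers are not visible in this hunk; if they exist, they should key off the new return value or the EXFLAG_INVALID flag set by the caller instead of the sentinel. The header comment should also document the new result, for example `* Returns 1 if both times were parsed, 0 otherwise.`, and mention that notAfter is not parsed at all when notBefore fails.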
-/* $OpenBSD: x509_vfy.c,v 1.125 2023/06/08 22:02:40 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.126 2023/11/13 10:33:00 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
else
compare = *cmp_time;
- if ((cert_time = x509_verify_asn1_time_to_time_t(ctm, is_notafter)) ==
- -1)
+ if (!x509_verify_asn1_time_to_time_t(ctm, is_notafter, &cert_time))
return 0; /* invalid time */
if (cert_time <= compare)