-/* $OpenBSD: x509_purp.c,v 1.39 2024/03/02 10:43:52 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.40 2024/04/08 23:46:21 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2001.
*/
if (!x509_extension_oids_are_unique(x))
x->ex_flags |= EXFLAG_INVALID;
- if (!x509_verify_cert_info_populate(x))
- x->ex_flags |= EXFLAG_INVALID;
-
x->ex_flags |= EXFLAG_SET;
}
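Review bot: With the x509_verify_cert_info_populate() call dropped, an unparsable notBefore/notAfter no longer sets EXFLAG_INVALID at extension-caching time, so rejection of such certificates now rests entirely on the verify-time checks (x509_verify_cert_times() in x509_verify.c and check_cert_time() in x509_vfy.c, both touched by this commit). That is presumably the intent, but nothing here says so, and a reader looking for where bad validity times are caught will start in this function. A one-line comment before `x->ex_flags |= EXFLAG_SET;` such as `/* Validity times are not parsed or cached here; they are checked at verification time. */` would document that. The enclosing function begins outside the hunk.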
-/* $OpenBSD: x509_verify.c,v 1.68 2024/02/01 23:16:38 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.69 2024/04/08 23:46:21 beck Exp $ */
/*
* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
*
struct tm tm = { 0 };
int type;
+ if (atime == NULL)
+ return 0;
+
type = ASN1_time_parse(atime->data, atime->length, &tm, atime->type);
if (type == -1)
return 0;
return asn1_time_tm_to_time_t(&tm, out);
}
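Review bot: The new NULL guard on `atime` returns 0 without touching `*out`, matching the existing `type == -1` path, but the reason it is needed — x509_verify_cert_times() in this commit now passes the result of X509_get_notBefore()/X509_get_notAfter() straight in — is not stated. A short comment above the check, `/* Callers pass X509_get_notBefore()/X509_get_notAfter() directly; treat a missing time as a parse failure rather than dereferencing it. */`, records that contract so the guard is not removed as redundant later. The function's signature lies above the hunk.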
-/*
- * Cache certificate hash, and values parsed out of an X509.
- * called from cache_extensions()
- */
-int
-x509_verify_cert_info_populate(X509 *cert)
-{
- const ASN1_TIME *notBefore, *notAfter;
-
- /*
- * Parse and save the cert times, or remember that they
- * are unacceptable/unparsable.
- */
-
- cert->not_before = cert->not_after = -1;
-
- if ((notBefore = X509_get_notBefore(cert)) == NULL)
- return 0;
- if ((notAfter = X509_get_notAfter(cert)) == NULL)
- return 0;
-
- if (!x509_verify_asn1_time_to_time_t(notBefore, 0, &cert->not_before))
- return 0;
- if (!x509_verify_asn1_time_to_time_t(notAfter, 1, &cert->not_after))
- return 0;
-
- return 1;
-}
-
struct x509_verify_chain *
x509_verify_chain_new(void)
{
static int
x509_verify_cert_times(X509 *cert, time_t *cmp_time, int *error)
{
- time_t when;
+ time_t when, not_before, not_after;
if (cmp_time == NULL)
when = time(NULL);
else
when = *cmp_time;
- if (cert->not_before == -1) {
+ if (!x509_verify_asn1_time_to_time_t(X509_get_notBefore(cert), 0,
+ ¬_before)) {
*error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
return 0;
}
- if (when < cert->not_before) {
+ if (when < not_before) {
*error = X509_V_ERR_CERT_NOT_YET_VALID;
return 0;
}
- if (cert->not_after == -1) {
+ if (!x509_verify_asn1_time_to_time_t(X509_get_notAfter(cert), 1,
+ ¬_after)) {
*error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
return 0;
}
- if (when > cert->not_after) {
+ if (when > not_after) {
*error = X509_V_ERR_CERT_HAS_EXPIRED;
return 0;
}
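Review bot: Each call now parses both validity times from the ASN1_TIME on the spot instead of reading the values previously cached in cert->not_before/not_after, and the checks are ordered so an unparsable notAfter is only reported once notBefore has parsed and passed; a comment at the top of the function stating that times are parsed on demand and that parse failures surface as X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD / X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD would make the new contract visible. The third argument of x509_verify_asn1_time_to_time_t() is passed as a bare 0 and 1 on the two calls; if it is a notAfter flag, a trailing `/* notAfter */` on the second call would help, since its meaning is not visible in this hunk. The `¬_before` / `¬_after` glyphs on the added lines are almost certainly `&not_before` / `&not_after` mangled by an HTML entity in rendering, not something in the source. The function continues past the hunk.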
-/* $OpenBSD: x509_vfy.c,v 1.142 2024/03/02 10:40:05 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.143 2024/04/08 23:46:21 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
return ctx->verify_cb(0, ctx);
}
-
-/* Mimic OpenSSL '0 for failure' ick */
-static int
-time_t_bogocmp(time_t a, time_t b)
-{
- if (a == -1 || b == -1)
- return 0;
- if (a <= b)
- return -1;
- return 1;
-}
-
/*
* Check certificate validity times.
*
else
ptime = time(NULL);
- if (x->ex_flags & EXFLAG_SET)
- i = time_t_bogocmp(x->not_before, ptime);
- else
- i = X509_cmp_time(X509_get_notBefore(x), &ptime);
+ i = X509_cmp_time(X509_get_notBefore(x), &ptime);
if (i >= 0 && depth < 0)
return 0;
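Review bot: The x509_verify.c path in this commit gained an explicit NULL check before parsing an ASN1_TIME, but this line still hands X509_get_notBefore(x) straight to X509_cmp_time(); if X509_cmp_time() dereferences its argument unconditionally (not visible here), the two verifiers now differ on a missing validity field, and the same applies to the X509_cmp_time_internal() call for notAfter in the following hunk. If a 0 return from X509_cmp_time() is already mapped to the ERROR_IN_CERT_NOT_BEFORE_FIELD error below, the cheapest way to keep the paths aligned is `i = X509_get_notBefore(x) == NULL ? 0 : X509_cmp_time(X509_get_notBefore(x), &ptime);`, or else a comment stating that X509_cmp_time() tolerates NULL. Either way, a short comment noting that the times are no longer served from the values cached under EXFLAG_SET would help the next reader. The enclosing check_cert_time() starts and ends outside the hunk.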
X509_V_ERR_CERT_NOT_YET_VALID))
return 0;
- if (x->ex_flags & EXFLAG_SET)
- i = time_t_bogocmp(x->not_after, ptime);
- else
- i = X509_cmp_time_internal(X509_get_notAfter(x), &ptime, 1);
+ i = X509_cmp_time_internal(X509_get_notAfter(x), &ptime, 1);
if (i <= 0 && depth < 0)
return 0;