From: job Date: Mon, 13 Mar 2023 19:46:55 +0000 (+0000) Subject: Check that the CMS signing-time isn't after the X.509 notAfter X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=db13aa11f3bc16a0cd89fc826599dd04a111dc0d;p=openbsd Check that the CMS signing-time isn't after the X.509 notAfter The CMS signing-time is the purported 'now' from the perspective of the issuer. It doesn't make sense for an issuer to sign objects that have a validity window that falls entirely in the past (from the perspective of the signer). Although CMS signing-time is not a trusted timestamp, it should never be after X.509 notAfter. OK tb@ --- diff --git a/usr.sbin/rpki-client/cms.c b/usr.sbin/rpki-client/cms.c index 6d9a11fd965..681a9c81d20 100644 --- a/usr.sbin/rpki-client/cms.c +++ b/usr.sbin/rpki-client/cms.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms.c,v 1.32 2023/03/12 11:45:52 tb Exp $ */ +/* $OpenBSD: cms.c,v 1.33 2023/03/13 19:46:55 job Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -109,6 +109,7 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der, int i, nattrs, nid; int has_ct = 0, has_md = 0, has_st = 0, has_bst = 0; + time_t notafter; int rc = 0; *xp = NULL; @@ -303,6 +304,14 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der, goto out; } + if (!x509_get_notafter(*xp, fn, ¬after)) + goto out; + if (*signtime > notafter) { + warnx("%s: dating issue: CMS signing-time after X.509 notAfter", + fn); + goto out; + } + if (CMS_SignerInfo_get0_signer_id(si, &kid, NULL, NULL) != 1 || kid == NULL) { warnx("%s: RFC 6488: could not extract SKI from SID", fn);