Fix certificate validity checking logic to work with !TIME_DATE

If MBEDTLS_HAVE_TIME_DATE is undefined, the functions `mbedtls_x509_time_is_past()` and `mbedtls_x509_time_is_future()` are still defined but return `0` (that is, no time is seen to in the past or future). To maintain functional correctness, this means that these functions have to be called in a way where the condition being checked for is the erroneous one: Concretely, one shouldn't check that a CRT's `validFrom` is in the past, or that its `validTo` is in the future, because that would fail if !MBEDTLS_HAVE_TIME_DATE. Instead, one should check that `validFrom` is NOT in the future, and `validTo` is NOT in the past. That was the logic previously, but an uncautious change during transition to X.509 on-demand parsing has changed it. This commit fixes this.
2024-11-27 00:15:45 +01:00 · 2019-06-10 11:14:24 +01:00 · 2019-06-10 11:14:24 +01:00 · 040c564888
commit 040c564888
parent 97aa4363e1
1 changed files with 2 additions and 2 deletions
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -2849,8 +2849,8 @@ check_signature:
            if( ret != 0 )
                return( MBEDTLS_ERR_X509_FATAL_ERROR );

-            if( mbedtls_x509_time_is_past( &parent->valid_from ) &&
-                mbedtls_x509_time_is_future( &parent->valid_to ) )
+            if( !mbedtls_x509_time_is_past( &parent->valid_to ) &&
+                !mbedtls_x509_time_is_future( &parent->valid_from ) )
            {
                parent_valid = 1;
            }