X509: Fix bug triggered by future CA among trusted

Fix an issue that caused valid certificates being rejected whenever an expired or not yet valid version of the trusted certificate was before the valid version in the trusted certificate list.
2024-11-23 00:15:40 +01:00 · 2016-02-19 15:58:21 +00:00 · 2016-02-19 15:58:21 +00:00 · 7b26865529
commit 7b26865529
parent e223527da0
2 changed files with 17 additions and 6 deletions
--- a/7
+++ b/7
@ -1,5 +1,12 @@
 mbed TLS ChangeLog (Sorted per branch, date)

+= mbed TLS 2.1.x
+
+Bugfix
+   * Fix an issue that caused valid certificates being rejected whenever an
+   expired or not yet valid version of the trusted certificate was before the
+   valid version in the trusted certificate list.
+
 = mbed TLS 2.1.5 branch released 2016-06-28

 Security
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -1947,6 +1947,16 @@ static int x509_crt_verify_top(
            continue;
        }

+        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
+        {
+            continue;
+        }
+
+        if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
+        {
+            continue;
+        }
+
        if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
                           child->sig_md, hash, mbedtls_md_get_size( md_info ),
                           child->sig.p, child->sig.len ) != 0 )
@ -1982,12 +1992,6 @@ static int x509_crt_verify_top(
        ((void) ca_crl);
 #endif

-        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
-            ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED;
-
-        if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
-            ca_flags |= MBEDTLS_X509_BADCERT_FUTURE;
-
        if( NULL != f_vrfy )
        {
            if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,