From 9655e4597a2248c881eb9c1828b7169153d3eeb7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Fri, 11 Apr 2014 12:29:49 +0200
Subject: [PATCH] Reject certificates with times not in UTC
---
 ChangeLog | 1 +
 library/x509.c | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 0c18ff7bc..694cfc313 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -17,6 +17,7 @@ Changes
 * pk_verify() now returns a specific error code when the signature is valid
 but shorter than the supplied length.
 * Use UTC time to check certificate validity.
+ * Reject certificates with times not in UTC, per RFC 5280.
 
 Security
 * Avoid potential timing leak in ecdsa_sign() by blinding modular division.
diff --git a/library/x509.c b/library/x509.c
index 54623a0d7..60e1cac81 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -274,7 +274,7 @@ int x509_get_time( unsigned char **p, const unsigned char *end,
 memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
 len : sizeof( date ) - 1 );
 
- if( sscanf( date, "%2d%2d%2d%2d%2d%2d",
+ if( sscanf( date, "%2d%2d%2d%2d%2d%2dZ",
 &time->year, &time->mon, &time->day,
 &time->hour, &time->min, &time->sec ) < 5 )
 return( POLARSSL_ERR_X509_INVALID_DATE );
@@ -298,7 +298,7 @@ int x509_get_time( unsigned char **p, const unsigned char *end,
 memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
 len : sizeof( date ) - 1 );
 
- if( sscanf( date, "%4d%2d%2d%2d%2d%2d",
+ if( sscanf( date, "%4d%2d%2d%2d%2d%2dZ",
 &time->year, &time->mon, &time->day,
 &time->hour, &time->min, &time->sec ) < 5 )
 return( POLARSSL_ERR_X509_INVALID_DATE );
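Review bot: The `Z` appended to the sscanf() format in the hunk at -274 (and again in the `%4d` hunk at -298) does not reject anything, because sscanf() returns the number of conversions assigned and a literal that fails to match after the sixth `%2d` still leaves that count at 6, so the `< 5` test passes for a time with a numeric offset or with no zone designator at all. To make the suffix count, read it as a conversion and test it: add a local `char tz;`, use `"%2d%2d%2d%2d%2d%2d%c"` with `&tz` as the last argument, and compare `!= 7 || tz != 'Z'` (the same with `%4d` in the second call). That also makes the seconds field mandatory, which RFC 5280 requires but the current `< 5` threshold does not, and nothing visible here compares `len` with the expected encoded length, so bytes after the `Z` would still be accepted. x509_get_time() starts and ends outside both hunks; test certificates with an offset time and with a missing `Z` would pin the intended rejection.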