Reject certificates with times not in UTC

2024-11-22 11:15:43 +01:00 · 2014-04-11 12:29:49 +02:00 · 2014-04-11 12:29:49 +02:00 · 9655e4597a
commit 9655e4597a
parent 0776a43788
2 changed files with 3 additions and 2 deletions
--- a/1
+++ b/1
@ -17,6 +17,7 @@ Changes
   * pk_verify() now returns a specific error code when the signature is valid
     but shorter than the supplied length.
   * Use UTC time to check certificate validity.
+   * Reject certificates with times not in UTC, per RFC 5280.

 Security
   * Avoid potential timing leak in ecdsa_sign() by blinding modular division.
--- a/library/x509.c
+++ b/library/x509.c
@ -274,7 +274,7 @@ int x509_get_time( unsigned char **p, const unsigned char *end,
        memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
                len : sizeof( date ) - 1 );

-        if( sscanf( date, "%2d%2d%2d%2d%2d%2d",
+        if( sscanf( date, "%2d%2d%2d%2d%2d%2dZ",
                    &time->year, &time->mon, &time->day,
                    &time->hour, &time->min, &time->sec ) < 5 )
            return( POLARSSL_ERR_X509_INVALID_DATE );
@ -298,7 +298,7 @@ int x509_get_time( unsigned char **p, const unsigned char *end,
        memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
                len : sizeof( date ) - 1 );

-        if( sscanf( date, "%4d%2d%2d%2d%2d%2d",
+        if( sscanf( date, "%4d%2d%2d%2d%2d%2dZ",
                    &time->year, &time->mon, &time->day,
                    &time->hour, &time->min, &time->sec ) < 5 )
            return( POLARSSL_ERR_X509_INVALID_DATE );