X509: Fix bug triggered by future CA among trusted

Fix an issue that caused valid certificates being rejected whenever an expired or not yet valid version of the trusted certificate was before the valid version in the trusted certificate list.
2024-11-22 23:45:49 +01:00 · 2016-02-19 15:58:21 +00:00 · 2016-02-19 15:58:21 +00:00 · c72d642595
commit c72d642595
parent 884b4fc2e9
2 changed files with 13 additions and 6 deletions
--- a/3
+++ b/3
@ -11,6 +11,9 @@ Bugfix
   * Fix issue in Makefile that prevented building using armar. #386
   * Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and
     ECDSA was disabled in config.h . The leak didn't occur by default.
+   * Fix an issue that caused valid certificates being rejected whenever an
+   expired or not yet valid version of the trusted certificate was before the
+   valid version in the trusted certificate list.

 Changes
   * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -1932,6 +1932,16 @@ static int x509_crt_verify_top(
            continue;
        }

+        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
+        {
+            continue;
+        }
+
+        if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
+        {
+            continue;
+        }
+
        if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
                           child->sig_md, hash, mbedtls_md_get_size( md_info ),
                           child->sig.p, child->sig.len ) != 0 )
@ -1967,12 +1977,6 @@ static int x509_crt_verify_top(
        ((void) ca_crl);
 #endif

-        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
-            ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED;
-
-        if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
-            ca_flags |= MBEDTLS_X509_BADCERT_FUTURE;
-
        if( NULL != f_vrfy )
        {
            if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,