path: root/src/lib/libcrypto/x509/x509_verify.c
Diffstat (limited to 'src/lib/libcrypto/x509/x509_verify.c')
-rw-r--r--src/lib/libcrypto/x509/x509_verify.c46
1 files changed, 11 insertions, 35 deletions
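diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 19bb925d9c..c7b2219fa9 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.68 2024/02/01 23:16:38 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.69 2024/04/08 23:46:21 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
  *
@@ -52,6 +52,9 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter,
 	struct tm tm = { 0 };
 	int type;
 
+	if (atime == NULL)
+		return 0;
+
 	type = ASN1_time_parse(atime->data, atime->length, &tm, atime->type);
 	if (type == -1)
 		return 0;
@@ -80,35 +83,6 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter,
 	return asn1_time_tm_to_time_t(&tm, out);
 }
 
-/*
- * Cache certificate hash, and values parsed out of an X509.
- * called from cache_extensions()
- */
-int
-x509_verify_cert_info_populate(X509 *cert)
-{
-	const ASN1_TIME *notBefore, *notAfter;
-
-	/*
-	 * Parse and save the cert times, or remember that they
-	 * are unacceptable/unparsable.
-	 */
-
-	cert->not_before = cert->not_after = -1;
-
-	if ((notBefore = X509_get_notBefore(cert)) == NULL)
-		return 0;
-	if ((notAfter = X509_get_notAfter(cert)) == NULL)
-		return 0;
-
-	if (!x509_verify_asn1_time_to_time_t(notBefore, 0, &cert->not_before))
-		return 0;
-	if (!x509_verify_asn1_time_to_time_t(notAfter, 1, &cert->not_after))
-		return 0;
-
-	return 1;
-}
-
 struct x509_verify_chain *
 x509_verify_chain_new(void)
 {
@@ -840,26 +814,28 @@ x509_verify_set_check_time(struct x509_verify_ctx *ctx)
 static int
 x509_verify_cert_times(X509 *cert, time_t *cmp_time, int *error)
 {
-	time_t when;
+	time_t when, not_before, not_after;
 
 	if (cmp_time == NULL)
 		when = time(NULL);
 	else
 		when = *cmp_time;
 
-	if (cert->not_before == -1) {
+	if (!x509_verify_asn1_time_to_time_t(X509_get_notBefore(cert), 0,
+	    &not_before)) {
 		*error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
 		return 0;
 	}
-	if (when < cert->not_before) {
+	if (when < not_before) {
 		*error = X509_V_ERR_CERT_NOT_YET_VALID;
 		return 0;
 	}
-	if (cert->not_after == -1) {
+	if (!x509_verify_asn1_time_to_time_t(X509_get_notAfter(cert), 1,
+	    &not_after)) {
 		*error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
 		return 0;
 	}
-	if (when > cert->not_after) {
+	if (when > not_after) {
 		*error = X509_V_ERR_CERT_HAS_EXPIRED;
 		return 0;
 	}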
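Review bot: The two new calls in x509_verify_cert_times rely on the NULL guard added to x509_verify_asn1_time_to_time_t in the earlier hunk, so a certificate whose notBefore or notAfter is absent is now reported as X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD / X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD rather than being refused at cache time, and nothing in either hunk records that this folding is intended; a line such as `/* A missing or unparsable time is reported as a bad field. */` above the first call would pin the contract. The values were previously cached on the X509 by the deleted x509_verify_cert_info_populate, so both ASN1_TIME values are now parsed on every call; if this runs once per candidate certificate during chain building (the callers are outside the hunk, so I cannot confirm), that is a repeated cost the cache avoided, and if dropping the cache is deliberate a one-line comment saying so would keep the next reader from reintroducing it. The success return at the end of x509_verify_cert_times lies past the end of the hunk.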