[crypto] Allow an error margin on X.509 certificate validity periods

iPXE has no concept of the local time zone, mainly because there is no
viable way to obtain time zone information in the absence of local
state.  This causes potential problems with newly-issued certificates
and certificates that are about to expire.

Avoid such problems by allowing an error margin of around 12 hours on
certificate validity periods, similar to the error margin already
allowed for OCSP response timestamps.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index f5d03dc686498cb21b8fb2893a5a8c70e172da1d..ab75dea35ad866128c669a1f8b03f03141bedd0c 100644 (file)
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -794,12 +794,12 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
        /* Check OCSP response is valid at the specified time
         * (allowing for some margin of error).
         */
-       if ( response->this_update > ( time + OCSP_ERROR_MARGIN_TIME ) ) {
+       if ( response->this_update > ( time + X509_ERROR_MARGIN_TIME ) ) {
                DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
                       "time %lld)\n", ocsp, ocsp->cert->subject.name, time );
                return -EACCES_STALE;
        }
-       if ( response->next_update < ( time - OCSP_ERROR_MARGIN_TIME ) ) {
+       if ( response->next_update < ( time - X509_ERROR_MARGIN_TIME ) ) {
                DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
                       "%lld)\n", ocsp, ocsp->cert->subject.name, time );
                return -EACCES_STALE;

diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 1a27eb24ca0621c12d7d962e5c656a952932d566..a99f6ab93436dae91003048de87e4617e021df1a 100644 (file)
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -1264,12 +1264,12 @@ int x509_check_time ( struct x509_certificate *cert, time_t time ) {
        struct x509_validity *validity = &cert->validity;
 
        /* Check validity period */
-       if ( time < validity->not_before.time ) {
+       if ( validity->not_before.time > ( time + X509_ERROR_MARGIN_TIME ) ) {
                DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
                       cert, cert->subject.name, time );
                return -EACCES_EXPIRED;
        }
-       if ( time > validity->not_after.time ) {
+       if ( validity->not_after.time < ( time - X509_ERROR_MARGIN_TIME ) ) {
                DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
                       cert, cert->subject.name, time );
                return -EACCES_EXPIRED;

diff --git a/src/include/ipxe/ocsp.h b/src/include/ipxe/ocsp.h
index 2521681c010be2a17b34a85313c7b44a97625d80..fe825fd063d866bad7cce6affcfeee50b1827a04 100644 (file)
--- a/src/include/ipxe/ocsp.h
+++ b/src/include/ipxe/ocsp.h
@@ -28,14 +28,6 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #define OCSP_STATUS_SIG_REQUIRED       0x05
 #define OCSP_STATUS_UNAUTHORIZED       0x06
 
-/** Margin of error allowed in OCSP response times
- *
- * We allow a generous margin of error: 12 hours to allow for the
- * local time zone being non-GMT, plus 30 minutes to allow for general
- * clock drift.
- */
-#define OCSP_ERROR_MARGIN_TIME ( ( 12 * 60 + 30 ) * 60 )
-
 /** An OCSP request */
 struct ocsp_request {
        /** Request builder */

diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
index a5626c8a8b59adf7f9d7cb34309f22192ac42729..a47942a75e992ad7f0b71ed5b01d09f7a16aa489 100644 (file)
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -42,6 +42,14 @@ struct x509_validity {
        struct x509_time not_after;
 };
 
+/** Margin of error allowed in X.509 response times
+ *
+ * We allow a generous margin of error: 12 hours to allow for the
+ * local time zone being non-GMT, plus 30 minutes to allow for general
+ * clock drift.
+ */
+#define X509_ERROR_MARGIN_TIME ( ( 12 * 60 + 30 ) * 60 )
+
 /** An X.509 certificate public key */
 struct x509_public_key {
        /** Raw public key information */