From 57c4096b3d23c36cc8021aa5aad7cff40f721c0c Mon Sep 17 00:00:00 2001
From: Bob Beck
Date: Fri, 19 Sep 2025 19:35:36 -0600
Subject: [PATCH] Stop using X509_cmp_timeframe in ossl_X509_check
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
To no longer accept invalid certificate times as valid forver.
Reviewed-by: Neil Horman
Reviewed-by: Saša Nedvědický
(Merged from https://github.com/openssl/openssl/pull/28623)
---
 crypto/cmp/cmp_genm.c | 28 +++++++++++++++++++++++-----
 crypto/x509/x509_vfy.c | 2 +-
 2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/crypto/cmp/cmp_genm.c b/crypto/cmp/cmp_genm.c
index 40731cc4d09..963d1e4bce1 100644
--- a/crypto/cmp/cmp_genm.c
+++ b/crypto/cmp/cmp_genm.c
@@ -36,15 +36,33 @@ static int ossl_X509_check(OSSL_CMP_CTX *ctx, const char *source, X509 *cert,
 int type_CA, const X509_VERIFY_PARAM *vpm)
 {
 uint32_t ex_flags = X509_get_extension_flags(cert);
- int res = X509_cmp_timeframe(vpm, X509_get0_notBefore(cert),
- X509_get0_notAfter(cert));
- int ret = res == 0;
+ int ret, err;
 OSSL_CMP_severity level = vpm == NULL ? OSSL_CMP_LOG_WARNING : OSSL_CMP_LOG_ERR;
- if (!ret)
+ ret = ossl_x509_check_certificate_times(vpm, cert, &err);
+ if (!ret) {
+ const char * msg;
+ switch (err) {
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ msg = "not yet valid";
+ break;
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ msg = "has expired";
+ break;
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ msg = "has an invalid not before field";
+ break;
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ msg = "has an invalid not after field";
+ break;
+ default:
+ msg = "is invalid for an unspecfied reason";
+ break;
+ }
 cert_msg(OPENSSL_FUNC, OPENSSL_FILE, OPENSSL_LINE, level, ctx,
- source, cert, res > 0 ? "has expired" : "not yet valid");
+ source, cert, msg);
+ }
 if (type_CA >= 0 && (ex_flags & EXFLAG_V1) == 0) {
 int is_CA = (ex_flags & EXFLAG_CA) != 0; 
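Review bot: The default branch of the new switch misspells "unspecified" — `msg = "is invalid for an unspecfied reason";` — and that string is handed straight to cert_msg, so the typo lands in the logged diagnostic; it should read `msg = "is invalid for an unspecified reason";`. `err` is declared without an initializer in `int ret, err;` and is read whenever ret is 0, so the switch is only safe if ossl_x509_check_certificate_times stores *err on every failure path, which this diff does not show; `int ret, err = X509_V_OK;` makes the default branch a guaranteed fallback instead of a potentially indeterminate read. The surrounding code still treats vpm == NULL as a legitimate input (`level` is downgraded to a warning for it), and whether the replacement call accepts a NULL vpm the way the removed X509_cmp_timeframe call did cannot be confirmed from this hunk, so that path deserves a check before the old behaviour is relied on. `const char * msg;` should be `const char *msg;` to match the declarator style on the neighbouring lines. The body of ossl_X509_check continues past the end of the hunk.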
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 5df13c6fe71..c7b4189d8eb 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2130,7 +2130,7 @@ static int check_policy(X509_STORE_CTX *ctx)
 *
 * Return 1 on success, 0 otherwise.
 */
-static int ossl_x509_compare_asn1_time(const X509_VERIFY_PARAM *vpm,
+int ossl_x509_compare_asn1_time(const X509_VERIFY_PARAM *vpm,
 const ASN1_TIME *time, int *comparison)
 {
 const time_t *check_time = NULL;
-- 
2.47.3
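Review bot: Dropping `static` from ossl_x509_compare_asn1_time turns it into an external symbol, yet the diffstat lists no header, so no prototype for it appears anywhere in this patch; with -Wmissing-prototypes that is a warning, and any caller in another translation unit depends on a declaration this commit does not show — presumably it already exists in an internal header or arrives in a companion change, but that is worth confirming. Nothing in the cmp_genm.c hunk calls this function (it calls ossl_x509_check_certificate_times, which is also absent from the diff), so the commit message should state why the symbol is being exported. Now that the function is part of the internal interface, the comment block above it should spell out the contract for `comparison` — what value it receives and whether it is written on the failure (return 0) path — unless the lines above the hunk already do. The check_policy name in the hunk header is git's context guess; the function actually changed is ossl_x509_compare_asn1_time, whose body continues past the hunk.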