int type_CA, const X509_VERIFY_PARAM *vpm)
{
uint32_t ex_flags = X509_get_extension_flags(cert);
- int res = X509_cmp_timeframe(vpm, X509_get0_notBefore(cert),
- X509_get0_notAfter(cert));
- int ret = res == 0;
+ int ret, err;
OSSL_CMP_severity level =
vpm == NULL ? OSSL_CMP_LOG_WARNING : OSSL_CMP_LOG_ERR;
- if (!ret)
+ ret = ossl_x509_check_certificate_times(vpm, cert, &err);
+ if (!ret) {
+ const char * msg;
+ switch (err) {
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ msg = "not yet valid";
+ break;
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ msg = "has expired";
+ break;
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ msg = "has an invalid not before field";
+ break;
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ msg = "has an invalid not after field";
+ break;
+ default:
+ msg = "is invalid for an unspecfied reason";
+ break;
+ }
cert_msg(OPENSSL_FUNC, OPENSSL_FILE, OPENSSL_LINE, level, ctx,
- source, cert, res > 0 ? "has expired" : "not yet valid");
+ source, cert, msg);
+ }
if (type_CA >= 0 && (ex_flags & EXFLAG_V1) == 0) {
int is_CA = (ex_flags & EXFLAG_CA) != 0;
*
* Return 1 on success, 0 otherwise.
*/
-static int ossl_x509_compare_asn1_time(const X509_VERIFY_PARAM *vpm,
+int ossl_x509_compare_asn1_time(const X509_VERIFY_PARAM *vpm,
const ASN1_TIME *time, int *comparison)
{
const time_t *check_time = NULL;
projects / thirdparty / openssl.git / commitdiff
