Reported by Romain Francoise.
* This function will return the peer's certificate expiration time.
*
* Returns: (time_t)-1 on error.
+ *
+ * Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times.
**/
time_t
gnutls_certificate_expiration_time_peers (gnutls_session_t session)
* This is the creation time for openpgp keys.
*
* Returns: (time_t)-1 on error.
+ *
+ * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times.
**/
time_t
gnutls_certificate_activation_time_peers (gnutls_session_t session)
*/
GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
GNUTLS_CERT_SIGNER_NOT_CA = 128,
- GNUTLS_CERT_INSECURE_ALGORITHM = 256
+ GNUTLS_CERT_INSECURE_ALGORITHM = 256,
+
+ /* Time verification.
+ */
+ GNUTLS_CERT_NOT_ACTIVATED = 512,
+ GNUTLS_CERT_EXPIRED = 1024
+
} gnutls_certificate_status_t;
typedef enum
/* Allow certificates to be signed using the broken MD5 algorithm.
*/
- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
+
+ /* Disable checking of activation and expiration validity
+ * periods of certificate chains. Don't set this unless you
+ * understand the security implications.
+ */
+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64
} gnutls_certificate_verify_flags;
int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
}
#endif
+ /* Check activation/expiration times
+ */
+ if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS))
+ {
+ time_t t, now = time (0);
+
+ for (i = 0; i < clist_size; i++)
+ {
+ t = gnutls_x509_crt_get_activation_time (certificate_list[i]);
+ if (t == (time_t) -1 || now < t)
+ {
+ status |= GNUTLS_CERT_NOT_ACTIVATED;
+ status |= GNUTLS_CERT_INVALID;
+ return status;
+ }
+
+ t = gnutls_x509_crt_get_expiration_time (certificate_list[i]);
+ if (t == (time_t) -1 || now > t)
+ {
+ status |= GNUTLS_CERT_EXPIRED;
+ status |= GNUTLS_CERT_INVALID;
+ return status;
+ }
+ }
+ }
+
/* Verify the certificate path (chain)
*/
for (i = clist_size - 1; i > 0; i--)
* @verify: will hold the certificate verification output.
*
* This function will try to verify the given certificate list and return its status.
- * Note that expiration and activation dates are not checked
- * by this function, you should check them using the appropriate functions.
- *
* If no flags are specified (0), this function will use the
* basicConstraints (2.5.29.19) PKIX extension. This means that only a certificate
* authority is allowed to sign a certificate.
printf ("- Peer's certificate issuer is not a CA\n");
if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
printf ("- Peer's certificate chain uses insecure algorithm\n");
+ if (status & GNUTLS_CERT_NOT_ACTIVATED)
+ printf ("- Peer's certificate chain uses not yet valid certificate\n");
+ if (status & GNUTLS_CERT_EXPIRED)
+ printf ("- Peer's certificate chain uses expired certificate\n");
if (status & GNUTLS_CERT_INVALID)
printf ("- Peer's certificate is NOT trusted\n");
else