That way, expired certificates can co-exist with their replacements.
gnutls_datum_t data = {NULL, 0};
unsigned tries, i, finalized;
ck_bool_t trusted = 1;
+ time_t now;
if (info == NULL) {
gnutls_assert();
else
tries = 1;
+ now = gnutls_time(0);
for (i = 0; i < tries; i++) {
a_vals = 0;
gnutls_datum_t id =
{ a[1].value, a[1].value_len };
- if (i > 0 && priv->key_id.size > 0 &&
- !_gnutls_check_subject_key_id2(&priv->key_id, &data)) {
+ if (priv->key_id.size > 0 &&
+ !_gnutls_check_valid_key_id(&priv->key_id, &data, now)) {
gnutls_assert();
continue;
}
}
bool
-_gnutls_check_subject_key_id2(gnutls_datum_t *key_id,
- gnutls_datum_t *certbin)
+_gnutls_check_valid_key_id(gnutls_datum_t *key_id,
+ gnutls_datum_t *certbin, time_t now)
{
uint8_t id[MAX_KEY_ID_SIZE];
size_t id_size;
goto out;
}
+ if (now > gnutls_x509_crt_get_expiration_time(cert) &&
+ now < gnutls_x509_crt_get_activation_time(cert)) {
+ /* don't bother, certificate is not yet activated or expired */
+ gnutls_assert();
+ goto out;
+ }
+
if (gnutls_x509_crt_get_subject_key_id(cert, id, &id_size, NULL) < 0) {
gnutls_assert();
goto out;
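Review bot: The validity guard added just above the "don't bother" comment uses `&&`, so it only fires when `now` is both past the expiration time and before the activation time, which no well-formed certificate satisfies; expired and not-yet-valid certificates therefore pass straight through to the subject-key-id comparison and the intended skip never happens. The condition should be a disjunction: `if (now > gnutls_x509_crt_get_expiration_time(cert) ||` / `    now < gnutls_x509_crt_get_activation_time(cert)) {`. With the corrected test, an error return of `(time_t)-1` from the expiration getter also causes the certificate to be rejected, which is the conservative outcome here. The enclosing function begins outside this hunk.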
gnutls_datum_t *cert2bin);
bool
-_gnutls_check_subject_key_id2(gnutls_datum_t *key_id,
- gnutls_datum_t *certbin);
+_gnutls_check_valid_key_id(gnutls_datum_t *key_id,
+ gnutls_datum_t *certbin, time_t now);
bool
_gnutls_check_if_same_cert(gnutls_x509_crt_t cert1,