return issuer;
}
+static unsigned int
+check_time (gnutls_x509_crt_t crt, time_t now)
+{
+ int status = 0;
+ time_t t;
+
+ t = gnutls_x509_crt_get_activation_time (crt);
+ if (t == (time_t) - 1 || now < t)
+ {
+ status |= GNUTLS_CERT_NOT_ACTIVATED;
+ status |= GNUTLS_CERT_INVALID;
+ return status;
+ }
+ t = gnutls_x509_crt_get_expiration_time (crt);
+ if (t == (time_t) - 1 || now > t)
+ {
+ status |= GNUTLS_CERT_EXPIRED;
+ status |= GNUTLS_CERT_INVALID;
+ return status;
+ }
+
+ return 0;
+}
/*
* Verifies the given certificate again a certificate list of
int tcas_size, unsigned int flags,
unsigned int *output,
gnutls_x509_crt_t * _issuer,
+ time_t now,
gnutls_verify_output_function func)
{
gnutls_datum_t cert_signed_data = { NULL, 0 };
}
}
+ /* Check activation/expiration times
+ */
+ if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS))
+ {
+ /* check the time of the issuer first */
+ if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS))
+ {
+ out |= check_time (issuer, now);
+ if (out != 0)
+ {
+ result = 0;
+ if (output) *output |= out;
+ }
+ }
+
+ out |= check_time (cert, now);
+ if (out != 0)
+ {
+ result = 0;
+ if (output) *output |= out;
+ }
+ }
+
cleanup:
if (result >= 0 && func) func(cert, issuer, NULL, out);
-
_gnutls_free_datum (&cert_signed_data);
_gnutls_free_datum (&cert_signature);
return is_issuer (cert, issuer);
}
-static unsigned int
-check_time (gnutls_x509_crt_t crt, time_t now)
-{
- int status = 0;
- time_t t;
-
- t = gnutls_x509_crt_get_activation_time (crt);
- if (t == (time_t) - 1 || now < t)
- {
- status |= GNUTLS_CERT_NOT_ACTIVATED;
- status |= GNUTLS_CERT_INVALID;
- return status;
- }
-
- t = gnutls_x509_crt_get_expiration_time (crt);
- if (t == (time_t) - 1 || now > t)
- {
- status |= GNUTLS_CERT_EXPIRED;
- status |= GNUTLS_CERT_INVALID;
- return status;
- }
-
- return 0;
-}
-
/* Verify X.509 certificate chain.
*
* Note that the return value is an OR of GNUTLS_CERT_* elements.
* If no CAs are present returns CERT_INVALID. Thus works
* in self signed etc certificates.
*/
+ output = 0;
ret = _gnutls_verify_certificate2 (certificate_list[clist_size - 1],
trusted_cas, tcas_size, flags, &output,
- &issuer, func);
+ &issuer, now, func);
if (ret == 0)
{
/* if the last certificate in the certificate
return status;
}
- /* Check activation/expiration times
- */
- if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS))
- {
- /* check the time of the issuer first */
- if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS))
- {
- if (issuer == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_INTERNAL_ERROR;
- }
-
- status |= check_time (issuer, now);
- if (status != 0)
- {
- if (func) func(certificate_list[clist_size - 1], issuer, NULL, status);
- return status;
- }
- }
-
- for (i = 0; i < clist_size; i++)
- {
- status |= check_time (certificate_list[i], now);
- if (status != 0)
- {
- if (func) func(certificate_list[i], NULL, NULL, status);
- return status;
- }
- }
- }
-
/* Verify the certificate path (chain)
*/
for (i = clist_size - 1; i > 0; i--)
{
+ output = 0;
if (i - 1 < 0)
break;
if ((ret =
_gnutls_verify_certificate2 (certificate_list[i - 1],
&certificate_list[i], 1, flags,
- NULL, NULL, func)) == 0)
+ &output, NULL, now, func)) == 0)
{
+ status |= output;
status |= GNUTLS_CERT_INVALID;
return status;
}
GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
0 },
{ "rsa-md5 fail", mayfirst_chain, &mayfirst_chain[1],
- 0, GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID },
+ 0, GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
{ "rsa-md5 not ok", mayfirst_chain, &mayfirst_chain[1],
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2,
- GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID },
+ GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },
{ "rsa-md5 not ok2", mayfirst_chain, &mayfirst_chain[1],
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5,
GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID },