From: Bob Beck <beck@openssl.org>
Date: Sat, 20 Sep 2025 02:33:09 +0000 (-0600)
Subject: Stop using X509_cmp_timeframe in cert_acceptible
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6183a47fdc25c4bf525f82f782b286485b5c2f24;p=thirdparty%2Fopenssl.git

Stop using X509_cmp_timeframe in cert_acceptible

Again, so we don't accept invalid times as valid forever.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28623)
---

diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index c4890f514b9..638843b346c 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -243,7 +243,7 @@ static int cert_acceptable(const OSSL_CMP_CTX *ctx,
     int self_issued = X509_check_issued(cert, cert) == X509_V_OK;
     char *str;
     X509_VERIFY_PARAM *vpm = ts != NULL ? X509_STORE_get0_param(ts) : NULL;
-    int time_cmp;
+    int err;
 
     ossl_cmp_log3(INFO, ctx, " considering %s%s %s with..",
                   self_issued ? "self-issued ": "", desc1, desc2);
@@ -263,14 +263,28 @@ static int cert_acceptable(const OSSL_CMP_CTX *ctx,
         return 0;
     }
 
-    time_cmp = X509_cmp_timeframe(vpm, X509_get0_notBefore(cert),
-                                  X509_get0_notAfter(cert));
-    if (time_cmp != 0) {
-        int err = time_cmp > 0 ? X509_V_ERR_CERT_HAS_EXPIRED
-                               : X509_V_ERR_CERT_NOT_YET_VALID;
+    if (!ossl_x509_check_certificate_times(vpm, cert, &err)) {
+        const char *message;
+
+        switch (err) {
+        case X509_V_ERR_CERT_NOT_YET_VALID:
+            message = "cert is not yet valid";
+            break;
+        case X509_V_ERR_CERT_HAS_EXPIRED:
+            message = "cert has expired";
+            break;
+        case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+            message = "cert has an invalid not before field";
+            break;
+        case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+            message = "cert has an invalid not after field";
+            break;
+        default:
+            message= "cert is invalid for an unspecfied reason";
+            break;
+        }
 
-        ossl_cmp_warn(ctx, time_cmp > 0 ? "cert has expired"
-                                        : "cert is not yet valid");
+        ossl_cmp_warn(ctx, message);
         if (ctx->log_cb != NULL /* logging not temporarily disabled */
                 && verify_cb_cert(ts, cert, err) <= 0)
             return 0;