From: Simon Josefsson Date: Thu, 30 Apr 2009 10:05:58 +0000 (+0200) Subject: libgnutls: Check activation/expiration times on untrusted certificates. X-Git-Tag: gnutls_2_7_8~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=72c14e1018e896a2e0adbb6c3a1448f47efcfaeb;p=thirdparty%2Fgnutls.git libgnutls: Check activation/expiration times on untrusted certificates. Reported by Romain Francoise. --- diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 7872f203ea..24ad07bc06 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -655,6 +655,8 @@ gnutls_certificate_verify_peers (gnutls_session_t session) * This function will return the peer's certificate expiration time. * * Returns: (time_t)-1 on error. + * + * Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times. **/ time_t gnutls_certificate_expiration_time_peers (gnutls_session_t session) @@ -700,6 +702,8 @@ gnutls_certificate_expiration_time_peers (gnutls_session_t session) * This is the creation time for openpgp keys. * * Returns: (time_t)-1 on error. + * + * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times. **/ time_t gnutls_certificate_activation_time_peers (gnutls_session_t session) diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index 3d8370b5a7..46ef722959 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in @@ -248,7 +248,13 @@ extern "C" { */ GNUTLS_CERT_SIGNER_NOT_FOUND = 64, GNUTLS_CERT_SIGNER_NOT_CA = 128, - GNUTLS_CERT_INSECURE_ALGORITHM = 256 + GNUTLS_CERT_INSECURE_ALGORITHM = 256, + + /* Time verification. + */ + GNUTLS_CERT_NOT_ACTIVATED = 512, + GNUTLS_CERT_EXPIRED = 1024 + } gnutls_certificate_status_t; typedef enum diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h index 9c2800e5b3..f554e47665 100644 --- a/lib/includes/gnutls/x509.h +++ b/lib/includes/gnutls/x509.h @@ -504,7 +504,13 @@ extern "C" /* Allow certificates to be signed using the broken MD5 algorithm. */ - GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32 + GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32, + + /* Disable checking of activation and expiration validity + * periods of certificate chains. Don't set this unless you + * understand the security implications. + */ + GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64 } gnutls_certificate_verify_flags; int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert, diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 599eff7e71..2f90ff63ec 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -493,6 +493,32 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, } #endif + /* Check activation/expiration times + */ + if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) + { + time_t t, now = time (0); + + for (i = 0; i < clist_size; i++) + { + t = gnutls_x509_crt_get_activation_time (certificate_list[i]); + if (t == (time_t) -1 || now < t) + { + status |= GNUTLS_CERT_NOT_ACTIVATED; + status |= GNUTLS_CERT_INVALID; + return status; + } + + t = gnutls_x509_crt_get_expiration_time (certificate_list[i]); + if (t == (time_t) -1 || now > t) + { + status |= GNUTLS_CERT_EXPIRED; + status |= GNUTLS_CERT_INVALID; + return status; + } + } + } + /* Verify the certificate path (chain) */ for (i = clist_size - 1; i > 0; i--) @@ -903,9 +929,6 @@ _gnutls_x509_privkey_verify_signature (const gnutls_datum_t * tbs, * @verify: will hold the certificate verification output. * * This function will try to verify the given certificate list and return its status. - * Note that expiration and activation dates are not checked - * by this function, you should check them using the appropriate functions. - * * If no flags are specified (0), this function will use the * basicConstraints (2.5.29.19) PKIX extension. This means that only a certificate * authority is allowed to sign a certificate. diff --git a/src/common.c b/src/common.c index c383d7daf2..226fdb750b 100644 --- a/src/common.c +++ b/src/common.c @@ -272,6 +272,10 @@ print_cert_vrfy (gnutls_session_t session) printf ("- Peer's certificate issuer is not a CA\n"); if (status & GNUTLS_CERT_INSECURE_ALGORITHM) printf ("- Peer's certificate chain uses insecure algorithm\n"); + if (status & GNUTLS_CERT_NOT_ACTIVATED) + printf ("- Peer's certificate chain uses not yet valid certificate\n"); + if (status & GNUTLS_CERT_EXPIRED) + printf ("- Peer's certificate chain uses expired certificate\n"); if (status & GNUTLS_CERT_INVALID) printf ("- Peer's certificate is NOT trusted\n"); else