From a503e78be693b4c624ec30af15552a0f99738bc9 Mon Sep 17 00:00:00 2001
From: Bob Beck
Date: Mon, 6 Oct 2025 10:50:31 -0600
Subject: [PATCH] Also be pedantically RFC5280 compliant in ossl_x509_check_certificate_times.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Reviewed-by: Neil Horman
Reviewed-by: Saša Nedvědický
(Merged from https://github.com/openssl/openssl/pull/28623)
---
 crypto/x509/x509_vfy.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index fda538834cc..08af5e0db32 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2154,6 +2154,7 @@ int ossl_x509_check_certificate_times(const X509_VERIFY_PARAM *vpm, X509 *x,
 {
 int err = 0, ret = 0;
 int comparison;
+ const ASN1_TIME *notafter;
 
 if (!ossl_x509_compare_asn1_time(vpm, X509_get0_notBefore(x), &comparison)) {
 err = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
@@ -2163,7 +2164,18 @@ int ossl_x509_check_certificate_times(const X509_VERIFY_PARAM *vpm, X509 *x,
 err = X509_V_ERR_CERT_NOT_YET_VALID;
 goto done;
 }
- if (!ossl_x509_compare_asn1_time(vpm, X509_get0_notAfter(x), &comparison)) {
+ /*
+ * RFC 5280 4.1.2.5:
+ * To indicate that a certificate has no well-defined expiration date,
+ * the notAfter SHOULD be assigned the GeneralizedTime value of
+ * 99991231235959Z.
+ */
+ notafter = X509_get0_notAfter(x);
+ if (strcmp((const char *)ASN1_STRING_get0_data(notafter), "99991231235959Z")
+ == 0)
+ return 1;
+
+ if (!ossl_x509_compare_asn1_time(vpm, notafter, &comparison)) {
 err = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
 goto done;
 }
-- 
2.47.3
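Review bot: The sentinel test in the second hunk calls strcmp() on ASN1_STRING_get0_data(notafter), which relies on the ASN.1 string buffer being NUL-terminated and never checks that notafter is actually a GeneralizedTime; an explicit type and length check avoids reading past the end of an unterminated buffer and pins the match to the exact form RFC 5280 describes, e.g. `if (ASN1_STRING_type(notafter) == V_ASN1_GENERALIZEDTIME` / `    && ASN1_STRING_length(notafter) == 15` / `    && memcmp(ASN1_STRING_get0_data(notafter), "99991231235959Z", 15) == 0)`. The early `return 1;` also bypasses the `done:` label that the neighbouring goto statements rely on; if that label writes the error out-parameter or does other bookkeeping (it lies outside the hunk), the sentinel path should instead set `ret = 1;` and `goto done;` so callers observe the same post-conditions on every success path. A short comment on the sentinel, such as `/* no well-defined expiry: never treat as expired, but still run the remaining checks */`, would make the intended scope of the shortcut clear. ossl_x509_check_certificate_times begins before the first hunk and ends after the second.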