mbed TLS upgraded to 2.6.0
Fork of mbedtls by
Diff: library/x509_crt.c
- Revision:
- 1:9ebc941037d5
- Parent:
- 0:cdf462088d13
- Child:
- 2:bbdeda018a3c
diff -r cdf462088d13 -r 9ebc941037d5 library/x509_crt.c --- a/library/x509_crt.c Thu Jan 05 00:18:44 2017 +0000 +++ b/library/x509_crt.c Fri Sep 29 18:41:59 2017 +0100 @@ -969,8 +969,8 @@ */ int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen ) { +#if defined(MBEDTLS_PEM_PARSE_C) int success = 0, first_error = 0, total_failed = 0; -#if defined(MBEDTLS_PEM_PARSE_C) int buf_format = MBEDTLS_X509_FORMAT_DER; #endif @@ -1904,6 +1904,7 @@ int check_path_cnt; unsigned char hash[MBEDTLS_MD_MAX_SIZE]; const mbedtls_md_info_t *md_info; + mbedtls_x509_crt *future_past_ca = NULL; if( mbedtls_x509_time_is_past( &child->valid_to ) ) *flags |= MBEDTLS_X509_BADCERT_EXPIRED; @@ -1958,16 +1959,6 @@ continue; } - if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) ) - { - continue; - } - - if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) ) - { - continue; - } - if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk, child->sig_md, hash, mbedtls_md_get_size( md_info ), child->sig.p, child->sig.len ) != 0 ) @@ -1975,6 +1966,20 @@ continue; } + if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) || + mbedtls_x509_time_is_future( &trust_ca->valid_from ) ) + { + if ( future_past_ca == NULL ) + future_past_ca = trust_ca; + + continue; + } + + break; + } + + if( trust_ca != NULL || ( trust_ca = future_past_ca ) != NULL ) + { /* * Top of chain is signed by a trusted CA */ @@ -1982,8 +1987,6 @@ if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 ) *flags |= MBEDTLS_X509_BADCERT_BAD_KEY; - - break; } /* @@ -2003,6 +2006,12 @@ ((void) ca_crl); #endif + if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) ) + ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED; + + if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) ) + ca_flags |= MBEDTLS_X509_BADCERT_FUTURE; + if( NULL != f_vrfy ) { if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,