X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates to be rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
diff --git a/ChangeLog b/ChangeLog
index 19aef99..58d1c39 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS 2.1.x
+
+Bugfix
+ * Fix an issue that caused valid certificates being rejected whenever an
+ expired or not yet valid version of the trusted certificate was before the
+ valid version in the trusted certificate list.
+
= mbed TLS 2.1.5 branch released 2016-06-28
Security
diff --git a/library/x509_crt.c b/library/x509_crt.c
index a1ce254..9251aed 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1947,6 +1947,16 @@
continue;
}
+ if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
+ {
+ continue;
+ }
+
+ if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
+ {
+ continue;
+ }
+
if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
child->sig_md, hash, mbedtls_md_get_size( md_info ),
child->sig.p, child->sig.len ) != 0 )
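Review bot: The two new time checks after the issuer-match `continue` silently drop an expired or not-yet-valid trusted CA before the signature check, so a chain whose only matching root is time-invalid now ends with no trusted CA found instead of with the `MBEDTLS_X509_BADCERT_EXPIRED` / `MBEDTLS_X509_BADCERT_FUTURE` flags that the second hunk removes, and the `f_vrfy` callback invoked right after those removed lines presumably no longer sees those flags for the CA, so an application can no longer knowingly accept or report a stale root. A shape that keeps the fix for a duplicate earlier in the list while preserving the diagnostics is to prefer a time-valid trusted CA but remember the first time-invalid matching one as a fallback, and only when the loop finds no valid copy verify the signature against the fallback and set the flags as the removed lines did. The fallback variable's declaration and its use after the loop fall outside this hunk, as does the enclosing loop and function. Whichever shape is kept, the new checks deserve a why-comment such as `/* Prefer a time-valid trusted CA: skip expired or not-yet-valid entries so a later valid copy of the same CA can still match */`.
```c
        /* Prefer a time-valid trusted CA, but remember the first
         * time-invalid match so its EXPIRED/FUTURE flags can still be
         * reported (and overridden by f_vrfy) when no valid copy exists. */
        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) ||
            mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
        {
            if( fallback_ca == NULL )
                fallback_ca = trust_ca;   /* signature checked after the loop */
            continue;
        }

        /* … unchanged: mbedtls_pk_verify_ext signature check … */
```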
@@ -1982,12 +1992,6 @@
((void) ca_crl);
#endif
- if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
- ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED;
-
- if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
- ca_flags |= MBEDTLS_X509_BADCERT_FUTURE;
-
if( NULL != f_vrfy )
{
if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,