X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
diff --git a/ChangeLog b/ChangeLog
index 7ab61d3..e8294fd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,11 @@
= mbed TLS 1.3.x
+Bugfix
+ * Fix an issue that caused valid certificates being rejected whenever an
+ expired or not yet valid version of the trusted certificate was before the
+ valid version in the trusted certificate list.
+
Changes
* Add compile time option for relaxed X509 time verification to enable
accepting certificates with non-standard time format (that is without
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 5a15c74..b7c73df 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1823,6 +1823,16 @@
continue;
}
+ if( x509_time_expired( &trust_ca->valid_to ) )
+ {
+ continue;
+ }
+
+ if( x509_time_future( &trust_ca->valid_from ) )
+ {
+ continue;
+ }
+
if( pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
child->sig_md, hash, md_info->size,
child->sig.p, child->sig.len ) != 0 )
@@ -1854,12 +1864,6 @@
((void) ca_crl);
#endif
- if( x509_time_expired( &trust_ca->valid_to ) )
- ca_flags |= BADCERT_EXPIRED;
-
- if( x509_time_future( &trust_ca->valid_from ) )
- ca_flags |= BADCERT_FUTURE;
-
if( NULL != f_vrfy )
{
if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,