X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates to be rejected whenever an
expired or not yet valid version of the trusted certificate came before the
valid version in the trusted certificate list.
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 5a15c74..b7c73df 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1823,6 +1823,16 @@
continue;
}
+ if( x509_time_expired( &trust_ca->valid_to ) )
+ {
+ continue;
+ }
+
+ if( x509_time_future( &trust_ca->valid_from ) )
+ {
+ continue;
+ }
+
if( pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
child->sig_md, hash, md_info->size,
child->sig.p, child->sig.len ) != 0 )
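Review bot: The added `continue` statements silently drop the BADCERT_EXPIRED / BADCERT_FUTURE classification that the removed block in the second hunk used to report, so a chain whose only matching trust anchor is outside its validity period presumably now fails as "not trusted" rather than "CA expired"; the commit message should say so, since callers that inspect these flags to diagnose a stale root store will see a different result. The new checks deserve a comment stating the intent, e.g. `/* A trust anchor outside its validity period is skipped, not flagged: a later copy of the same CA in the list may still be valid. */`, otherwise the next reader may reinstate the flags. The time checks run before the (more expensive) pk_verify_ext() call, which is the right order. The enclosing verification function starts and ends outside this hunk.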
@@ -1854,12 +1864,6 @@
((void) ca_crl);
#endif
- if( x509_time_expired( &trust_ca->valid_to ) )
- ca_flags |= BADCERT_EXPIRED;
-
- if( x509_time_future( &trust_ca->valid_from ) )
- ca_flags |= BADCERT_FUTURE;
-
if( NULL != f_vrfy )
{
if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,