X509: Fix bug triggered by future CA among trusted

Fix an issue that caused valid certificates to be rejected whenever an
expired or not-yet-valid version of the trusted certificate came before the
valid version in the trusted certificate list.
diff --git a/ChangeLog b/ChangeLog
index e9b6790..a1afbaa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,9 @@
    * Fix issue in Makefile that prevented building using armar. #386
    * Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and
      ECDSA was disabled in config.h . The leak didn't occur by default.
+   * Fix an issue that caused valid certificates being rejected whenever an
+   expired or not yet valid version of the trusted certificate was before the
+   valid version in the trusted certificate list.
 
 Changes
    * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 3eaf5bc..334b8ef 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1932,6 +1932,16 @@
             continue;
         }
 
+        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
+        {
+            continue;
+        }
+
+        if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
+        {
+            continue;
+        }
+
         if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
                            child->sig_md, hash, mbedtls_md_get_size( md_info ),
                            child->sig.p, child->sig.len ) != 0 )
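Review bot: The two `continue` branches added before the `mbedtls_pk_verify_ext` call skip an expired or not-yet-valid trust anchor without leaving any trace, and the second hunk removes the only visible places where `MBEDTLS_X509_BADCERT_EXPIRED` and `MBEDTLS_X509_BADCERT_FUTURE` were set on `ca_flags`. If the only trusted CA matching the child is outside its validity window, the caller will presumably now get whatever the code after this loop reports when no trusted CA is found (that code is outside the hunk) rather than an expiry flag, which makes an expired root harder to diagnose. That behaviour change deserves a mention in the ChangeLog entry and a regression test covering both orderings of the stale and the valid copy in the trusted list. At minimum, state the intent in a comment above the checks, e.g. `/* Skip anchors outside their validity period: a later entry in the list may be a currently valid copy of the same CA. */`. The enclosing loop and function begin and end outside the hunk.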
@@ -1967,12 +1977,6 @@
         ((void) ca_crl);
 #endif
 
-        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
-            ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED;
-
-        if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
-            ca_flags |= MBEDTLS_X509_BADCERT_FUTURE;
-
         if( NULL != f_vrfy )
         {
             if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,