diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h index 6dabf3735..9cc757b58 100644 --- a/include/polarssl/x509.h +++ b/include/polarssl/x509.h @@ -669,15 +669,26 @@ int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid ); /** * \brief Check a given x509_time against the system time and check - * if it is valid. + * if it is not expired. * * \param time x509_time to check * - * \return Return 0 if the x509_time is still valid, + * \return 0 if the x509_time is still valid, * or 1 otherwise. */ int x509parse_time_expired( const x509_time *time ); +/** + * \brief Check a given x509_time against the system time and check + * if it is not from the future. + * + * \param time x509_time to check + * + * \return 0 if the x509_time is already valid, + * or 1 otherwise. + */ +int x509parse_time_future( const x509_time *time ); + /** * \name Functions to verify a certificate * \{ diff --git a/library/x509parse.c b/library/x509parse.c index d3174c32d..8de0d9815 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -3078,22 +3078,19 @@ int x509parse_crl_info( char *buf, size_t size, const char *prefix, /* * Return 0 if the x509_time is still valid, or 1 otherwise. */ -int x509parse_time_expired( const x509_time *to ) +static void x509_get_current_time( x509_time *now ) { - int year, mon, day; - int hour, min, sec; - #if defined(_WIN32) SYSTEMTIME st; GetLocalTime(&st); - year = st.wYear; - mon = st.wMonth; - day = st.wDay; - hour = st.wHour; - min = st.wMinute; - sec = st.wSecond; + now->year = st.wYear; + now->mon = st.wMonth; + now->day = st.wDay; + now->hour = st.wHour; + now->min = st.wMinute; + now->sec = st.wSecond; #else struct tm *lt; time_t tt; @@ -3101,50 +3098,74 @@ int x509parse_time_expired( const x509_time *to ) tt = time( NULL ); lt = localtime( &tt ); - year = lt->tm_year + 1900; - mon = lt->tm_mon + 1; - day = lt->tm_mday; - hour = lt->tm_hour; - min = lt->tm_min; - sec = lt->tm_sec; + now->year = lt->tm_year + 1900; + now->mon = lt->tm_mon + 1; + now->day = lt->tm_mday; + now->hour = lt->tm_hour; + now->min = lt->tm_min; + now->sec = lt->tm_sec; #endif +} - if( year > to->year ) +/* + * Return 0 if before <= after, 1 otherwise + */ +static int x509_check_time( const x509_time *before, const x509_time *after ) +{ + if( before->year > after->year ) return( 1 ); - if( year == to->year && - mon > to->mon ) + if( before->year == after->year && + before->mon > after->mon ) return( 1 ); - if( year == to->year && - mon == to->mon && - day > to->day ) + if( before->year == after->year && + before->mon == after->mon && + before->day > after->day ) return( 1 ); - if( year == to->year && - mon == to->mon && - day == to->day && - hour > to->hour ) + if( before->year == after->year && + before->mon == after->mon && + before->day == after->day && + before->hour > after->hour ) return( 1 ); - if( year == to->year && - mon == to->mon && - day == to->day && - hour == to->hour && - min > to->min ) + if( before->year == after->year && + before->mon == after->mon && + before->day == after->day && + before->hour == after->hour && + before->min > after->min ) return( 1 ); - if( year == to->year && - mon == to->mon && - day == to->day && - hour == to->hour && - min == to->min && - sec > to->sec ) + if( before->year == after->year && + before->mon == after->mon && + before->day == after->day && + before->hour == after->hour && + before->min == after->min && + before->sec > after->sec ) return( 1 ); return( 0 ); } +int x509parse_time_expired( const x509_time *to ) +{ + x509_time now; + + x509_get_current_time( &now ); + + return( x509_check_time( &now, to ) ); +} + +int x509parse_time_future( const x509_time *from ) +{ + x509_time now; + + x509_get_current_time( &now ); + + return( x509_check_time( from, &now ) ); +} + /* * Return 1 if the certificate is revoked, or 0 otherwise. */ diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 1b87f8d7b..22f63551a 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -226,6 +226,14 @@ X509 Time Expired #6:POLARSSL_FS_IO depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO x509_time_expired:"data_files/test-ca.crt":valid_to:0 +X509 Time Future #1 +depends_on:POLARSSL_FS_IO +x509_time_future:"data_files/server2.crt":valid_from:0 + +X509 Time Future #2 +depends_on:POLARSSL_FS_IO +x509_time_future:"data_files/server2.crt":valid_to:1 + X509 Certificate verification #1 (Revoked Cert, Expired CRL) depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_EXPIRED:NULL diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 26f5c4c10..637d13c66 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -136,6 +136,20 @@ x509_time_expired:crt_file:entity:result } END_CASE +BEGIN_CASE +x509_time_future:crt_file:entity:result +{ + x509_cert crt; + + memset( &crt, 0, sizeof( x509_cert ) ); + + TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 ); + TEST_ASSERT( x509parse_time_future( &crt.{entity} ) == {result} ); + + x509_free( &crt ); +} +END_CASE + BEGIN_CASE x509parse_keyfile:key_file:password:result {