Index: gnutls-2.6.5/includes/gnutls/gnutls.h.in
===================================================================
--- gnutls-2.6.5.orig/includes/gnutls/gnutls.h.in
+++ gnutls-2.6.5/includes/gnutls/gnutls.h.in
@@ -251,7 +251,13 @@ extern "C"
      */
     GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
     GNUTLS_CERT_SIGNER_NOT_CA = 128,
-    GNUTLS_CERT_INSECURE_ALGORITHM = 256
+    GNUTLS_CERT_INSECURE_ALGORITHM = 256,
+
+    /* Time verification.
+     */
+    GNUTLS_CERT_NOT_ACTIVATED = 512,
+    GNUTLS_CERT_EXPIRED = 1024
+
   } gnutls_certificate_status_t;
 
   typedef enum
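Review bot: The two new status bits are introduced with only the words "Time verification" as documentation, although this header is the place callers look up what a gnutls_certificate_status_t bit means; the verify.c part of this patch shows they are always raised together with GNUTLS_CERT_INVALID and never raised when GNUTLS_VERIFY_DISABLE_TIME_CHECKS is passed, so say so here, e.g. `/* Time verification: set together with GNUTLS_CERT_INVALID when a certificate in the chain is not yet valid or has expired; not checked if GNUTLS_VERIFY_DISABLE_TIME_CHECKS is given. */`. The blank line inserted after `GNUTLS_CERT_EXPIRED = 1024` and before the closing brace is stray and should be dropped. The enum's opening line and any leading comment lie above the hunk.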
Index: gnutls-2.6.5/includes/gnutls/x509.h
===================================================================
--- gnutls-2.6.5.orig/includes/gnutls/x509.h
+++ gnutls-2.6.5/includes/gnutls/x509.h
@@ -481,7 +481,13 @@ extern "C"
 
     /* Allow certificates to be signed using the broken MD5 algorithm.
      */
-    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32
+    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
+
+    /* Disable checking of activation and expiration validity
+     * periods of certificate chains. Don't set this unless you
+     * understand the security implications.
+     */
+    GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64
   } gnutls_certificate_verify_flags;
 
   int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
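Review bot: The comment on GNUTLS_VERIFY_DISABLE_TIME_CHECKS warns about security implications but does not tell the caller what observable effect the flag has; from the verify.c hunk in this patch, it suppresses GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED entirely, so chains that are expired or not yet valid verify as if their validity period were fine. Consider appending `* When set, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED are never reported.` to the comment so the trade-off is explicit at the declaration. The enum's opening line is above the hunk.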
Index: gnutls-2.6.5/lib/x509/verify.c
===================================================================
--- gnutls-2.6.5.orig/lib/x509/verify.c
+++ gnutls-2.6.5/lib/x509/verify.c
@@ -493,6 +493,32 @@ _gnutls_x509_verify_certificate (const g
     }
 #endif
 
+  /* Check activation/expiration times
+   */
+  if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS))
+    {
+      time_t t, now = time (0);
+
+      for (i = 0; i < clist_size; i++)
+	{
+	  t = gnutls_x509_crt_get_activation_time (certificate_list[i]);
+	  if (t == (time_t) -1 || now < t)
+	    {
+	      status |= GNUTLS_CERT_NOT_ACTIVATED;
+	      status |= GNUTLS_CERT_INVALID;
+	      return status;
+	    }
+
+	  t = gnutls_x509_crt_get_expiration_time (certificate_list[i]);
+	  if (t == (time_t) -1 || now > t)
+	    {
+	      status |= GNUTLS_CERT_EXPIRED;
+	      status |= GNUTLS_CERT_INVALID;
+	      return status;
+	    }
+	}
+    }
+
   /* Verify the certificate path (chain)
    */
   for (i = clist_size - 1; i > 0; i--)
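Review bot: The time check returns from `_gnutls_x509_verify_certificate` at the first certificate whose validity period fails, so the chain-signature loop that follows it never runs and the caller only ever sees one of GNUTLS_CERT_NOT_ACTIVATED / GNUTLS_CERT_EXPIRED for the first offending certificate, without any of the signature-related bits; if fail-fast is intended, it should be stated in the comment (`/* Check activation/expiration times; a failure here ends verification before the chain signatures are checked. */`), otherwise drop the two `return status;` lines so the bits accumulate like the other checks. The result of `time (0)` is not checked; if it returns (time_t) -1 the `now < t` comparison happens to report every certificate as not yet activated, which is fail-closed but only by accident, so an explicit `if (now == (time_t) -1)` branch that sets GNUTLS_CERT_INVALID would make the intent clear. Treating a (time_t) -1 result from the two getter calls as a failure is the right, fail-closed choice and deserves a short comment. The function starts before and continues after this hunk.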
Index: gnutls-2.6.5/src/common.c
===================================================================
--- gnutls-2.6.5.orig/src/common.c
+++ gnutls-2.6.5/src/common.c
@@ -427,6 +427,10 @@ print_cert_vrfy (gnutls_session_t sessio
     {
       if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
 	printf ("- Peer's certificate issuer is unknown\n");
+      if (status & GNUTLS_CERT_NOT_ACTIVATED)
+    printf ("- Peer's certificate chain uses not yet valid certificate\n");
+      if (status & GNUTLS_CERT_EXPIRED)
+    printf ("- Peer's certificate chain uses expired certificate\n");
       if (status & GNUTLS_CERT_INVALID)
 	printf ("- Peer's certificate is NOT trusted\n");
       else
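Review bot: The two added `printf` calls are indented with four spaces while the neighbouring statements in print_cert_vrfy use a tab, so the new lines do not line up with the `if` bodies around them; re-indent them to match. The messages also read awkwardly — `printf ("- Peer's certificate chain uses a not-yet-valid certificate\n");` and `printf ("- Peer's certificate chain uses an expired certificate\n");` would be clearer to users of the command-line tools. The enclosing function starts before this hunk and its `if`/`else` continues past it.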