aboutsummaryrefslogtreecommitdiffstats
path: root/src/x509stor.cpp
diff options
context:
space:
mode:
authorlloyd <[email protected]>2008-04-29 17:02:00 +0000
committerlloyd <[email protected]>2008-04-29 17:02:00 +0000
commit0adb72d5264bcf3b84cf4d7385b6c8922d824a1e (patch)
tree3acacb3388b16db8ffbad0708a3e73b71228e5c3 /src/x509stor.cpp
parent271c16e52014d20e347167c1d43ddeae0707c19b (diff)
Instead of reading from the Config object every time to get the slack we
should allow when checking timestamps, just call it once and store the value in the X509_Store object, passing it to validity_check with a new argument for the allowed time slack.
Diffstat (limited to 'src/x509stor.cpp')
-rw-r--r--src/x509stor.cpp34
1 files changed, 19 insertions, 15 deletions
diff --git a/src/x509stor.cpp b/src/x509stor.cpp
index e1b498590..834fe526b 100644
--- a/src/x509stor.cpp
+++ b/src/x509stor.cpp
@@ -21,16 +21,13 @@ namespace {
* Do a validity check *
*************************************************/
s32bit validity_check(const X509_Time& start, const X509_Time& end,
- u64bit current_time)
+ u64bit current_time, u32bit slack)
{
- const u32bit ALLOWABLE_SLIP =
- global_config().option_as_time("x509/validity_slack");
-
const s32bit NOT_YET_VALID = -1, VALID_TIME = 0, EXPIRED = 1;
- if(start.cmp(current_time + ALLOWABLE_SLIP) > 0)
+ if(start.cmp(current_time + slack) > 0)
return NOT_YET_VALID;
- if(end.cmp(current_time - ALLOWABLE_SLIP) < 0)
+ if(end.cmp(current_time - slack) < 0)
return EXPIRED;
return VALID_TIME;
}
@@ -174,18 +171,20 @@ bool X509_Store::CRL_Data::operator<(const X509_Store::CRL_Data& other) const
X509_Store::X509_Store()
{
revoked_info_valid = true;
+ time_slack = global_config().option_as_time("x509/validity_slack");
}
/*************************************************
* X509_Store Copy Constructor *
*************************************************/
-X509_Store::X509_Store(const X509_Store& store)
+X509_Store::X509_Store(const X509_Store& other)
{
- certs = store.certs;
- revoked = store.revoked;
- revoked_info_valid = store.revoked_info_valid;
- for(u32bit j = 0; j != store.stores.size(); ++j)
- stores[j] = store.stores[j]->clone();
+ certs = other.certs;
+ revoked = other.revoked;
+ revoked_info_valid = other.revoked_info_valid;
+ for(u32bit j = 0; j != other.stores.size(); ++j)
+ stores[j] = other.stores[j]->clone();
+ time_slack = other.time_slack;
}
/*************************************************
@@ -213,7 +212,7 @@ X509_Code X509_Store::validate_cert(const X509_Certificate& cert,
const u64bit current_time = system_time();
s32bit time_check = validity_check(cert.start_time(), cert.end_time(),
- current_time);
+ current_time, time_slack);
if(time_check < 0) return CERT_NOT_YET_VALID;
else if(time_check > 0) return CERT_HAS_EXPIRED;
@@ -227,8 +226,12 @@ X509_Code X509_Store::validate_cert(const X509_Certificate& cert,
for(u32bit j = 0; j != indexes.size() - 1; ++j)
{
const X509_Certificate& current_cert = certs[indexes[j]].cert;
+
time_check = validity_check(current_cert.start_time(),
- current_cert.end_time(), current_time);
+ current_cert.end_time(),
+ current_time,
+ time_slack);
+
if(time_check < 0) return CERT_NOT_YET_VALID;
else if(time_check > 0) return CERT_HAS_EXPIRED;
@@ -557,7 +560,8 @@ void X509_Store::add_trusted_certs(DataSource& source)
X509_Code X509_Store::add_crl(const X509_CRL& crl)
{
s32bit time_check = validity_check(crl.this_update(), crl.next_update(),
- system_time());
+ system_time(), time_slack);
+
if(time_check < 0) return CRL_NOT_YET_VALID;
else if(time_check > 0) return CRL_HAS_EXPIRED;