aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/cert/x509/x509path.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/cert/x509/x509path.cpp')
-rw-r--r--src/lib/cert/x509/x509path.cpp34
1 files changed, 20 insertions, 14 deletions
diff --git a/src/lib/cert/x509/x509path.cpp b/src/lib/cert/x509/x509path.cpp
index a0cae2c93..f0b07e5fc 100644
--- a/src/lib/cert/x509/x509path.cpp
+++ b/src/lib/cert/x509/x509path.cpp
@@ -77,13 +77,14 @@ std::shared_ptr<const X509_CRL> find_crls_for(const X509_Certificate& cert,
std::vector<std::set<Certificate_Status_Code>>
check_chain(const std::vector<std::shared_ptr<const X509_Certificate>>& cert_path,
const Path_Validation_Restrictions& restrictions,
- const std::vector<Certificate_Store*>& certstores)
+ const std::vector<Certificate_Store*>& certstores,
+ std::chrono::system_clock::time_point ref_time)
{
const std::set<std::string>& trusted_hashes = restrictions.trusted_hashes();
const bool self_signed_ee_cert = (cert_path.size() == 1);
- X509_Time current_time(std::chrono::system_clock::now());
+ X509_Time validation_time(ref_time);
std::vector<std::future<OCSP::Response>> ocsp_responses;
@@ -109,10 +110,10 @@ check_chain(const std::vector<std::shared_ptr<const X509_Certificate>>& cert_pat
}
// Check all certs for valid time range
- if(current_time < X509_Time(subject->start_time(), ASN1_Tag::UTC_OR_GENERALIZED_TIME))
+ if(validation_time < X509_Time(subject->start_time(), ASN1_Tag::UTC_OR_GENERALIZED_TIME))
status.insert(Certificate_Status_Code::CERT_NOT_YET_VALID);
- if(current_time > X509_Time(subject->end_time(), ASN1_Tag::UTC_OR_GENERALIZED_TIME))
+ if(validation_time > X509_Time(subject->end_time(), ASN1_Tag::UTC_OR_GENERALIZED_TIME))
status.insert(Certificate_Status_Code::CERT_HAS_EXPIRED);
// Check issuer constraints
@@ -198,10 +199,10 @@ check_chain(const std::vector<std::shared_ptr<const X509_Certificate>>& cert_pat
if(!ca->allowed_usage(CRL_SIGN))
status.insert(Certificate_Status_Code::CA_CERT_NOT_FOR_CRL_ISSUER);
- if(current_time < X509_Time(crl.this_update()))
+ if(validation_time < X509_Time(crl.this_update()))
status.insert(Certificate_Status_Code::CRL_NOT_YET_VALID);
- if(current_time > X509_Time(crl.next_update()))
+ if(validation_time > X509_Time(crl.next_update()))
status.insert(Certificate_Status_Code::CRL_HAS_EXPIRED);
if(crl.check_signature(ca->subject_public_key()) == false)
@@ -224,7 +225,8 @@ Path_Validation_Result x509_path_validate(
const Path_Validation_Restrictions& restrictions,
const std::vector<Certificate_Store*>& certstores,
const std::string& hostname,
- Usage_Type usage)
+ Usage_Type usage,
+ std::chrono::system_clock::time_point validation_time)
{
if(end_certs.empty())
throw Invalid_Argument("x509_path_validate called with no subjects");
@@ -259,7 +261,8 @@ Path_Validation_Result x509_path_validate(
cert_path.push_back(cert);
}
- std::vector<std::set<Certificate_Status_Code>> res = check_chain(cert_path, restrictions, certstores);
+ std::vector<std::set<Certificate_Status_Code>> res =
+ check_chain(cert_path, restrictions, certstores, validation_time);
if(!hostname.empty() && !cert_path[0]->matches_dns_name(hostname))
res[0].insert(Certificate_Status_Code::CERT_NAME_NOMATCH);
@@ -275,11 +278,12 @@ Path_Validation_Result x509_path_validate(
const Path_Validation_Restrictions& restrictions,
const std::vector<Certificate_Store*>& certstores,
const std::string& hostname,
- Usage_Type usage)
+ Usage_Type usage,
+ std::chrono::system_clock::time_point when)
{
std::vector<X509_Certificate> certs;
certs.push_back(end_cert);
- return x509_path_validate(certs, restrictions, certstores, hostname, usage);
+ return x509_path_validate(certs, restrictions, certstores, hostname, usage, when);
}
Path_Validation_Result x509_path_validate(
@@ -287,12 +291,13 @@ Path_Validation_Result x509_path_validate(
const Path_Validation_Restrictions& restrictions,
const Certificate_Store& store,
const std::string& hostname,
- Usage_Type usage)
+ Usage_Type usage,
+ std::chrono::system_clock::time_point when)
{
std::vector<Certificate_Store*> certstores;
certstores.push_back(const_cast<Certificate_Store*>(&store));
- return x509_path_validate(end_certs, restrictions, certstores, hostname, usage);
+ return x509_path_validate(end_certs, restrictions, certstores, hostname, usage, when);
}
Path_Validation_Result x509_path_validate(
@@ -300,7 +305,8 @@ Path_Validation_Result x509_path_validate(
const Path_Validation_Restrictions& restrictions,
const Certificate_Store& store,
const std::string& hostname,
- Usage_Type usage)
+ Usage_Type usage,
+ std::chrono::system_clock::time_point when)
{
std::vector<X509_Certificate> certs;
certs.push_back(end_cert);
@@ -308,7 +314,7 @@ Path_Validation_Result x509_path_validate(
std::vector<Certificate_Store*> certstores;
certstores.push_back(const_cast<Certificate_Store*>(&store));
- return x509_path_validate(certs, restrictions, certstores, hostname, usage);
+ return x509_path_validate(certs, restrictions, certstores, hostname, usage, when);
}
Path_Validation_Restrictions::Path_Validation_Restrictions(bool require_rev,