diff options
| author | Michael Brown | 2012-06-20 13:15:42 +0200 |
|---|---|---|
| committer | Michael Brown | 2012-06-20 13:15:42 +0200 |
| commit | 4010890a3940433927f34f71417719167ad58275 (patch) | |
| tree | fbfaf3e01cb49b0cc2bd437fb417998ba6e98346 /src/crypto | |
| parent | [dhcp] Request broadcast responses when we already have an IPv4 address (diff) | |
| download | ipxe-4010890a3940433927f34f71417719167ad58275.tar.gz ipxe-4010890a3940433927f34f71417719167ad58275.tar.xz ipxe-4010890a3940433927f34f71417719167ad58275.zip | |
[crypto] Allow an error margin on X.509 certificate validity periods
iPXE has no concept of the local time zone, mainly because there is no
viable way to obtain time zone information in the absence of local
state. This causes potential problems with newly-issued certificates
and certificates that are about to expire.
Avoid such problems by allowing an error margin of around 12 hours on
certificate validity periods, similar to the error margin already
allowed for OCSP response timestamps.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/crypto')
| -rw-r--r-- | src/crypto/ocsp.c | 4 | ||||
| -rw-r--r-- | src/crypto/x509.c | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c index f5d03dc6..ab75dea3 100644 --- a/src/crypto/ocsp.c +++ b/src/crypto/ocsp.c @@ -794,12 +794,12 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) { /* Check OCSP response is valid at the specified time * (allowing for some margin of error). */ - if ( response->this_update > ( time + OCSP_ERROR_MARGIN_TIME ) ) { + if ( response->this_update > ( time + X509_ERROR_MARGIN_TIME ) ) { DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at " "time %lld)\n", ocsp, ocsp->cert->subject.name, time ); return -EACCES_STALE; } - if ( response->next_update < ( time - OCSP_ERROR_MARGIN_TIME ) ) { + if ( response->next_update < ( time - X509_ERROR_MARGIN_TIME ) ) { DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time " "%lld)\n", ocsp, ocsp->cert->subject.name, time ); return -EACCES_STALE; diff --git a/src/crypto/x509.c b/src/crypto/x509.c index 1a27eb24..a99f6ab9 100644 --- a/src/crypto/x509.c +++ b/src/crypto/x509.c @@ -1264,12 +1264,12 @@ int x509_check_time ( struct x509_certificate *cert, time_t time ) { struct x509_validity *validity = &cert->validity; /* Check validity period */ - if ( time < validity->not_before.time ) { + if ( validity->not_before.time > ( time + X509_ERROR_MARGIN_TIME ) ) { DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n", cert, cert->subject.name, time ); return -EACCES_EXPIRED; } - if ( time > validity->not_after.time ) { + if ( validity->not_after.time < ( time - X509_ERROR_MARGIN_TIME ) ) { DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n", cert, cert->subject.name, time ); return -EACCES_EXPIRED; |