RT3951: Add X509_V_FLAG_NO_CHECK_TIME to suppress time check

In some environments, such as firmware, the current system time is entirely
meaningless. Provide a clean mechanism to suppress the checks against it.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>

diff --git a/apps/apps.h b/apps/apps.h
index 48c82e884a6aae35ce63fffc299767d55c73806e..a134b8da98995f8c9f2eab30d37626af34bed839 100644 (file)
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -179,7 +179,7 @@ void unbuffer(FILE *fp);
         OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \
         OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
         OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
-        OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, \
+        OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
         OPT_V__LAST
 
 # define OPT_V_OPTIONS \
@@ -209,7 +209,8 @@ void unbuffer(FILE *fp);
         { "suiteB_128", OPT_V_SUITEB_128, '-' }, \
         { "suiteB_192", OPT_V_SUITEB_192, '-' }, \
         { "partial_chain", OPT_V_PARTIAL_CHAIN, '-' }, \
-        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }
+        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }, \
+        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "Do not check validity against current time" }
 
 # define OPT_V_CASES \
         OPT_V__FIRST: case OPT_V__LAST: break; \
@@ -239,7 +240,8 @@ void unbuffer(FILE *fp);
         case OPT_V_SUITEB_128: \
         case OPT_V_SUITEB_192: \
         case OPT_V_PARTIAL_CHAIN: \
-        case OPT_V_NO_ALT_CHAINS
+        case OPT_V_NO_ALT_CHAINS: \
+        case OPT_V_NO_CHECK_TIME
 
 /*
  * Common "extended"? options.

diff --git a/apps/opt.c b/apps/opt.c
index bfb039e872b7d5045dbb136c3da29e132b11d6f0..c7dcc434e8b2d707c7f2dca2480676c2efe8c172 100644 (file)
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -543,6 +543,10 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
         break;
     case OPT_V_NO_ALT_CHAINS:
         X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_ALT_CHAINS);
+       break;
+    case OPT_V_NO_CHECK_TIME:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);
+       break;
     }
     return 1;
 

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 6169db1e1c0d895fd8efbbcdf6ae7ba1557b45db..2b2d5ada3dac27bdab848e4cf5e43ab48a5162e0 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -957,6 +957,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
         ctx->current_crl = crl;
     if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
         ptime = &ctx->param->check_time;
+    else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
+        return 1;
     else
         ptime = NULL;
 
@@ -1677,6 +1679,8 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
 
     if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
         ptime = &ctx->param->check_time;
+    else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
+        return 1;
     else
         ptime = NULL;
 

diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
index ec91d5dced81349fde31c644e49067223789d206..166e316a1e3224384d7e3cab8cc4fb5c3a9bddef 100644 (file)
--- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -203,6 +203,10 @@ chain found is not trusted, then OpenSSL will continue to check to see if an
 alternative chain can be found that is trusted. With this flag set the behaviour
 will match that of OpenSSL versions prior to 1.1.0.
 
+The B<X509_V_FLAG_NO_CHECK_TIME> flag suppresses checking the validity period
+of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time()
+is used to specify a verification time, the check is not suppressed.
+
 =head1 NOTES
 
 The above functions should be used to manipulate verification parameters

diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index 8e0a2254009518f1e2de38d5f6e8bc137768fdfa..c78ba982326a1ebda2abb625041c1958f0e96420 100644 (file)
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -407,6 +407,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
  * will force the behaviour to match that of previous versions.
  */
 # define X509_V_FLAG_NO_ALT_CHAINS               0x100000
+/* Do not check certificate/CRL validity against current time */
+# define X509_V_FLAG_NO_CHECK_TIME               0x200000
 
 # define X509_VP_FLAG_DEFAULT                    0x1
 # define X509_VP_FLAG_OVERWRITE                  0x2