projects / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 902161e) | patch
x509_vfy.c: Restore rejection of expired trusted (root) certificate
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Tue, 1 Dec 2020 13:22:16 +0000 (14:22 +0100)
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>
Thu, 3 Dec 2020 13:06:49 +0000 (14:06 +0100)
commit3bed88a3970605a2ff817065f93b08e965d89e5f
treee7d169ec545cbee70c5043ec2a5bc7f62233706btree | snapshot
parent902161e8ec7b81849f6dc4d449e17fcaee2d49b1commit | diff
x509_vfy.c: Restore rejection of expired trusted (root) certificate

The certificate path validation procedure specified in RFC 5280 does not
include checking the validity period of the trusted (root) certificate.
Still it is common good practice to perform this check.
Also OpenSSL did this until commit 0e7b1383e, which accidentally killed it.

The current commit restores the previous behavior.
It also removes the cause of that bug, namely counter-intuitive design
of the internal function check_issued(), which was complicated by checks
that actually belong to some other internal function, namely find_issuer().

Moreover, this commit adds a regression check and proper documentation of
the root cert validity period check feature, which had been missing so far.

Fixes #13427

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13590)
crypto/x509/x509_cmp.c diff | blob | history
crypto/x509/x509_vfy.c diff | blob | history
doc/man1/openssl.pod diff | blob | history
doc/man3/X509_STORE_set_verify_cb_func.pod diff | blob | history
test/certs/root-expired.pem [new file with mode: 0644] blob
test/certs/setup.sh diff | blob | history
test/recipes/25-test_verify.t diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.