x509_vfy.c: Restore rejection of expired trusted (root) certificate
author Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Tue, 1 Dec 2020 13:22:16 +0000 (14:22 +0100)
committer Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Thu, 3 Dec 2020 14:11:41 +0000 (15:11 +0100)
commit 315c47e00bb953abe8892a3c1272289330b29d23
tree 06306f2d8657241da73abccdb91873cbd2381916
parent 61168b5b8dde03f3b77ddf5e4b1b81c338c01746
x509_vfy.c: Restore rejection of expired trusted (root) certificate

The certificate path validation procedure specified in RFC 5280 does not
include checking the validity period of the trusted (root) certificate.
Still it is common good practice to perform this check.
Also OpenSSL did this until version 1.1.1h, yet
commit e2590c3a162eb118c36b09c2168164283aa099b4 accidentally killed it.

The current commit restores the previous behavior.
It also removes the cause of that bug, namely counter-intuitive design
of the internal function check_issued(), which was complicated by checks
that actually belong to some other internal function, namely find_issuer().

Moreover, this commit adds a regression check and proper documentation of
the root cert validity period check feature, which had been missing so far.

Fixes #13471

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13585)
CHANGES
crypto/x509/x509_cmp.c
crypto/x509/x509_vfy.c
doc/man1/verify.pod
doc/man3/X509_STORE_set_verify_cb_func.pod
test/certs/root-expired.pem [new file with mode: 0644]
test/certs/setup.sh
test/recipes/25-test_verify.t