unsigned char *ip; /* If not NULL IP address to match */
size_t iplen; /* Length of IP address */
};
+
+int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
#include <openssl/lhash.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
{
X509_NAME *xn;
X509_OBJECT obj, *pobj;
int i, ok, idx, ret;
+ *issuer = NULL;
xn=X509_get_issuer_name(x);
ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
if (ok != X509_LU_X509)
/* If certificate matches all OK */
if (ctx->check_issued(ctx, x, obj.data.x509))
{
- *issuer = obj.data.x509;
- return 1;
+ if (x509_check_cert_time(ctx, obj.data.x509, 1))
+ {
+ *issuer = obj.data.x509;
+ return 1;
+ }
}
X509_OBJECT_free_contents(&obj);
if (ctx->check_issued(ctx, x, pobj->data.x509))
{
*issuer = pobj->data.x509;
- X509_OBJECT_up_ref_count(pobj);
ret = 1;
- break;
+ /*
+ * If times check, exit with match,
+ * otherwise keep looking. Leave last
+ * match in issuer so we return nearest
+ * match if no certificate time is OK.
+ */
+
+ if (x509_check_cert_time(ctx, *issuer, 1))
+ break;
}
}
}
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+ if (*issuer)
+ CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
return ret;
}
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
{
int i;
- X509 *issuer;
+ X509 *issuer, *rv = NULL;;
for (i = 0; i < sk_X509_num(sk); i++)
{
issuer = sk_X509_value(sk, i);
if (ctx->check_issued(ctx, x, issuer))
- return issuer;
+ {
+ rv = issuer;
+ if (x509_check_cert_time(ctx, rv, 1))
+ break;
+ }
}
- return NULL;
+ return rv;
}
/* Given a possible certificate and issuer check them */
return 1;
}
-static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
{
time_t *ptime;
int i;
i=X509_cmp_time(X509_get_notBefore(x), ptime);
if (i == 0)
{
+ if (quiet)
+ return 0;
ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
if (i > 0)
{
+ if (quiet)
+ return 0;
ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
i=X509_cmp_time(X509_get_notAfter(x), ptime);
if (i == 0)
{
+ if (quiet)
+ return 0;
ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
if (i < 0)
{
+ if (quiet)
+ return 0;
ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
ctx->current_cert=x;
if (!ctx->verify_cb(0, ctx))
xs->valid = 1;
check_cert:
- ok = check_cert_time(ctx, xs);
+ ok = x509_check_cert_time(ctx, xs, 0);
if (!ok)
goto end;