author | Rob Austein <sra@hactrn.net> | 2013-11-07 01:55:17 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2013-11-07 01:55:17 +0000 |
commit | 38492fe646c10dcfba5f8ce6356438cfcbb8699e (patch) | |
tree | f999c37e787a6395abac887b7498371cc07a1ad0 /rcynic/rcynic.c | |
parent | 53c89bbe26005845b25e65bcda96136ffb116650 (diff) |
Check manifest validity dates against its EE certificate. Fixes #651.
svn path=/trunk/; revision=5587
Diffstat (limited to 'rcynic/rcynic.c')
-rw-r--r-- | rcynic/rcynic.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index ba0b7352..f1838a80 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -253,6 +253,7 @@ static const struct {
 QB(malformed_roa_addressfamily, "Malformed ROA addressFamily") \
 QB(malformed_tal_uri, "Malformed TAL URI") \
 QB(manifest_carepository_mismatch, "Manifest caRepository mismatch") \
+ QB(manifest_interval_overruns_cert, "Manifest interval overruns certificate") \
 QB(manifest_lists_missing_object, "Manifest lists missing object") \
 QB(manifest_not_yet_valid, "Manifest not yet valid") \
 QB(missing_resources, "Missing resources") \
@@ -3262,6 +3263,22 @@ static int check_allowed_time_encoding(ASN1_TIME *t)
 return 0;
 }
+/**
+ * Compare ASN1_TIME values.
+ */
+static int asn1_time_cmp(ASN1_TIME *t1, ASN1_TIME *t2)
+{
+ ASN1_GENERALIZEDTIME *g1 = ASN1_TIME_to_generalizedtime(t1, NULL);
+ ASN1_GENERALIZEDTIME *g2 = ASN1_TIME_to_generalizedtime(t2, NULL);
+
+ int cmp = ASN1_STRING_cmp(g1, g2);
+
+ ASN1_GENERALIZEDTIME_free(g1);
+ ASN1_GENERALIZEDTIME_free(g2);
+
+ return cmp;
+}
+
 /**
@@ -4313,6 +4330,12 @@ static Manifest *check_manifest_1(rcynic_ctx_t *rc,
 goto done;
 }
+ if (asn1_time_cmp(manifest->thisUpdate, X509_get_notBefore(x)) < 0 ||
+ asn1_time_cmp(manifest->nextUpdate, X509_get_notAfter(x)) > 0) {
+ log_validation_status(rc, uri, manifest_interval_overruns_cert, generation);
+ goto done;
+ }
+
 if (ASN1_INTEGER_cmp(manifest->manifestNumber, asn1_zero) < 0 ||
 ASN1_INTEGER_cmp(manifest->manifestNumber, asn1_twenty_octets) > 0) {
 log_validation_status(rc, uri, bad_manifest_number, generation); |
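Review bot: asn1_time_cmp() in the second hunk hands the results of ASN1_TIME_to_generalizedtime() straight to ASN1_STRING_cmp() without checking them, and that conversion returns NULL when the time value is malformed or allocation fails, so a bad time field in a fetched object would be dereferenced instead of rejected. Whether thisUpdate and nextUpdate have already passed check_allowed_time_encoding() before the new call in check_manifest_1 is not visible here; if they have not, note also that ASN1_STRING_cmp() compares lengths before contents, so the result is chronological only when both times are in the same canonical form. Because the int return leaves no room for an error, one option is to deliver the comparison through an out-parameter and return success or failure, with the call site in the third hunk treating failure as a rejection.

```c
/**
 * Compare ASN1_TIME values.  Returns 1 and stores the ordering in
 * *cmp on success, 0 if either value cannot be converted.
 */
static int asn1_time_cmp(ASN1_TIME *t1, ASN1_TIME *t2, int *cmp)
{
  ASN1_GENERALIZEDTIME *g1 = ASN1_TIME_to_generalizedtime(t1, NULL);
  ASN1_GENERALIZEDTIME *g2 = ASN1_TIME_to_generalizedtime(t2, NULL);
  int ok = g1 != NULL && g2 != NULL;

  if (ok)
    *cmp = ASN1_STRING_cmp(g1, g2);

  /* ... unchanged: both ASN1_GENERALIZEDTIME_free() calls ... */

  return ok;
}
```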
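Review bot: The new interval test in check_manifest_1 carries no comment saying which rule it enforces; the status string only names the failure. A short comment above the `if` would help the next reader, for example `/* The manifest's thisUpdate..nextUpdate window must lie within the validity period of its EE certificate. */`. check_manifest_1 begins and ends outside this hunk, so where `x` is assigned and whether it can be NULL at this point cannot be confirmed from here.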