aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--rcynic/rcynic.c23
1 files changed, 23 insertions, 0 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index ba0b7352..f1838a80 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -253,6 +253,7 @@ static const struct {
QB(malformed_roa_addressfamily, "Malformed ROA addressFamily") \
QB(malformed_tal_uri, "Malformed TAL URI") \
QB(manifest_carepository_mismatch, "Manifest caRepository mismatch") \
+ QB(manifest_interval_overruns_cert, "Manifest interval overruns certificate") \
QB(manifest_lists_missing_object, "Manifest lists missing object") \
QB(manifest_not_yet_valid, "Manifest not yet valid") \
QB(missing_resources, "Missing resources") \
@@ -3262,6 +3263,22 @@ static int check_allowed_time_encoding(ASN1_TIME *t)
return 0;
}
+/**
+ * Compare ASN1_TIME values.
+ */
+static int asn1_time_cmp(ASN1_TIME *t1, ASN1_TIME *t2)
+{
+ ASN1_GENERALIZEDTIME *g1 = ASN1_TIME_to_generalizedtime(t1, NULL);
+ ASN1_GENERALIZEDTIME *g2 = ASN1_TIME_to_generalizedtime(t2, NULL);
+
+ int cmp = ASN1_STRING_cmp(g1, g2);
+
+ ASN1_GENERALIZEDTIME_free(g1);
+ ASN1_GENERALIZEDTIME_free(g2);
+
+ return cmp;
+}
+
/**
@@ -4313,6 +4330,12 @@ static Manifest *check_manifest_1(rcynic_ctx_t *rc,
goto done;
}
+ if (asn1_time_cmp(manifest->thisUpdate, X509_get_notBefore(x)) < 0 ||
+ asn1_time_cmp(manifest->nextUpdate, X509_get_notAfter(x)) > 0) {
+ log_validation_status(rc, uri, manifest_interval_overruns_cert, generation);
+ goto done;
+ }
+
if (ASN1_INTEGER_cmp(manifest->manifestNumber, asn1_zero) < 0 ||
ASN1_INTEGER_cmp(manifest->manifestNumber, asn1_twenty_octets) > 0) {
log_validation_status(rc, uri, bad_manifest_number, generation);