-rw-r--r-- | rcynic/rcynic.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index c7245f47..1e3f6414 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -225,6 +225,7 @@ static const struct {
   QB(manifest_carepository_mismatch, "Manifest caRepository mismatch") \
   QB(manifest_lists_missing_object, "Manifest lists missing object") \
   QB(manifest_not_yet_valid, "Manifest not yet valid") \
+  QB(nonconformant_asn1_time_value, "Nonconformant ASN.1 time value") \
   QB(object_rejected, "Object rejected") \
   QB(roa_contains_bad_afi_value, "ROA contains bad AFI value") \
   QB(roa_resource_not_in_ee, "ROA resource not in EE") \
@@ -2954,6 +2955,24 @@ static int check_allowed_dn(X509_NAME *dn)
   }
 }
+/**
+ * Check whether an ASN.1 TIME value conforms to RFC 5280 4.1.2.5.
+ */
+static int check_allowed_time_encoding(ASN1_TIME *t)
+{
+  switch (t->type) {
+  case V_ASN1_UTCTIME:
+    return t->length == sizeof("yymmddHHMMSSZ") - 1;
+  case V_ASN1_GENERALIZEDTIME:
+    return (t->length == sizeof("yyyymmddHHMMSSZ") - 1 &&
+            strcmp("205", (char *) t->data) <= 0);
+  }
+  return 0;
+}
+
 /**
@@ -2983,6 +3002,12 @@ static X509_CRL *check_crl_1(rcynic_ctx_t *rc,
     goto punt;
   }
+  if (!check_allowed_time_encoding(X509_CRL_get_lastUpdate(crl)) ||
+      !check_allowed_time_encoding(X509_CRL_get_nextUpdate(crl))) {
+    log_validation_status(rc, uri, nonconformant_asn1_time_value, generation);
+    goto punt;
+  }
+
   if (X509_cmp_current_time(X509_CRL_get_lastUpdate(crl)) > 0) {
     log_validation_status(rc, uri, crl_not_yet_valid, generation);
     goto punt; |
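Review bot: check_allowed_time_encoding accepts any 13-byte UTCTime and any 15-byte GeneralizedTime on length alone, so a value that lacks the trailing `Z` or contains non-digit bytes still passes the RFC 5280 4.1.2.5 conformance check that the function's comment promises, since that section requires the `Z` form with seconds in both encodings. The `strcmp("205", (char *) t->data)` comparison also depends on `t->data` being NUL-terminated, which the preceding length test does not establish; a bounded three-byte compare is equivalent and does not need the terminator. Suggested branches: `return t->length == sizeof("yymmddHHMMSSZ") - 1 && t->data[t->length - 1] == 'Z';` for UTCTime, and `return (t->length == sizeof("yyyymmddHHMMSSZ") - 1 && t->data[t->length - 1] == 'Z' && memcmp(t->data, "205", 3) >= 0);` for GeneralizedTime. The header comment would be clearer if it stated the rule being enforced, e.g. `/* RFC 5280 4.1.2.5: dates through 2049 MUST be UTCTime (YYMMDDHHMMSSZ); 2050 and later MUST be GeneralizedTime (YYYYMMDDHHMMSSZ), which is what the "205" prefix test selects. */`. The function also dereferences `t` with no NULL check, which matters for the caller added in the next hunk.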
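Review bot: `X509_CRL_get_nextUpdate(crl)` returns NULL when a CRL omits the optional nextUpdate field, and check_allowed_time_encoding dereferences its argument unconditionally, so such a CRL would crash the validator at this new check instead of being rejected. Unless presence of nextUpdate is already verified earlier in check_crl_1 (which starts and ends outside this hunk), add `!X509_CRL_get_nextUpdate(crl) ||` as the first disjunct of the new condition so the CRL is logged and punted; rejecting it is consistent with RFC 5280 5.1.2.5, which requires conforming CRL issuers to include nextUpdate. Logging it under `nonconformant_asn1_time_value` is defensible, though a dedicated status would make the failure easier to distinguish in validation reports.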