sysadmin/ipxe
1
0
Fork 0
mirror of https://github.com/ipxe/ipxe synced 2026-01-01 09:09:32 +03:00
Code Issues Packages Projects Releases Wiki Activity

[crypto] Allow an error margin on X.509 certificate validity periods

Browse Source 
iPXE has no concept of the local time zone, mainly because there is no
viable way to obtain time zone information in the absence of local
state.  This causes potential problems with newly-issued certificates
and certificates that are about to expire.

Avoid such problems by allowing an error margin of around 12 hours on
certificate validity periods, similar to the error margin already
allowed for OCSP response timestamps.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
Michael Brown
2012-06-20 12:15:42 +01:00
parent c0942408b7
commit 4010890a39
4 changed files with 12 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/crypto/x509.c
View File

@@ -1264,12 +1264,12 @@ int x509_check_time ( struct x509_certificate *cert, time_t time ) {
struct x509_validity *validity = &cert->validity;
/* Check validity period */
if ( time < validity->not_before.time ) {
if ( validity->not_before.time > ( time + X509_ERROR_MARGIN_TIME ) ) {
DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
cert, cert->subject.name, time );
return -EACCES_EXPIRED;
}
if ( time > validity->not_after.time ) {
if ( validity->not_after.time < ( time - X509_ERROR_MARGIN_TIME ) ) {
DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
cert, cert->subject.name, time );
return -EACCES_EXPIRED;