From 52a3d591b59351b308b574fe19c84fdf6f57c971 Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Mon, 10 Jul 2023 09:10:52 +1000
Subject: [PATCH] Fix check of date to respect VERIFY_SKIP_DATE in ASN.1 template

DecodeCertInternal was not recognizing VERIFY_SKIP_DATE.
---
 tests/api.c | 3 ++-
 wolfcrypt/src/asn.c | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/tests/api.c b/tests/api.c
index 527cfc3c5..a9bbcf8bc 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -2037,7 +2037,8 @@ static int test_wolfSSL_CertManagerLoadCABuffer_ex(void)
 #elif defined(NO_RSA)
 ExpectIntEQ(ret, ASN_UNKNOWN_OID_E);
 #elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && \
- !defined(NO_ASN_TIME)
+ !defined(NO_ASN_TIME) && defined(WOLFSSL_TRUST_PEER_CERT) && \
+ defined(OPENSSL_COMPATIBLE_DEFAULTS)
 ExpectIntEQ(ret, ASN_AFTER_DATE_E);
 #else
 ExpectIntEQ(ret, WOLFSSL_SUCCESS);
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 30424cf72..7231f0e58 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -20818,7 +20818,8 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
 i = (dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTB_UTC].tag != 0)
 ? X509CERTASN_IDX_TBS_VALIDITY_NOTB_UTC
 : X509CERTASN_IDX_TBS_VALIDITY_NOTB_GT;
- if ((CheckDate(&dataASN[i], BEFORE) < 0) && verify) {
+ if ((CheckDate(&dataASN[i], BEFORE) < 0) && (verify != NO_VERIFY) &&
+ (verify != VERIFY_SKIP_DATE)) {
 badDate = ASN_BEFORE_DATE_E;
 }
 /* Store reference to BEFOREdate. */
@@ -20829,7 +20830,8 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
 i = (dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTA_UTC].tag != 0)
 ? X509CERTASN_IDX_TBS_VALIDITY_NOTA_UTC
 : X509CERTASN_IDX_TBS_VALIDITY_NOTA_GT;
- if ((CheckDate(&dataASN[i], AFTER) < 0) && verify) {
+ if ((CheckDate(&dataASN[i], AFTER) < 0) && (verify != NO_VERIFY) &&
+ (verify != VERIFY_SKIP_DATE)) {
 badDate = ASN_AFTER_DATE_E;
 }
 /* Store reference to AFTER date. */
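Review bot: The widened `#elif` in test_wolfSSL_CertManagerLoadCABuffer_ex expects ASN_AFTER_DATE_E only when WOLFSSL_TRUST_PEER_CERT and OPENSSL_COMPATIBLE_DEFAULTS are both defined, and nothing in the hunk says why those two macros decide whether the date is enforced. A one-line comment above the condition naming the load path that still checks dates would make the coupling reviewable. Every other build now falls through to the `#else` branch and asserts WOLFSSL_SUCCESS for what appears, from the ASN_AFTER_DATE_E expectation, to be an expired certificate. A companion assertion that an expired certificate is still rejected under an ordinary verify setting would catch the date skip being widened by accident. The test function's body starts and ends outside the hunk.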
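Review bot: The notBefore check at -20818 treats any negative CheckDate() result as a validity-period failure, so with the new condition a VERIFY_SKIP_DATE caller discards every CheckDate error, not only "not yet valid"; the notAfter hunk at -20829 has the same shape. CheckDate is outside these hunks; if it can also fail for a malformed or wrongly sized time field, that failure should presumably still be reported when only the date comparison is meant to be skipped, which is worth confirming before merging. The repeated predicate could be computed once, e.g. `int checkDate = (verify != NO_VERIFY) && (verify != VERIFY_SKIP_DATE);`, with a comment stating that VERIFY_SKIP_DATE accepts certificates outside their validity period. DecodeCertInternal's body starts and ends outside both hunks.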