Reject certificates with times not in UTC
This commit is contained in:
parent
0776a43788
commit
9655e4597a
2 changed files with 3 additions and 2 deletions
|
@ -17,6 +17,7 @@ Changes
|
|||
* pk_verify() now returns a specific error code when the signature is valid
|
||||
but shorter than the supplied length.
|
||||
* Use UTC time to check certificate validity.
|
||||
* Reject certificates with times not in UTC, per RFC 5280.
|
||||
|
||||
Security
|
||||
* Avoid potential timing leak in ecdsa_sign() by blinding modular division.
|
||||
|
|
|
@ -274,7 +274,7 @@ int x509_get_time( unsigned char **p, const unsigned char *end,
|
|||
memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
|
||||
len : sizeof( date ) - 1 );
|
||||
|
||||
if( sscanf( date, "%2d%2d%2d%2d%2d%2d",
|
||||
if( sscanf( date, "%2d%2d%2d%2d%2d%2dZ",
|
||||
&time->year, &time->mon, &time->day,
|
||||
&time->hour, &time->min, &time->sec ) < 5 )
|
||||
return( POLARSSL_ERR_X509_INVALID_DATE );
|
||||
|
@ -298,7 +298,7 @@ int x509_get_time( unsigned char **p, const unsigned char *end,
|
|||
memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
|
||||
len : sizeof( date ) - 1 );
|
||||
|
||||
if( sscanf( date, "%4d%2d%2d%2d%2d%2d",
|
||||
if( sscanf( date, "%4d%2d%2d%2d%2d%2dZ",
|
||||
&time->year, &time->mon, &time->day,
|
||||
&time->hour, &time->min, &time->sec ) < 5 )
|
||||
return( POLARSSL_ERR_X509_INVALID_DATE );
|
||||
|
|
Loading…
Reference in a new issue