TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 243d61894caed8938c6a13d2b666e6df28a98c18^! / .
commit243d61894caed8938c6a13d2b666e6df28a98c18[log] [tgz]
authorPaul Bakker <p.j.bakker@polarssl.org>Tue Jul 08 14:40:58 2014 +0200
committerPaul Bakker <p.j.bakker@polarssl.org>Tue Jul 08 14:40:58 2014 +0200
treea6e791a53e5d6007ea8342ec13bb399dd2b0a4be
parentf48de9579f562bd28fefb60925321eda9bc58530 [diff]
Reject certificates with times not in UTC

diff --git a/ChangeLog b/ChangeLog
index 8c064ad..e24494a 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -11,6 +11,7 @@
      that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
    * Improvements to tests/Makefile, contributed by Oden Eriksson.
    * Use UTC time to check certificate validity.
+   * Reject certificates with times not in UTC, per RFC 5280.
 
 Security
    * Forbid change of server certificate during renegotiation to prevent

diff --git a/library/x509parse.c b/library/x509parse.c
index f3e7831..31699b0 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c

@@ -370,7 +370,7 @@
         memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
                 len : sizeof( date ) - 1 );
 
-        if( sscanf( date, "%2d%2d%2d%2d%2d%2d",
+        if( sscanf( date, "%2d%2d%2d%2d%2d%2dZ",
                     &time->year, &time->mon, &time->day,
                     &time->hour, &time->min, &time->sec ) < 5 )
             return( POLARSSL_ERR_X509_CERT_INVALID_DATE );
@@ -394,7 +394,7 @@
         memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
                 len : sizeof( date ) - 1 );
 
-        if( sscanf( date, "%4d%2d%2d%2d%2d%2d",
+        if( sscanf( date, "%4d%2d%2d%2d%2d%2dZ",
                     &time->year, &time->mon, &time->day,
                     &time->hour, &time->min, &time->sec ) < 5 )
             return( POLARSSL_ERR_X509_CERT_INVALID_DATE );