I figured out a problem with the algorithm that checks the validity times of certificates. I got a certificate with the following UTCTime format:
As you can see, the format is YYMMDDHHmmZ. This possibility seems not to be considered in the x509.c mbedtls_x509_get_time() function, as it only checks if the length of the timestamp is > 10 and then tries to parse it as seconds.
Same (but not tested) on GeneralizedTime Format.
ARM Internal Ref: IOTSSL-806
Fix problem with omitted seconds in validity dates
I think it can be done more beautifully, but this fixes #499, so just take it as a hint.
The RFC on X.509/CRLs (https://tools.ietf.org/html/rfc5280#section-126.96.36.199) explicitly demands the use of seconds (MUST) for certificates and CRLs.
So please let us know if you see another reason that makes you think the current implementation is wrong. We will consider this issue closed.
For the purposes of this profile, UTCTime values MUST be expressed in
Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are
YYMMDDHHMMSSZ), even where the number of seconds is zero. Conforming
systems MUST interpret the year field (YY) as follows:
For the purposes of this profile, GeneralizedTime values MUST be
expressed in Greenwich Mean Time (Zulu) and MUST include seconds
(i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds
is zero. GeneralizedTime values MUST NOT include fractional seconds.
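The strictness discussed in this thread can be shown with a small parser that accepts only the two RFC 5280 forms and reports a timestamp without seconds as a length error instead of reading past it. This is an added example, not code from mbed TLS or from the thread; the type, enum and function names are hypothetical, and the two-digit year rule (50..99 is 19YY, 00..49 is 20YY) is taken from RFC 5280.

```c
#include <stddef.h>

/* Hypothetical names for this example; not the mbed TLS API. */
typedef struct { int year, mon, day, hour, min, sec; } x509_time_t;
enum { TIME_OK = 0, TIME_ERR_LENGTH = -1, TIME_ERR_FORMAT = -2, TIME_ERR_RANGE = -3 };

/* Read exactly n ASCII digits at *p and advance; -1 on a non-digit. */
static int read_digits(const char **p, int n)
{
    int v = 0;
    while (n-- > 0) {
        if (**p < '0' || **p > '9') return -1;
        v = v * 10 + (*(*p)++ - '0');
    }
    return v;
}

/* Strict RFC 5280 parse: UTCTime must be YYMMDDHHMMSSZ (13 bytes),
 * GeneralizedTime must be YYYYMMDDHHMMSSZ (15 bytes). */
int parse_x509_time(const char *s, size_t len, int generalized, x509_time_t *t)
{
    static const int mdays[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    const char *p = s;
    int leap;

    /* Omitted seconds (YYMMDDHHmmZ, 11 bytes) and fractional seconds fail here. */
    if (len != (generalized ? 15u : 13u)) return TIME_ERR_LENGTH;
    if (s[len - 1] != 'Z') return TIME_ERR_FORMAT;

    t->year = read_digits(&p, generalized ? 4 : 2);
    t->mon  = read_digits(&p, 2);
    t->day  = read_digits(&p, 2);
    t->hour = read_digits(&p, 2);
    t->min  = read_digits(&p, 2);
    t->sec  = read_digits(&p, 2);
    if (t->year < 0 || t->mon < 0 || t->day < 0 ||
        t->hour < 0 || t->min < 0 || t->sec < 0) return TIME_ERR_FORMAT;

    /* RFC 5280: two-digit years 50..99 mean 19YY, 00..49 mean 20YY. */
    if (!generalized) t->year += (t->year >= 50) ? 1900 : 2000;
    leap = (t->year % 4 == 0 && t->year % 100 != 0) || t->year % 400 == 0;
    if (t->mon < 1 || t->mon > 12 || t->hour > 23 || t->min > 59 || t->sec > 59)
        return TIME_ERR_RANGE;
    if (t->day < 1 || t->day > mdays[t->mon - 1] + (t->mon == 2 && leap))
        return TIME_ERR_RANGE;
    return TIME_OK;
}
```

Checking the exact length before reading any field is what keeps a short value such as a constructed `1601011200Z` from having its trailing `Z` consumed as part of the seconds field.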