(xmlsec-openssl) Support cert dates before unix epoch start (#767)

lsh123 · Mar 8, 2024 · d706d58 · d706d58
1 parent 8976168
commit d706d58
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 21 deletions.
diff --git a/src/openssl/private.h b/src/openssl/private.h
@@ -79,7 +79,7 @@ X509*           xmlSecOpenSSLX509CertLoadBIO                    (BIO* bio,
 X509_CRL*       xmlSecOpenSSLX509CrlLoadBIO                     (BIO* bio,
                                                                  xmlSecKeyDataFormat format);
 
-time_t          xmlSecOpenSSLX509Asn1TimeToTime                 (const ASN1_TIME * t);
+int             xmlSecOpenSSLX509Asn1TimeToTime                 (const ASN1_TIME * t, time_t * res);
 
 
 STACK_OF(X509)*        xmlSecOpenSSLKeyDataX509GetCerts         (xmlSecKeyDataPtr data);

diff --git a/src/openssl/x509.c b/src/openssl/x509.c
@@ -1457,40 +1457,43 @@ my_timegm(struct tm *t) {
 
 #ifndef XMLSEC_OPENSSL_NO_ASN1_TIME_TO_TM
 
-time_t
-xmlSecOpenSSLX509Asn1TimeToTime(const ASN1_TIME * t) {
+int
+xmlSecOpenSSLX509Asn1TimeToTime(const ASN1_TIME * t, time_t * res) {
     struct tm tm;
     int ret;
 
-    xmlSecAssert2(t != NULL, 0);
+    xmlSecAssert2(t != NULL, -1);
+    xmlSecAssert2(res != NULL, -1);
 
     if(!ASN1_TIME_check(t)) {
         xmlSecOpenSSLError("ASN1_TIME_check", NULL);
-        return(0);
+        return(-1);
     }
 
     memset(&tm, 0, sizeof(tm));
     ret = ASN1_TIME_to_tm(t, &tm);
     if(ret != 1) {
         xmlSecOpenSSLError("ASN1_TIME_to_tm", NULL);
-        return(0);
+        return(-1);
     }
 
-    return(timegm(&tm));
+    (*res) = timegm(&tm);
+    return (0);
 }
 
 #else  /* XMLSEC_OPENSSL_NO_ASN1_TIME_TO_TM */
 
-time_t
-xmlSecOpenSSLX509Asn1TimeToTime(const ASN1_TIME * t) {
+int
+xmlSecOpenSSLX509Asn1TimeToTime(const ASN1_TIME * t, time_t * res) {
     struct tm tm;
     int offset;
 
-    xmlSecAssert2(t != NULL, 0);
+    xmlSecAssert2(t != NULL, -1);
+    xmlSecAssert2(res != NULL, -1);
 
     if(!ASN1_TIME_check(t)) {
         xmlSecOpenSSLError("ASN1_TIME_check", NULL);
-        return(0);
+        return(-1);
     }
 
     memset(&tm, 0, sizeof(tm));
@@ -1542,7 +1545,9 @@ xmlSecOpenSSLX509Asn1TimeToTime(const ASN1_TIME * t) {
         tm.tm_isdst = -1;
     }
 #undef g2
-    return(timegm(&tm) - offset * 60);
+
+    (*res) = (timegm(&tm) - offset * 60);
+    return (0);
 }
 #endif /* XMLSEC_OPENSSL_NO_ASN1_TIME_TO_TM */
 
@@ -1623,17 +1628,17 @@ xmlSecOpenSSLVerifyAndAdoptX509KeyData(xmlSecKeyPtr key, xmlSecKeyDataPtr data,
 
     /* copy cert not before / not after times from the cert */
     if(X509_get0_notBefore(ctx->keyCert) != NULL) {
-        key->notValidBefore = xmlSecOpenSSLX509Asn1TimeToTime(X509_get0_notBefore(ctx->keyCert));
-        if(key->notValidBefore <= 0) {
+        ret = xmlSecOpenSSLX509Asn1TimeToTime(X509_get0_notBefore(ctx->keyCert), &(key->notValidBefore));
+        if(ret < 0) {
             xmlSecInternalError("xmlSecOpenSSLX509Asn1TimeToTime(notValidBefore)", xmlSecKeyDataGetName(data));
             return(-1);
         }
     } else {
         key->notValidBefore = 0;
     }
     if(X509_get0_notAfter(ctx->keyCert) != NULL) {
-        key->notValidAfter = xmlSecOpenSSLX509Asn1TimeToTime(X509_get0_notAfter(ctx->keyCert));
-        if(key->notValidAfter <= 0) {
+        ret = xmlSecOpenSSLX509Asn1TimeToTime(X509_get0_notAfter(ctx->keyCert), &(key->notValidAfter));
+        if(ret < 0) {
             xmlSecInternalError("xmlSecOpenSSLX509Asn1TimeToTime(notValidAfter)", xmlSecKeyDataGetName(data));
             return(-1);
         }

diff --git a/src/openssl/x509vfy.c b/src/openssl/x509vfy.c
@@ -450,18 +450,22 @@ xmlSecOpenSSLX509StoreVerifyCertAgainstRevoked(X509 * cert, STACK_OF(X509_REVOKE
                 return(-1);
             }
             ret = X509_cmp_time(revocationDate, &tt);
-            if(ret == 0) {
+            if (ret == 0) {
                 xmlSecOpenSSLError("X509_cmp_time(revocationDate)", NULL);
                 return(-1);
             }
             /* ret = 1: asn1_time is later than time */
-            if(ret > 0) {
+            if (ret > 0) {
                 X509_NAME *issuer;
                 char issuer_name[256];
                 time_t ts;
 
                 /* revocationDate > certsVerificationTime, we are good */
-                ts = xmlSecOpenSSLX509Asn1TimeToTime(revocationDate);
+                ret = xmlSecOpenSSLX509Asn1TimeToTime(revocationDate, &ts);
+                if (ret < 0) {
+                    xmlSecInternalError("xmlSecOpenSSLX509Asn1TimeToTime", NULL);
+                    return(-1);
+                }
                 issuer = X509_get_issuer_name(cert);
                 if(issuer != NULL) {
                     X509_NAME_oneline(issuer, issuer_name, sizeof(issuer_name));
@@ -524,7 +528,12 @@ xmlSecOpenSSLX509StoreFindBestCrl(X509_NAME *cert_issuer, STACK_OF(X509_CRL) *cr
 
         if((*res) == NULL) {
             (*res) = crl;
-            resLastUpdateTime = xmlSecOpenSSLX509Asn1TimeToTime(lastUpdate);
+
+            ret = xmlSecOpenSSLX509Asn1TimeToTime(lastUpdate, &resLastUpdateTime);
+            if(ret < 0) {
+                xmlSecInternalError("xmlSecOpenSSLX509Asn1TimeToTime", NULL);
+                return(-1);
+            }
             continue;
         }
 
@@ -538,7 +547,12 @@ xmlSecOpenSSLX509StoreFindBestCrl(X509_NAME *cert_issuer, STACK_OF(X509_CRL) *cr
         if(ret > 0) {
             /* asn1_time is greater than ts (i.e. crl is newer than crl in res)*/
             (*res) = crl;
-            resLastUpdateTime = xmlSecOpenSSLX509Asn1TimeToTime(lastUpdate);
+
+            ret = xmlSecOpenSSLX509Asn1TimeToTime(lastUpdate, &resLastUpdateTime);
+            if(ret < 0) {
+                xmlSecInternalError("xmlSecOpenSSLX509Asn1TimeToTime", NULL);
+                return(-1);
+            }
             continue;
         }
     }