Simplify x509 time checking #28987
Closed
Simplify x509 time checking #28987
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bob-beck
force-pushed
the
time_t-considered-harmful
branch
from
1a37822 to
e5a0687
Compare
bob-beck
force-pushed
the
time_t-considered-harmful
branch
2 times, most recently
from
a77b1c4 to
bd81a6e
Compare
paulidale
previously approved these changes
Oct 26, 2025
paulidale
added
branch: master
Sashan
previously approved these changes
Oct 27, 2025
Contributor
Sashan
left a comment
Sashan
left a comment
There was a problem hiding this comment.
looks good to me as far as I can tell.
Sashan
added
approval: done
FdaSilvaYY
reviewed
Oct 27, 2025
FdaSilvaYY
reviewed
Oct 27, 2025
Contributor
nhorman
requested changes
Oct 29, 2025
Contributor
nhorman
left a comment
nhorman
left a comment
There was a problem hiding this comment.
see comment above, building for 32 bit platforms (specifically with a 32 bit time_t), the x509_test_internal tests still fail.
Collaborator
|
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually. |
nhorman
added
approval: review pending
Contributor
Author
I think this should now work on those, I was still using ASN1_TIME_adj() in the internal test which is time_t dependent. |
Contributor
|
sorry, no dice. building at commit 64af80f for linux-x86: |
bob-beck
force-pushed
the
time_t-considered-harmful
branch
from
7d7a422 to
e92b08e
Compare
Contributor
Author
Bah, I'm an idiot, I was using X509_VERIFY_PARAM_set_time(...) to set the test verification time in the test, Now fixed. And rebased because this was becoming unwieldy. |
This changes x509 verification to use int64 values of epoch seconds internally instead of time_t. While time values from a system will still come from/to a platform dependant time_t which could be range constrained, we can simplify this to convert the certificate time to a posix time and then just do a normal comparison of the int64_t values. This removes the need to do further computation to compare values which potentially do not cover the range of certificate times, and makes the internal functions a bit more readable. This also modifies the tests to ensure the full range of times are tested, without depending on time_t, and adds tests for checking CRL expiry, which were lacking before.
bob-beck
force-pushed
the
time_t-considered-harmful
branch
from
e92b08e to
d355f59
Compare
2 tasks
nhorman
previously approved these changes
Oct 31, 2025
Contributor
nhorman
left a comment
nhorman
left a comment
There was a problem hiding this comment.
works on x86 now, thanks!
t8m
requested changes
Nov 10, 2025
paulidale
requested changes
Nov 11, 2025
nhorman
approved these changes
Nov 13, 2025
paulidale
approved these changes
Nov 13, 2025
paulidale
added
approval: done
t8m
approved these changes
Nov 13, 2025
openssl-machine
added
approval: ready to merge
Collaborator
|
This pull request is ready to merge |
Member
|
Merged to the master branch. Thank you. |
openssl-machine
pushed a commit
that referenced
this pull request
Nov 14, 2025
This changes x509 verification to use int64 values of epoch seconds internally instead of time_t. While time values from a system will still come from/to a platform dependant time_t which could be range constrained, we can simplify this to convert the certificate time to a posix time and then just do a normal comparison of the int64_t values. This removes the need to do further computation to compare values which potentially do not cover the range of certificate times, and makes the internal functions a bit more readable. This also modifies the tests to ensure the full range of times are tested, without depending on time_t, and adds tests for checking CRL expiry, which were lacking before. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #28987)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This changes x509 verification to use int64 values of epoch seconds internally instead of time_t. While time values from a system will still come from/to a platform dependant time_t which could be range constrained, we can simplify this to convert the certificate time to a posix time and then just do a normal comparison of the int64_t values. This removes the need to do further computation to compare values which potentially do not cover the range of certificate times, and makes the internal functions a bit more readable.
This also modifies the tests to ensure the full range of times are tested, without depending on time_t, and adds tests for checking CRL expiry, which were lacking before.
Fixes: 1694
Fixes: #29021
Checklist