[crypto] Allow an error margin on X.509 certificate validity periods
iPXE has no concept of the local time zone, mainly because there is no
viable way to obtain time zone information in the absence of local
state.  This causes potential problems with newly-issued certificates
and certificates that are about to expire.

Avoid such problems by allowing an error margin of around 12 hours on
certificate validity periods, similar to the error margin already
allowed for OCSP response timestamps.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
mcb30 committed Jun 20, 2012
1 parent c094240 commit 4010890
Showing 4 changed files with 12 additions and 12 deletions.
4 changes: 2 additions & 2 deletions src/crypto/ocsp.c
Expand Up @@ -794,12 +794,12 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
/* Check OCSP response is valid at the specified time
* (allowing for some margin of error).
*/
if ( response->this_update > ( time + OCSP_ERROR_MARGIN_TIME ) ) {
if ( response->this_update > ( time + X509_ERROR_MARGIN_TIME ) ) {
DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
"time %lld)\n", ocsp, ocsp->cert->subject.name, time );
return -EACCES_STALE;
}
if ( response->next_update < ( time - OCSP_ERROR_MARGIN_TIME ) ) {
if ( response->next_update < ( time - X509_ERROR_MARGIN_TIME ) ) {
DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
"%lld)\n", ocsp, ocsp->cert->subject.name, time );
return -EACCES_STALE;
4 changes: 2 additions & 2 deletions src/crypto/x509.c
Expand Up @@ -1264,12 +1264,12 @@ int x509_check_time ( struct x509_certificate *cert, time_t time ) {
struct x509_validity *validity = &cert->validity;

/* Check validity period */
if ( time < validity->not_before.time ) {
if ( validity->not_before.time > ( time + X509_ERROR_MARGIN_TIME ) ) {
DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
cert, cert->subject.name, time );
return -EACCES_EXPIRED;
}
if ( time > validity->not_after.time ) {
if ( validity->not_after.time < ( time - X509_ERROR_MARGIN_TIME ) ) {
DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
cert, cert->subject.name, time );
return -EACCES_EXPIRED;
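Review bot: The comment `/* Check validity period */` above the two rewritten comparisons no longer describes what they do: both checks now accept a certificate up to X509_ERROR_MARGIN_TIME (12 hours 30 minutes) outside its stated validity period, and the relaxation deserves to be stated next to the code the way ocsp_validate does with its "allowing for some margin of error" wording. Suggest `/* Check validity period (allowing for some margin of error) */`. Because not_after is now compared against `time - X509_ERROR_MARGIN_TIME`, a certificate keeps being accepted for roughly 12.5 hours after its notAfter, so the function's doc comment (outside this hunk) should tell callers that the check is lenient rather than strict. x509_check_time's body begins before and continues after the hunk.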
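--- a/src/include/ipxe/ocsp.h
+++ b/src/include/ipxe/ocsp.h
@@ -28,14 +28,6 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #define OCSP_STATUS_SIG_REQUIRED 0x05
 #define OCSP_STATUS_UNAUTHORIZED 0x06
 
-/** Margin of error allowed in OCSP response times
-*
-* We allow a generous margin of error: 12 hours to allow for the
-* local time zone being non-GMT, plus 30 minutes to allow for general
-* clock drift.
-*/
-#define OCSP_ERROR_MARGIN_TIME ( ( 12 * 60 + 30 ) * 60 )
-
 /** An OCSP request */
 struct ocsp_request {
 /** Request builder */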
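--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -42,6 +42,14 @@ struct x509_validity {
 struct x509_time not_after;
 };
 
+/** Margin of error allowed in X.509 response times
+*
+* We allow a generous margin of error: 12 hours to allow for the
+* local time zone being non-GMT, plus 30 minutes to allow for general
+* clock drift.
+*/
+#define X509_ERROR_MARGIN_TIME ( ( 12 * 60 + 30 ) * 60 )
+
 /** An X.509 certificate public key */
 struct x509_public_key {
 /** Raw public key information */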
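Review bot: The doc comment on the new X509_ERROR_MARGIN_TIME macro reads "Margin of error allowed in X.509 response times", which is the OCSP wording carried over from the definition this commit removes from ocsp.h; X.509 certificates have validity periods, not response times, and the macro is now used by both x509_check_time and ocsp_validate. Suggest `/** Margin of error allowed in X.509 certificate validity periods and OCSP response times`. Since the same constant is now applied on both sides of a certificate's notBefore/notAfter window, it would also help to say in the comment body that the margin extends acceptance past expiry as well as before the start of validity, so that anyone tuning the value sees the security trade-off.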
