Have time check come after root certificate check

Thinking is that if the *CA* certificate is the certificate signing the server, then they can say whatever they want. Given the propensity of firmware clocks to be off, this seems like a reasonably comfortable compromise.
ipxe · Mar 7, 2014 · 6962fae · 6962fae
1 parent ab7d5e8
commit 6962fae
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/src/config/general.h b/src/config/general.h
@@ -111,12 +111,12 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #undef	AUTOBOOT_CMD		/* Automatic booting */
 #define	NVO_CMD			/* Non-volatile option storage commands */
 #undef	CONFIG_CMD		/* Option configuration console */
-#undef	IFMGMT_CMD		/* Interface management commands */
+#define	IFMGMT_CMD		/* Interface management commands */
 #undef	IWMGMT_CMD		/* Wireless interface management commands */
 #undef FCMGMT_CMD		/* Fibre Channel management commands */
-#undef	ROUTE_CMD		/* Routing table management commands */
+#define	ROUTE_CMD		/* Routing table management commands */
 #define IMAGE_CMD		/* Image management commands */
-#undef DHCP_CMD		/* DHCP management commands */
+#define DHCP_CMD		/* DHCP management commands */
 #define SANBOOT_CMD		/* SAN boot commands */
 #undef MENU_CMD		/* Menu commands */
 #undef LOGIN_CMD		/* Login command */
@@ -125,7 +125,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #undef	LOTEST_CMD		/* Loopback testing commands */
 #undef	VLAN_CMD		/* VLAN commands */
 #undef	PXE_CMD			/* PXE commands */
-#undef	REBOOT_CMD		/* Reboot command */
+#define	REBOOT_CMD		/* Reboot command */
 #define IMAGE_TRUST_CMD	/* Image trust management commands */
 #undef  SYNC_CMD		/* Sync command */
 #undef  NSLOOKUP_CMD		/* DNS resolving command */

diff --git a/src/crypto/x509.c b/src/crypto/x509.c
@@ -1310,17 +1310,17 @@ int x509_validate ( struct x509_certificate *cert,
 	if ( cert->valid )
 		return 0;
 
-	/* Fail if certificate is invalid at specified time */
-	if ( ( rc = x509_check_time ( cert, time ) ) != 0 )
-		return rc;
-
 	/* Succeed if certificate is a trusted root certificate */
 	if ( x509_check_root ( cert, root ) == 0 ) {
 		cert->valid = 1;
 		cert->path_remaining = ( cert->extensions.basic.path_len + 1 );
 		return 0;
 	}
 
+	/* Fail if certificate is invalid at specified time */
+	if ( ( rc = x509_check_time ( cert, time ) ) != 0 )
+		return rc;
+
 	/* Fail unless we have an issuer */
 	if ( ! issuer ) {
 		DBGC2 ( cert, "X509 %p \"%s\" has no issuer\n",