diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-12-01 14:22:16 +0100 |
|---|---|---|
| committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-12-03 15:11:41 +0100 |
| commit | 315c47e00bb953abe8892a3c1272289330b29d23 (patch) | |
| tree | 06306f2d8657241da73abccdb91873cbd2381916 /doc | |
| parent | 61168b5b8dde03f3b77ddf5e4b1b81c338c01746 (diff) | |
x509_vfy.c: Restore rejection of expired trusted (root) certificate
The certificate path validation procedure specified in RFC 5280 does not
include checking the validity period of the trusted (root) certificate.
Still it is common good practice to perform this check.
Also OpenSSL did this until version 1.1.1h, yet
commit e2590c3a162eb118c36b09c2168164283aa099b4 accidentally killed it.
The current commit restores the previous behavior.
It also removes the cause of that bug, namely counter-intuitive design
of the internal function check_issued(), which was complicated by checks
that actually belong to some other internal function, namely find_issuer().
Moreover, this commit adds a regression check and proper documentation of
the root cert validity period check feature, which had been missing so far.
Fixes #13471
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13585)
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/man1/verify.pod | 12 | ||||
| -rw-r--r-- | doc/man3/X509_STORE_set_verify_cb_func.pod | 4 |
2 files changed, 9 insertions, 7 deletions
diff --git a/doc/man1/verify.pod b/doc/man1/verify.pod index 71288be40d..da2b702482 100644 --- a/doc/man1/verify.pod +++ b/doc/man1/verify.pod @@ -382,10 +382,14 @@ should be trusted for the supplied purpose. For compatibility with previous versions of OpenSSL, a certificate with no trust settings is considered to be valid for all purposes. -The final operation is to check the validity of the certificate chain. The validity -period is checked against the current system time and the notBefore and notAfter -dates in the certificate. The certificate signatures are also checked at this -point. +The final operation is to check the validity of the certificate chain. +For each element in the chain, including the root CA certificate, +the validity period as specified by the C<notBefore> and C<notAfter> fields +is checked against the current system time. +The B<-attime> flag may be used to use a reference time other than "now." +The certificate signature is checked as well +(except for the signature of the typically self-signed root CA certificate, +which is verified only if the B<-check_ss_sig> option is given). If all operations complete successfully then certificate is considered valid. If any operation fails then the certificate is not valid. diff --git a/doc/man3/X509_STORE_set_verify_cb_func.pod b/doc/man3/X509_STORE_set_verify_cb_func.pod index 526790938a..6d7098250d 100644 --- a/doc/man3/X509_STORE_set_verify_cb_func.pod +++ b/doc/man3/X509_STORE_set_verify_cb_func.pod @@ -137,9 +137,7 @@ I<If no function to get the issuer is provided, the internal default function will be used instead.> X509_STORE_set_check_issued() sets the function to check that a given -certificate B<x> is issued by the issuer certificate B<issuer> and -the issuer is not yet in the chain contained in <ctx>, where the exceptional -case that B<x> is self-issued and ctx->chain has just one element is allowed. +certificate B<x> is issued by the issuer certificate B<issuer>. This function must return 0 on failure (among others if B<x> hasn't been issued with B<issuer>) and 1 on success. I<If no function to get the issuer is provided, the internal default |