author | nelsonb%netscape.com <devnull@localhost> | 2001-02-09 01:06:41 +0000 |
---|---|---|
committer | nelsonb%netscape.com <devnull@localhost> | 2001-02-09 01:06:41 +0000 |
commit | 151caf69d7596a25b7c5bdf290500b3a5cc68925 (patch) | |
tree | cf0e520a32a42e098fdddad80b8eec21294952f3 /security/nss | |
parent | 45bbff674594f34bb1df8b10dcbda1c87394ea9c (diff) | |
Allow application to customize cert verification slop time.
Default is 24 hours. Bug 48300. Reviewed by wtc.
Modified Files:
lib/nss/nss.def lib/certdb/cert.h lib/certdb/certdb.c
Diffstat (limited to 'security/nss')
-rw-r--r-- | security/nss/lib/certdb/cert.h | 21 | ||||
-rw-r--r-- | security/nss/lib/certdb/certdb.c | 28 | ||||
-rw-r--r-- | security/nss/lib/nss/nss.def | 2 |
3 files changed, 41 insertions, 10 deletions
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h index 0a59e1e29..da12103f9 100644 --- a/security/nss/lib/certdb/cert.h +++ b/security/nss/lib/certdb/cert.h @@ -155,11 +155,11 @@ extern char *CERT_FormatName (CERTName *name); */ extern char *CERT_Hexify (SECItem *i, int do_colon); -/************************************************************************************** +/****************************************************************************** * * Certificate handling operations * - **************************************************************************************/ + *****************************************************************************/ /* ** Create a new validity object given two unix time values. @@ -185,6 +185,19 @@ extern SECStatus CERT_CopyValidity (PRArenaPool *arena, CERTValidity *dest, CERTValidity *src); /* +** The cert lib considers a cert or CRL valid if the "notBefore" time is +** in the not-too-distant future, e.g. within the next 24 hours. This +** prevents freshly issued certificates from being considered invalid +** because the local system's time zone is incorrectly set. +** The amount of "pending slop time" is adjustable by the application. +** Units of SlopTime are seconds. Default is 86400 (24 hours). +** Negative SlopTime values are not allowed. +*/ +PRInt32 CERT_GetSlopTime(void); + +SECStatus CERT_SetSlopTime(PRInt32 slop); + +/* ** Create a new certificate object. The result must be wrapped with an ** CERTSignedData to create a signed certificate. ** "serialNumber" the serial number 
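Review bot: The comment added above `CERT_GetSlopTime`/`CERT_SetSlopTime` in the `@@ -185,6 +185,19 @@` hunk does not say that the slop is a single process-wide value, nor what the setter does with a rejected argument, and a caller needs both before touching a setting that loosens notBefore checking. I would add lines such as `** The value is global to the process and applies to both cert and CRL checks.` and `** CERT_SetSlopTime returns SECFailure and leaves the value unchanged if slop < 0.`, both of which follow from the certdb.c part of this commit. The stated reason ("time zone is incorrectly set") would be more accurate as clock skew in general, since the tolerance also accepts certificates that are genuinely not valid yet. As a style point, the two prototypes omit the `extern` that the neighbouring declarations in this header carry, e.g. `extern SECStatus CERT_SetSlopTime(PRInt32 slop);`.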
@@ -264,11 +277,11 @@ extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert, int64 time, SECCertUsage usage); -/************************************************************************************ +/****************************************************************************** * * X.500 Name handling operations * - ************************************************************************************/ + *****************************************************************************/ /* ** Create an AVA (attribute-value-assertion) diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c index 9a201a6cc..f70f7893e 100644 --- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -856,6 +856,22 @@ CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER, ** of the machine checking the certificate. */ #define PENDING_SLOP (24L*60L*60L) +static PRInt32 pendingSlop = PENDING_SLOP; + +PRInt32 +CERT_GetSlopTime(void) +{ + return pendingSlop; +} + +SECStatus +CERT_SetSlopTime(PRInt32 slop) +{ + if (slop < 0) + return SECFailure; + pendingSlop = slop; + return SECSuccess; +} SECStatus CERT_GetCertTimes(CERTCertificate *c, int64 *notBefore, int64 *notAfter) @@ -883,7 +899,7 @@ CERT_GetCertTimes(CERTCertificate *c, int64 *notBefore, int64 *notAfter) SECCertTimeValidity CERT_CheckCertValidTimes(CERTCertificate *c, int64 t, PRBool allowOverride) { - int64 notBefore, notAfter, pendingSlop; + int64 notBefore, notAfter, llPendingSlop; SECStatus rv; /* if cert is already marked OK, then don't bother to check */ 
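Review bot: In the `@@ -856,6 +856,22 @@` hunk, `CERT_SetSlopTime` returns `SECFailure` for a negative argument without setting an error code, and it accepts any non-negative value up to the PRInt32 maximum, which is roughly 68 years of tolerance and in effect turns off not-yet-valid detection for every certificate and CRL checked in the process. For the first, `if (slop < 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }` would report the failure the way `CERT_CheckCertValidTimes` does further down in this file. For the second, consider an upper bound, or at least a comment on the setter stating that large values disable the notBefore check. `pendingSlop` is a plain static with no locking visible in the hunk, so the comment should also say the setter is meant to be called once during initialisation, before other threads verify certificates.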
@@ -897,8 +913,8 @@ CERT_CheckCertValidTimes(CERTCertificate *c, int64 t, PRBool allowOverride) return(secCertTimeExpired); /*XXX is this the right thing to do here?*/ } - LL_I2L(pendingSlop, PENDING_SLOP); - LL_SUB(notBefore, notBefore, pendingSlop); + LL_I2L(llPendingSlop, pendingSlop); + LL_SUB(notBefore, notBefore, llPendingSlop); if ( LL_CMP( t, <, notBefore ) ) { PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE); return(secCertTimeNotValidYet); @@ -940,7 +956,7 @@ SEC_GetCrlTimes(CERTCrl *date, int64 *notBefore, int64 *notAfter) */ SECCertTimeValidity SEC_CheckCrlTimes(CERTCrl *crl, int64 t) { - int64 notBefore, notAfter, pendingSlop; + int64 notBefore, notAfter, llPendingSlop; SECStatus rv; rv = SEC_GetCrlTimes(crl, ¬Before, ¬After); @@ -949,8 +965,8 @@ SEC_CheckCrlTimes(CERTCrl *crl, int64 t) { return(secCertTimeExpired); } - LL_I2L(pendingSlop, PENDING_SLOP); - LL_SUB(notBefore, notBefore, pendingSlop); + LL_I2L(llPendingSlop, pendingSlop); + LL_SUB(notBefore, notBefore, llPendingSlop); if ( LL_CMP( t, <, notBefore ) ) { return(secCertTimeNotValidYet); } diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def index ebf5d53da..755fec374 100644 --- a/security/nss/lib/nss/nss.def +++ b/security/nss/lib/nss/nss.def @@ -80,10 +80,12 @@ CERT_GetLocalityName; CERT_GetOrgName; CERT_GetOrgUnitName; CERT_GetSSLCACerts; +CERT_GetSlopTime; CERT_GetStateName; CERT_ImportCAChain; CERT_NameToAscii; CERT_RFC1485_EscapeAndQuote; +CERT_SetSlopTime; CERT_VerifyCertName; CERT_VerifyCertNow; DER_UTCDayToAscii; |
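Review bot: In the `@@ -897,8 +913,8 @@` hunk, `pendingSlop` is documented in cert.h as seconds but is subtracted from `notBefore` with no unit conversion; if `notBefore` and `t` are PRTime values in microseconds (their units are not visible here, confirm against `CERT_GetCertTimes`), the tolerance actually applied is 86400 microseconds, not 24 hours. The removed lines did the same arithmetic with `PENDING_SLOP`, so this is carried over by the commit rather than introduced, but publishing the value as an API in seconds makes the mismatch part of the contract. A fix would scale before subtracting, e.g. `LL_I2L(llUsecPerSec, PR_USEC_PER_SEC);` followed by `LL_MUL(llPendingSlop, llPendingSlop, llUsecPerSec);`, with `llUsecPerSec` declared next to `llPendingSlop`. The same applies to the `SEC_CheckCrlTimes` hunk at `@@ -949,8 +965,8 @@`; both function bodies start outside these hunks.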