authornelsonb%netscape.com <devnull@localhost>2001-02-09 01:06:41 +0000
committernelsonb%netscape.com <devnull@localhost>2001-02-09 01:06:41 +0000
commit151caf69d7596a25b7c5bdf290500b3a5cc68925 (patch)
treecf0e520a32a42e098fdddad80b8eec21294952f3 /security/nss
parent45bbff674594f34bb1df8b10dcbda1c87394ea9c (diff)
downloadnss-hg-151caf69d7596a25b7c5bdf290500b3a5cc68925.tar.gz
Allow application to customize cert verification slop time.
Default is 24 hours. Bug 48300. Reviewed by wtc. Modified Files: lib/nss/nss.def lib/certdb/cert.h lib/certdb/certdb.c
Diffstat (limited to 'security/nss')
-rw-r--r--security/nss/lib/certdb/cert.h21
-rw-r--r--security/nss/lib/certdb/certdb.c28
-rw-r--r--security/nss/lib/nss/nss.def2
3 files changed, 41 insertions, 10 deletions
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
index 0a59e1e29..da12103f9 100644
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -155,11 +155,11 @@ extern char *CERT_FormatName (CERTName *name);
*/
extern char *CERT_Hexify (SECItem *i, int do_colon);
-/**************************************************************************************
+/******************************************************************************
*
* Certificate handling operations
*
- **************************************************************************************/
+ *****************************************************************************/
/*
** Create a new validity object given two unix time values.
@@ -185,6 +185,19 @@ extern SECStatus CERT_CopyValidity
(PRArenaPool *arena, CERTValidity *dest, CERTValidity *src);
/*
+** The cert lib considers a cert or CRL valid if the "notBefore" time is
+** in the not-too-distant future, e.g. within the next 24 hours. This
+** prevents freshly issued certificates from being considered invalid
+** because the local system's time zone is incorrectly set.
+** The amount of "pending slop time" is adjustable by the application.
+** Units of SlopTime are seconds. Default is 86400 (24 hours).
+** Negative SlopTime values are not allowed.
+*/
+PRInt32 CERT_GetSlopTime(void);
+
+SECStatus CERT_SetSlopTime(PRInt32 slop);
+
+/*
** Create a new certificate object. The result must be wrapped with an
** CERTSignedData to create a signed certificate.
** "serialNumber" the serial number
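Review bot: The two new prototypes are declared without `extern`, while the neighbouring declarations in this header (`extern char *CERT_Hexify`, `extern SECStatus CERT_CopyValidity`) all carry it; for consistency write `extern PRInt32 CERT_GetSlopTime(void);` and `extern SECStatus CERT_SetSlopTime(PRInt32 slop);`. The comment also leaves the setter's contract unstated: I would add that a negative argument returns SECFailure and leaves the current value unchanged, and that the setting is a single process-wide value applied to every later certificate and CRL time check. Because a larger value makes the library accept certificates and CRLs further ahead of their notBefore time, a sentence advising applications to keep it no larger than their expected clock skew would help callers choose a value.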
@@ -264,11 +277,11 @@ extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert,
int64 time,
SECCertUsage usage);
-/************************************************************************************
+/******************************************************************************
*
* X.500 Name handling operations
*
- ************************************************************************************/
+ *****************************************************************************/
/*
** Create an AVA (attribute-value-assertion)
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 9a201a6cc..f70f7893e 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -856,6 +856,22 @@ CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER,
** of the machine checking the certificate.
*/
#define PENDING_SLOP (24L*60L*60L)
+static PRInt32 pendingSlop = PENDING_SLOP;
+
+PRInt32
+CERT_GetSlopTime(void)
+{
+ return pendingSlop;
+}
+
+SECStatus
+CERT_SetSlopTime(PRInt32 slop)
+{
+ if (slop < 0)
+ return SECFailure;
+ pendingSlop = slop;
+ return SECSuccess;
+}
SECStatus
CERT_GetCertTimes(CERTCertificate *c, int64 *notBefore, int64 *notAfter)
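Review bot: `CERT_SetSlopTime` rejects negative values but puts no ceiling on the slop, so any caller in the process can widen the not-yet-valid window up to the PRInt32 maximum for every certificate and CRL check. Consider an upper bound, e.g. `if (slop < 0 || slop > MAX_PENDING_SLOP) return SECFailure;`, where `MAX_PENDING_SLOP` is a placeholder name for a limit the project would choose. `pendingSlop` is also a plain file-scope static written with no lock while the validity checks read it, so a comment above it should say it is meant to be set once during initialization, before verification runs on other threads, or the access should be synchronized. CERT_GetCertTimes, whose signature closes this hunk, continues outside it.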
@@ -883,7 +899,7 @@ CERT_GetCertTimes(CERTCertificate *c, int64 *notBefore, int64 *notAfter)
SECCertTimeValidity
CERT_CheckCertValidTimes(CERTCertificate *c, int64 t, PRBool allowOverride)
{
- int64 notBefore, notAfter, pendingSlop;
+ int64 notBefore, notAfter, llPendingSlop;
SECStatus rv;
/* if cert is already marked OK, then don't bother to check */
@@ -897,8 +913,8 @@ CERT_CheckCertValidTimes(CERTCertificate *c, int64 t, PRBool allowOverride)
return(secCertTimeExpired); /*XXX is this the right thing to do here?*/
}
- LL_I2L(pendingSlop, PENDING_SLOP);
- LL_SUB(notBefore, notBefore, pendingSlop);
+ LL_I2L(llPendingSlop, pendingSlop);
+ LL_SUB(notBefore, notBefore, llPendingSlop);
if ( LL_CMP( t, <, notBefore ) ) {
PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE);
return(secCertTimeNotValidYet);
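Review bot: `pendingSlop` is documented in cert.h as seconds, yet here it is widened with `LL_I2L` and subtracted from `notBefore` with no unit conversion. If `notBefore` and `t` are NSPR-style microsecond times (CERT_GetCertTimes is not visible in this hunk, so this needs confirming), the effective default is 86400 microseconds rather than 24 hours, and any value an application sets is off by a factor of one million. In that case scale before subtracting, using an extra int64 local: `LL_I2L(usecPerSec, PR_USEC_PER_SEC);` then `LL_MUL(llPendingSlop, llPendingSlop, usecPerSec);`. The same two changed lines appear in the SEC_CheckCrlTimes hunk further down and need the same treatment. The body of CERT_CheckCertValidTimes starts and ends outside this hunk.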
@@ -940,7 +956,7 @@ SEC_GetCrlTimes(CERTCrl *date, int64 *notBefore, int64 *notAfter)
*/
SECCertTimeValidity
SEC_CheckCrlTimes(CERTCrl *crl, int64 t) {
- int64 notBefore, notAfter, pendingSlop;
+ int64 notBefore, notAfter, llPendingSlop;
SECStatus rv;
rv = SEC_GetCrlTimes(crl, &notBefore, &notAfter);
@@ -949,8 +965,8 @@ SEC_CheckCrlTimes(CERTCrl *crl, int64 t) {
return(secCertTimeExpired);
}
- LL_I2L(pendingSlop, PENDING_SLOP);
- LL_SUB(notBefore, notBefore, pendingSlop);
+ LL_I2L(llPendingSlop, pendingSlop);
+ LL_SUB(notBefore, notBefore, llPendingSlop);
if ( LL_CMP( t, <, notBefore ) ) {
return(secCertTimeNotValidYet);
}
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index ebf5d53da..755fec374 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -80,10 +80,12 @@ CERT_GetLocalityName;
CERT_GetOrgName;
CERT_GetOrgUnitName;
CERT_GetSSLCACerts;
+CERT_GetSlopTime;
CERT_GetStateName;
CERT_ImportCAChain;
CERT_NameToAscii;
CERT_RFC1485_EscapeAndQuote;
+CERT_SetSlopTime;
CERT_VerifyCertName;
CERT_VerifyCertNow;
DER_UTCDayToAscii;