Skip to content

Commit

Permalink
validation/policy: fix validity_date GeneralizedTime check
Browse files Browse the repository at this point in the history 
Signed-off-by: William Woodruff <[email protected]>
  • Loading branch information
@woodruffw
woodruffw committed Dec 22, 2023
1 parent 6aa642c commit 0fc7327
Showing 1 changed file with 4 additions and 5 deletions.
9 changes: 4 additions & 5 deletions src/rust/cryptography-x509-validation/src/policy/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
mod extension;

use std::collections::HashSet;
use std::ops::Range;

use asn1::ObjectIdentifier;
use cryptography_x509::certificate::Certificate;
Expand Down Expand Up @@ -552,16 +553,14 @@ impl<'a, B: CryptoOps> Policy<'a, B> {
}

fn permits_validity_date(validity_date: &Time) -> Result<(), ValidationError> {
const GENERALIZED_DATE_CUTOFF_YEAR: u16 = 2050;
const GENERALIZED_DATE_INVALIDITY_RANGE: Range<u16> = 1950..2050;

// NOTE: The inverse check on `asn1::UtcTime` is already done for us
// by the variant's constructor.
if let Time::GeneralizedTime(_) = validity_date {
// NOTE: This is technically wrong for certificates issued before 1950,
// but this does not matter in practice.
if validity_date.as_datetime().year() < GENERALIZED_DATE_CUTOFF_YEAR {
if GENERALIZED_DATE_INVALIDITY_RANGE.contains(&validity_date.as_datetime().year()) {
return Err(ValidationError::Other(
"validity dates before generalized date cutoff must be UtcTime".to_string(),
"validity dates between 1950 and 2049 must be UtcTime".to_string(),
));
}
}
Expand Down

0 comments on commit 0fc7327

Please sign in to comment.