From 0fc7327c7bbadd062201520225f3ed1539b8c5fb Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Fri, 22 Dec 2023 15:15:03 -0500
Subject: [PATCH] validation/policy: fix validity_date GeneralizedTime check
Signed-off-by: William Woodruff
---
 src/rust/cryptography-x509-validation/src/policy/mod.rs | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs
index 8795bda31d3a..2e3652505e57 100644
--- a/src/rust/cryptography-x509-validation/src/policy/mod.rs
+++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs
@@ -5,6 +5,7 @@ mod extension;
 use std::collections::HashSet;
+use std::ops::Range;
 use asn1::ObjectIdentifier;
 use cryptography_x509::certificate::Certificate;
@@ -552,16 +553,14 @@ impl<'a, B: CryptoOps> Policy<'a, B> {
 }
 fn permits_validity_date(validity_date: &Time) -> Result<(), ValidationError> {
- const GENERALIZED_DATE_CUTOFF_YEAR: u16 = 2050;
+ const GENERALIZED_DATE_INVALIDITY_RANGE: Range = 1950..2050;
 // NOTE: The inverse check on `asn1::UtcTime` is already done for us
 // by the variant's constructor.
 if let Time::GeneralizedTime(_) = validity_date {
- // NOTE: This is technically wrong for certificates issued before 1950,
- // but this does not matter in practice.
- if validity_date.as_datetime().year() < GENERALIZED_DATE_CUTOFF_YEAR {
+ if GENERALIZED_DATE_INVALIDITY_RANGE.contains(&validity_date.as_datetime().year()) {
 return Err(ValidationError::Other(
- "validity dates before generalized date cutoff must be UtcTime".to_string(),
+ "validity dates between 1950 and 2049 must be UtcTime".to_string(),
 ));
 }
 }
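Review bot: The new `GENERALIZED_DATE_INVALIDITY_RANGE` constant in `permits_validity_date` is a half-open range (2050 is excluded), and with the old NOTE removed nothing in the hunk records where the bounds 1950 and 2050 come from. A comment on the constant would keep that reviewable, for example `// RFC 5280 4.1.2.5: validity dates through 2049 must be UTCTime, which spans 1950..=2049; GeneralizedTime is conformant only outside that window.` The diffstat accounts for all 4 insertions and 5 deletions in the two visible hunks, so this commit adds no test; a unit test pinning `Time::GeneralizedTime` at 1949, 1950, 2049 and 2050 (accept, reject, reject, accept) would guard the boundaries, since an off-by-one here changes which certificates the validator accepts. The error string also repeats the bounds as literals ("1950 and 2049"), so it has to be updated by hand if the range ever changes. The function body continues past the end of the hunk.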