Skip to content

Adding NO_ASN_TIME_CHECK build option #6185

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
SparkiDev merged 3 commits into from
Apr 21, 2023
Merged

Adding NO_ASN_TIME_CHECK build option #6185

SparkiDev merged 3 commits into from
Apr 21, 2023

Conversation

@lealem47
Copy link
Contributor

@lealem47 lealem47 commented Mar 10, 2023

Description

Skip all time checking without having to define NO_ASN_TIME. Originally developed as workaround for the issue addressed by #6181, but still a nice feature to have.

Fixes zd#15790

Testing

Tested with certs in certs/test/expired/

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@JacobBarthelmeh
Copy link
Contributor

JacobBarthelmeh commented Mar 13, 2023

We have the VERIFY_SKIP_DATE option, could that be expanded to OCSP checks, allowing us to avoid adding another macro?

@lealem47
Copy link
Contributor Author

lealem47 commented Mar 13, 2023

We have the VERIFY_SKIP_DATE option, could that be expanded to OCSP checks, allowing us to avoid adding another macro?

That looks like it's going to involve duplicating wolfSSL_CertManagerLoadCA() and wolfSSL_CertManagerVerifyBuffer() to _ex() versions , only with the an additional flag parameter to pass in WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY. Would that be a better change? @JacobBarthelmeh

dgarske
dgarske requested changes Apr 20, 2023
View reviewed changes
Copy link
Contributor

@dgarske dgarske left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the PR. Please add some additional comments in asn.c for NO_ASN_TIME_CHECK to describe the other options for accomplishing this. I'd prefer they use one of the existing supported methods. Also indicate the possible security risk using it.
Over to @SparkiDev for additional feedback.

@dgarske dgarske requested a review from SparkiDev April 20, 2023 20:13
@lealem47 lealem47 requested a review from dgarske April 20, 2023 20:36
dgarske
dgarske previously approved these changes Apr 20, 2023
View reviewed changes
@lealem47 lealem47 assigned SparkiDev and unassigned lealem47 Apr 20, 2023
SparkiDev
SparkiDev requested changes Apr 20, 2023
View reviewed changes
wolfcrypt/src/asn.c Outdated
ret = PaseCRL_CheckSignature(dcrl, buff, cm);
}

(void)verify;
Copy link
Contributor

@SparkiDev SparkiDev Apr 20, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Already this line above WOLFSSL_MSG.

Copy link
Contributor Author

@lealem47 lealem47 Apr 20, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for catching that. I opened the PR before that was added.

@lealem47 lealem47 requested a review from SparkiDev April 20, 2023 22:49
@SparkiDev SparkiDev merged commit 9230d9c into wolfSSL:master Apr 21, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SparkiDev SparkiDev SparkiDev approved these changes

@dgarske dgarske dgarske left review comments

@JacobBarthelmeh JacobBarthelmeh Awaiting requested review from JacobBarthelmeh

Assignees

@SparkiDev SparkiDev

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@lealem47 @JacobBarthelmeh @dgarske @SparkiDev