diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-12-01 14:22:16 +0100 |
|---|---|---|
| committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-12-03 14:06:49 +0100 |
| commit | 3bed88a3970605a2ff817065f93b08e965d89e5f (patch) | |
| tree | e7d169ec545cbee70c5043ec2a5bc7f62233706b /doc/man1 | |
| parent | apps/pkcs12.c: Improve user guidance, re-ordering no-export vs. export options (diff) | |
| download | openssl-3bed88a3970605a2ff817065f93b08e965d89e5f.tar.xz openssl-3bed88a3970605a2ff817065f93b08e965d89e5f.zip | |
x509_vfy.c: Restore rejection of expired trusted (root) certificate
The certificate path validation procedure specified in RFC 5280 does not
include checking the validity period of the trusted (root) certificate.
Still it is common good practice to perform this check.
Also OpenSSL did this until commit 0e7b1383e, which accidentally killed it.
The current commit restores the previous behavior.
It also removes the cause of that bug, namely counter-intuitive design
of the internal function check_issued(), which was complicated by checks
that actually belong to some other internal function, namely find_issuer().
Moreover, this commit adds a regression check and proper documentation of
the root cert validity period check feature, which had been missing so far.
Fixes #13427
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13590)
Diffstat (limited to 'doc/man1')
| -rw-r--r-- | doc/man1/openssl.pod | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index 0bb37d415d..ace96274f9 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -847,11 +847,12 @@ For compatibility with previous versions of OpenSSL, a certificate with no trust settings is considered to be valid for all purposes. The fourth, and final, step is to check the validity of the certificate chain. -The validity period is checked against the system time -and the C<notBefore> and C<notAfter> dates in each certificate. -The B<-attime> flag may be used to specify a time other than "now." -The certificate signatures are also checked at this point -(except for the signature of the self-signed "root CA" certificate, +For each element in the chain, including the root CA certificate, +the validity period as specified by the C<notBefore> and C<notAfter> fields +is checked against the current system time. +The B<-attime> flag may be used to use a reference time other than "now." +The certificate signature is checked as well +(except for the signature of the typically self-signed root CA certificate, which is verified only if the B<-check_ss_sig> option is given). When verifying a certificate signature the keyUsage extension (if present) of the candidate issuer certificate |