From d3b2e5df800e265c61d2cc71bd7f80833898cbe4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Tue, 28 Nov 2006 17:41:57 +0000
Subject: [PATCH] Don't check the trust anchors expiration time since they are
 transported out of band, from RFC3820.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19176 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/hx509/cert.c | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index f7ea786a5..a956d6eb6 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -41,6 +41,7 @@ struct hx509_verify_ctx_data {
 #define HX509_VERIFY_CTX_F_TIME_SET			1
 #define HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE	2
 #define HX509_VERIFY_CTX_F_REQUIRE_RFC3280		4
+#define HX509_VERIFY_CTX_F_CHECK_TRUST_ANCHORS		8
     time_t time_now;
     unsigned int max_depth;
 #define HX509_VERIFY_MAX_DEPTH 30
@@ -48,6 +49,7 @@ struct hx509_verify_ctx_data {
 };
 
 #define REQUIRE_RFC3280(ctx) ((ctx)->flags & HX509_VERIFY_CTX_F_REQUIRE_RFC3280)
+#define CHECK_TA(ctx) ((ctx)->flags & HX509_VERIFY_CTX_F_CHECK_TRUST_ANCHORS)
 
 struct _hx509_cert_attrs {
     size_t len;
@@ -1542,18 +1544,25 @@ hx509_verify_path(hx509_context context,
 	ret = check_basic_constraints(context, c, type, i - proxy_cert_depth);
 	if (ret)
 	    goto out;
+	    
+	/*
+	 * Don't check the trust anchors expiration time since they
+	 * are transported out of band, from RFC3820.
+	 */
+	if (i + 1 != path.len || CHECK_TA(ctx)) {
 
-	t = _hx509_Time2time_t(&c->tbsCertificate.validity.notBefore);
-	if (t > ctx->time_now) {
-	    ret = HX509_CERT_USED_BEFORE_TIME;
-	    hx509_clear_error_string(context);
-	    goto out;
-	}
-	t = _hx509_Time2time_t(&c->tbsCertificate.validity.notAfter);
-	if (t < ctx->time_now) {
-	    ret = HX509_CERT_USED_AFTER_TIME;
-	    hx509_clear_error_string(context);
-	    goto out;
+	    t = _hx509_Time2time_t(&c->tbsCertificate.validity.notBefore);
+	    if (t > ctx->time_now) {
+		ret = HX509_CERT_USED_BEFORE_TIME;
+		hx509_clear_error_string(context);
+		goto out;
+	    }
+	    t = _hx509_Time2time_t(&c->tbsCertificate.validity.notAfter);
+	    if (t < ctx->time_now) {
+		ret = HX509_CERT_USED_AFTER_TIME;
+		hx509_clear_error_string(context);
+		goto out;
+	    }
 	}
 
 	if (type == EE_CERT)