Don't check the trust anchors expiration time since they are

transported out of band, from RFC3820.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19176 ec53bebd-3082-4978-b11e-865c3cabbd6b

lib/hx509/cert.c

@@ -41,6 +41,7 @@ struct hx509_verify_ctx_data {
 #define HX509_VERIFY_CTX_F_TIME_SET			1
 #define HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE	2
 #define HX509_VERIFY_CTX_F_REQUIRE_RFC3280		4
+#define HX509_VERIFY_CTX_F_CHECK_TRUST_ANCHORS		8
     time_t time_now;
     unsigned int max_depth;
 #define HX509_VERIFY_MAX_DEPTH 30
@@ -48,6 +49,7 @@ struct hx509_verify_ctx_data {
 };
 
 #define REQUIRE_RFC3280(ctx) ((ctx)->flags & HX509_VERIFY_CTX_F_REQUIRE_RFC3280)
+#define CHECK_TA(ctx) ((ctx)->flags & HX509_VERIFY_CTX_F_CHECK_TRUST_ANCHORS)
 
 struct _hx509_cert_attrs {
     size_t len;
@@ -1543,6 +1545,12 @@ hx509_verify_path(hx509_context context,
 	if (ret)
 	    goto out;
 	    
+	/*
+	 * Don't check the trust anchors expiration time since they
+	 * are transported out of band, from RFC3820.
+	 */
+	if (i + 1 != path.len || CHECK_TA(ctx)) {
+
 	    t = _hx509_Time2time_t(&c->tbsCertificate.validity.notBefore);
 	    if (t > ctx->time_now) {
 		ret = HX509_CERT_USED_BEFORE_TIME;
@@ -1555,6 +1563,7 @@ hx509_verify_path(hx509_context context,
 		hx509_clear_error_string(context);
 		goto out;
 	    }
+	}
 
 	if (type == EE_CERT)
 	    type = CA_CERT;