Always revoke certificate on CRL

RFC5280 does not state that the `revocationDate` should be checked. In addition, when no time source is available (i.e., when MBEDTLS_HAVE_TIME_DATE is not defined), `mbedtls_x509_time_is_past` always returns 0. This results in the CRL not being checked at all. https://tools.ietf.org/html/rfc5280 Signed-off-by: Raoul Strackx <raoul.strackx@fortanix.com>
2026-02-19 00:39:46 +00:00 · 2020-06-15 17:03:13 +02:00
parent 14cb46de24
commit 75475d8465
9 changed files with 66 additions and 4 deletions
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1816,8 +1816,7 @@ int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509
        if( crt->serial.len == cur->serial.len &&
            memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 )
        {
-            if( mbedtls_x509_time_is_past( &cur->revocation_date ) )
-                return( 1 );
+            return( 1 );
        }

        cur = cur->next;