[En-Nut-Discussion] [PATCH 1/2] FIX: accept certificate without expiration date
Krzysztof Sawicki
krzysztof.sawicki at mlabs.pl
Mon Apr 24 15:35:47 CEST 2017
On 24.04.2017 13:08, Uwe Bonnes wrote:
>>>>>> "Krzysztof" == Krzysztof Sawicki <krzysztof.sawicki at mlabs.pl> writes:
>
> Krzysztof> --- nut/tls/x509.c | 2 +- 1 file changed, 1 insertion(+), 1
> Krzysztof> deletion(-)
>
> Krzysztof> diff --git a/nut/tls/x509.c b/nut/tls/x509.c index
> Krzysztof> 2b483c7..310d26b 100644 --- a/nut/tls/x509.c +++
> Krzysztof> b/nut/tls/x509.c @@ -385,7 +385,7 @@ int x509_verify(const
> Krzysztof> CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert) } /* check
> Krzysztof> the not after date */ - if (tv.tv_sec > cert->not_after) + if
> Krzysztof> ((cert->not_after != -1) && (tv.tv_sec > cert->not_after)) {
> Krzysztof> ret = X509_VFY_ERROR_EXPIRED; goto end_verify; -- 2.7.4
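Review bot: The added test (cert->not_after != -1) in x509_verify relies on a bare -1 as the "no expiration" marker, while the comment above it still says only "check the not after date" and nothing in the hunk shows where not_after is set to -1. With this condition, any certificate whose not_after is -1 skips the X509_VFY_ERROR_EXPIRED check, so it is worth confirming that the parser assigns -1 only for the deliberate no-expiry case (RFC 5280 4.1.2.5 specifies the GeneralizedTime value 99991231235959Z for it) and never for a notAfter field it failed to decode. Please give the sentinel a named constant and extend the comment to state that it means "no well-defined expiration date".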
>
> Dear Krzysztof,
>
> can you give some reference that a certificate without expiration date is
> valid?

RFC5280 4.1.2.5

"In some situations, devices are given certificates for which no good
expiration date can be assigned. For example, a device could be
issued a certificate that binds its model and serial number to its
public key; such a certificate is intended to be used for the entire
lifetime of the device."

I think it is common in embedded devices. Implementing certificate
updating would be overkill.

regards
--
Krzysztof Sawicki
MLabs sp. z o.o.
ul. Kaliska 21
61-131 Poznań
tel. 61 646 84 27
KRS: 0000390306
NIP: 7822533401