* -- Extensions: extension values are processed in due order.
*
* -- Basic Constraints: for all certificates except EE, must be
- * present, indicate a CA, and have a path legnth compatible with
+ * present, indicate a CA, and have a path length compatible with
* the chain length so far.
*
* -- Key Usage: for the EE, if present, must allow signatures
* then validation is reported as failed.
*/
-#ifndef BR_USE_UNIX_TIME
-#if defined __unix__ || defined __linux__ \
- || defined _POSIX_SOURCE || defined _POSIX_C_SOURCE \
- || (defined __APPLE__ && defined __MACH__)
-#define BR_USE_UNIX_TIME 1
-#endif
-#endif
-
-#ifndef BR_USE_WIN32_TIME
-#if defined _WIN32 || defined _WIN64
-#define BR_USE_WIN32_TIME 1
-#endif
-#endif
-
#if BR_USE_UNIX_TIME
#include <time.h>
#endif
#include <windows.h>
#endif
+/*
+ * The T0 compiler will produce these prototypes declarations in the
+ * header.
+ *
void br_x509_minimal_init_main(void *ctx);
void br_x509_minimal_run(void *ctx);
+ */
/* see bearssl_x509.h */
void
br_x509_minimal_context *cc;
size_t u;
- cc = (br_x509_minimal_context *)ctx;
+ cc = (br_x509_minimal_context *)(void *)ctx;
for (u = 0; u < cc->num_name_elts; u ++) {
cc->name_elts[u].status = 0;
cc->name_elts[u].buf[0] = 0;
{
br_x509_minimal_context *cc;
- cc = (br_x509_minimal_context *)ctx;
+ cc = (br_x509_minimal_context *)(void *)ctx;
if (cc->err != 0) {
return;
}
{
br_x509_minimal_context *cc;
- cc = (br_x509_minimal_context *)ctx;
+ cc = (br_x509_minimal_context *)(void *)ctx;
if (cc->err != 0) {
return;
}
{
br_x509_minimal_context *cc;
- cc = (br_x509_minimal_context *)ctx;
+ cc = (br_x509_minimal_context *)(void *)ctx;
if (cc->err == 0 && cc->cert_length != 0) {
cc->err = BR_ERR_X509_TRUNCATED;
}
{
br_x509_minimal_context *cc;
- cc = (br_x509_minimal_context *)ctx;
+ cc = (br_x509_minimal_context *)(void *)ctx;
if (cc->err == 0) {
if (cc->num_certs == 0) {
cc->err = BR_ERR_X509_EMPTY_CHAIN;
{
br_x509_minimal_context *cc;
- cc = (br_x509_minimal_context *)ctx;
+ cc = (br_x509_minimal_context *)(void *)ctx;
if (cc->err == BR_ERR_X509_OK
|| cc->err == BR_ERR_X509_NOT_TRUSTED)
{
if (usages != NULL) {
*usages = cc->key_usages;
}
- return &((br_x509_minimal_context *)ctx)->pkey;
+ return &((br_x509_minimal_context *)(void *)ctx)->pkey;
} else {
return NULL;
}
xm_get_pkey
};
-#define CTX ((br_x509_minimal_context *)((unsigned char *)t0ctx - offsetof(br_x509_minimal_context, cpu)))
+#define CTX ((br_x509_minimal_context *)(void *)((unsigned char *)t0ctx - offsetof(br_x509_minimal_context, cpu)))
#define CONTEXT_NAME br_x509_minimal_context
#define DNHASH_LEN ((CTX->dn_hash_impl->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK)
\ Return the CN match flag.
eename-matches ;
-\ Get the validation date and time from the context or system.
-cc: get-system-date ( -- days seconds ) {
- if (CTX->days == 0 && CTX->seconds == 0) {
+\ Check the provided validity range against the current (or configured)
+\ date and time ("na" = notAfter, "nb = notBefore). Returned value:
+\ -1 current date/time is before the notBefore date
+\ 0 current date/time is within the allowed range
+\ +1 current date/time is after the notAfter range
+\ If the current date/time is not available, then this function triggers a
+\ failure and does not return.
+cc: check-validity-range ( na-days na-seconds nb-days nb-seconds -- int ) {
+ uint32_t nbs = T0_POP();
+ uint32_t nbd = T0_POP();
+ uint32_t nas = T0_POP();
+ uint32_t nad = T0_POP();
+ int r;
+ if (CTX->itime != 0) {
+ r = CTX->itime(CTX->itime_ctx, nbd, nbs, nad, nas);
+ if (r < -1 || r > 1) {
+ CTX->err = BR_ERR_X509_TIME_UNKNOWN;
+ T0_CO();
+ }
+ } else {
+ uint32_t vd = CTX->days;
+ uint32_t vs = CTX->seconds;
+ if (vd == 0 && vs == 0) {
#if BR_USE_UNIX_TIME
- time_t x = time(NULL);
+ time_t x = time(NULL);
- T0_PUSH((uint32_t)(x / 86400) + 719528);
- T0_PUSH((uint32_t)(x % 86400));
+ vd = (uint32_t)(x / 86400) + 719528;
+ vs = (uint32_t)(x % 86400);
#elif BR_USE_WIN32_TIME
- FILETIME ft;
- uint64_t x;
-
- GetSystemTimeAsFileTime(&ft);
- x = ((uint64_t)ft.dwHighDateTime << 32)
- + (uint64_t)ft.dwLowDateTime;
- x = (x / 10000000);
- T0_PUSH((uint32_t)(x / 86400) + 584754);
- T0_PUSH((uint32_t)(x % 86400));
+ FILETIME ft;
+ uint64_t x;
+
+ GetSystemTimeAsFileTime(&ft);
+ x = ((uint64_t)ft.dwHighDateTime << 32)
+ + (uint64_t)ft.dwLowDateTime;
+ x = (x / 10000000);
+ vd = (uint32_t)(x / 86400) + 584754;
+ vs = (uint32_t)(x % 86400);
#else
- CTX->err = BR_ERR_X509_TIME_UNKNOWN;
- T0_CO();
+ CTX->err = BR_ERR_X509_TIME_UNKNOWN;
+ T0_CO();
#endif
- } else {
- T0_PUSH(CTX->days);
- T0_PUSH(CTX->seconds);
+ }
+ if (vd < nbd || (vd == nbd && vs < nbs)) {
+ r = -1;
+ } else if (vd > nad || (vd == nad && vs > nas)) {
+ r = 1;
+ } else {
+ r = 0;
+ }
}
+ T0_PUSHi(r);
}
-\ Compare two dates (days+seconds) together.
-: before ( days1 seconds1 days2 seconds2 -- bool )
- { d1 s1 d2 s2 }
- d1 d2 = if s1 s2 < else d1 d2 < then ;
-
-: after ( days1 seconds1 days2 seconds2 -- bool )
- swap2 before ;
-
\ Swap the top two elements with the two elements immediately below.
: swap2 ( a b c d -- c d a b )
3 roll 3 roll ;
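Review bot: In the `BR_USE_UNIX_TIME` branch of `check-validity-range`, the result of `time(NULL)` is still used unchecked. A failed call (`(time_t)-1`) gives `vd = 719528` and `vs = 0xFFFFFFFF`, which compares as before `notBefore` for any realistically dated certificate, so the caller reports `ERR_X509_EXPIRED` rather than `BR_ERR_X509_TIME_UNKNOWN`. The outcome is fail-closed, but the error code misleads anyone diagnosing a host without a working clock; adding `if (x == (time_t)-1) { CTX->err = BR_ERR_X509_TIME_UNKNOWN; T0_CO(); }` right after the call would report it correctly. The header comment should also state that when `CTX->itime` is set the callback alone decides the result, and that `CTX->days`/`CTX->seconds` and the system clock are not consulted. Its `"nb = notBefore` is also missing the closing quote.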
\ Validity dates.
read-sequence-open
- read-date get-system-date after if ERR_X509_EXPIRED fail then
- read-date get-system-date before if ERR_X509_EXPIRED fail then
+ read-date { nbd nbs } read-date nbd nbs check-validity-range
+ if ERR_X509_EXPIRED fail then
close-elt
\ Subject name.
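Review bot: The new `check-validity-range` call site depends on a stack layout and an error mapping that are not commented. The first `read-date` (notBefore) is parked in locals so that the second (notAfter) ends up underneath it, and both `-1` (not yet valid) and `+1` (expired) fail with the same `ERR_X509_EXPIRED`. I would add a comment above the call such as `\ Stack at call: na-days na-seconds nb-days nb-seconds; any non-zero result (not yet valid or expired) is reported as ERR_X509_EXPIRED.` This matters more now that a caller-supplied time callback can produce the result, since its `-1` return is indistinguishable from `+1` in the reported error. The enclosing word begins and ends outside the visible lines.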