[openssl-commits] [openssl] master update

Rich Salz rsalz at openssl.org
Sun Jun 11 20:45:42 UTC 2017


The branch master has been updated
       via  04e62715db684d83bffac53793ff4cfac51e047a (commit)
      from  7aefa75490991d71e190be38457223704fefff34 (commit)


- Log -----------------------------------------------------------------
commit 04e62715db684d83bffac53793ff4cfac51e047a
Author: Rich Salz <rsalz at openssl.org>
Date:   Sun Jun 11 16:36:07 2017 -0400

    Introduce ASN1_TIME_set_string_X509 API
    
    Make funcs to deal with non-null-term'd string
    in both asn1_generalizedtime_to_tm() and asn1_utctime_to_tm().
    
    Fixes issue #3444.
    
    This one is used to enforce strict format (RFC 5280) check and to
    convert GeneralizedTime to UTCTime.
    
    apps/ca has been changed to use the new API.
    
    Test cases and documentation are updated/added
    
    Signed-off-by: Paul Yang <paulyang.inf at gmail.com>
    
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3566)

-----------------------------------------------------------------------

Summary of changes:
 apps/apps.c                |   4 +-
 apps/ca.c                  |   4 +-
 crypto/asn1/a_gentm.c      |  57 ++++++++++++++----
 crypto/asn1/a_time.c       |  60 ++++++++++++++++++-
 crypto/asn1/a_utctm.c      |  43 +++++++++++---
 doc/man3/ASN1_TIME_set.pod |  19 ++++--
 include/openssl/asn1.h     |   3 +
 test/time_offset_test.c    |   1 +
 test/x509_time_test.c      | 143 +++++++++++++++++++++++++++++++++++++++++++++
 util/libcrypto.num         |   1 +
 10 files changed, 308 insertions(+), 27 deletions(-)

diff --git a/apps/apps.c b/apps/apps.c
index 1a1b7ec..15cf4a7 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2662,14 +2662,14 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
         if (X509_gmtime_adj(X509_getm_notBefore(x), 0) == NULL)
             return 0;
     } else {
-        if (!ASN1_TIME_set_string(X509_getm_notBefore(x), startdate))
+        if (!ASN1_TIME_set_string_X509(X509_getm_notBefore(x), startdate))
             return 0;
     }
     if (enddate == NULL) {
         if (X509_time_adj_ex(X509_getm_notAfter(x), days, 0, NULL)
             == NULL)
             return 0;
-    } else if (!ASN1_TIME_set_string(X509_getm_notAfter(x), enddate)) {
+    } else if (!ASN1_TIME_set_string_X509(X509_getm_notAfter(x), enddate)) {
         return 0;
     }
     return 1;
diff --git a/apps/ca.c b/apps/ca.c
index 289fd48..7e6e103 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -805,7 +805,7 @@ end_of_options:
             if (startdate == NULL)
                 ERR_clear_error();
         }
-        if (startdate && !ASN1_TIME_set_string(NULL, startdate)) {
+        if (startdate && !ASN1_TIME_set_string_X509(NULL, startdate)) {
             BIO_printf(bio_err,
                        "start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
             goto end;
@@ -818,7 +818,7 @@ end_of_options:
             if (enddate == NULL)
                 ERR_clear_error();
         }
-        if (enddate && !ASN1_TIME_set_string(NULL, enddate)) {
+        if (enddate && !ASN1_TIME_set_string_X509(NULL, enddate)) {
             BIO_printf(bio_err,
                        "end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
             goto end;
diff --git a/crypto/asn1/a_gentm.c b/crypto/asn1/a_gentm.c
index ff1b695..bd90d05 100644
--- a/crypto/asn1/a_gentm.c
+++ b/crypto/asn1/a_gentm.c
@@ -22,7 +22,7 @@ int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d)
     static const int min[9] = { 0, 0, 1, 1, 0, 0, 0, 0, 0 };
     static const int max[9] = { 99, 99, 12, 31, 23, 59, 59, 12, 59 };
     char *a;
-    int n, i, l, o;
+    int n, i, l, o, min_l = 13, strict = 0;
 
     if (d->type != V_ASN1_GENERALIZEDTIME)
         return (0);
@@ -34,10 +34,26 @@ int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d)
      * as YYYY. This stuff treats everything as a two digit field so make
      * first two fields 00 to 99
      */
-    if (l < 13)
+
+    /*
+     * ASN1_STRING_FLAG_X509_TIME is used to enforce RFC 5280
+     * time string format, in which:
+     *
+     * 1. "seconds" is a 'MUST'
+     * 2. "Zulu" timezone is a 'MUST'
+     * 3. "+|-" is not allowed to indicate a time zone
+     * 4. fractional seconds are not allowed in GeneralizedTime
+     */
+
+    if (d->flags & ASN1_STRING_FLAG_X509_TIME) {
+        min_l = 15;
+        strict = 1;
+    }
+
+    if (l < min_l)
         goto err;
     for (i = 0; i < 7; i++) {
-        if ((i == 6) && ((a[o] == 'Z') || (a[o] == '+') || (a[o] == '-'))) {
+        if (!strict && (i == 6) && ((a[o] == 'Z') || (a[o] == '+') || (a[o] == '-'))) {
             i++;
             if (tm)
                 tm->tm_sec = 0;
@@ -46,13 +62,15 @@ int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d)
         if ((a[o] < '0') || (a[o] > '9'))
             goto err;
         n = a[o] - '0';
-        if (++o > l)
+        /* incomplete 2-digital number */
+        if (++o == l)
             goto err;
 
         if ((a[o] < '0') || (a[o] > '9'))
             goto err;
         n = (n * 10) + a[o] - '0';
-        if (++o > l)
+        /* no more bytes to read, but we haven't seen time-zone yet */
+        if (++o == l)
             goto err;
 
         if ((n < min[i]) || (n > max[i]))
@@ -88,22 +106,39 @@ int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d)
      * digits.
      */
     if (a[o] == '.') {
-        if (++o > l)
+        if (strict)
+            /* RFC 5280 forbids fractional seconds */
+            goto err;
+        if (++o == l)
             goto err;
         i = o;
-        while ((a[o] >= '0') && (a[o] <= '9') && (o <= l))
+        while ((o < l) && (a[o] >= '0') && (a[o] <= '9'))
             o++;
         /* Must have at least one digit after decimal point */
         if (i == o)
             goto err;
+        /* no more bytes to read, but we haven't seen time-zone yet */
+        if (o == l)
+            goto err;
     }
 
-    if (a[o] == 'Z')
+    /*
+     * 'o' will never point to '\0' at this point, the only chance
+     * 'o' can point th '\0' is either the subsequent if or the first
+     * else if is true.
+     */
+    if (a[o] == 'Z') {
         o++;
-    else if ((a[o] == '+') || (a[o] == '-')) {
+    } else if (!strict && ((a[o] == '+') || (a[o] == '-'))) {
         int offsign = a[o] == '-' ? 1 : -1, offset = 0;
         o++;
-        if (o + 4 > l)
+        /*
+         * if not equal, no need to do subsequent checks
+         * since the following for-loop will add 'o' by 4
+         * and the final return statement will check if 'l'
+         * and 'o' are equal.
+         */
+        if (o + 4 != l)
             goto err;
         for (i = 7; i < 9; i++) {
             if ((a[o] < '0') || (a[o] > '9'))
@@ -146,6 +181,8 @@ int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, const char *str)
     t.type = V_ASN1_GENERALIZEDTIME;
     t.length = strlen(str);
     t.data = (unsigned char *)str;
+    t.flags = 0;
+
     if (ASN1_GENERALIZEDTIME_check(&t)) {
         if (s != NULL) {
             if (!ASN1_STRING_set((ASN1_STRING *)s, str, t.length))
diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c
index 27f9bc6..12b1ff5 100644
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@@ -107,7 +107,6 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(const ASN1_TIME *t,
     return NULL;
 }
 
-
 int ASN1_TIME_set_string(ASN1_TIME *s, const char *str)
 {
     ASN1_TIME t;
@@ -130,6 +129,65 @@ int ASN1_TIME_set_string(ASN1_TIME *s, const char *str)
     return 1;
 }
 
+int ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str)
+{
+    ASN1_TIME t;
+    struct tm tm;
+    int rv = 0;
+
+    t.length = strlen(str);
+    t.data = (unsigned char *)str;
+    t.flags = ASN1_STRING_FLAG_X509_TIME;
+
+    t.type = V_ASN1_UTCTIME;
+
+    if (!ASN1_TIME_check(&t)) {
+        t.type = V_ASN1_GENERALIZEDTIME;
+        if (!ASN1_TIME_check(&t))
+            goto out;
+    }
+
+    /*
+     * Per RFC 5280 (section 4.1.2.5.), the valid input time
+     * strings should be encoded with the following rules:
+     *
+     * 1. UTC: YYMMDDHHMMSSZ, if YY < 50 (20YY) --> UTC: YYMMDDHHMMSSZ
+     * 2. UTC: YYMMDDHHMMSSZ, if YY >= 50 (19YY) --> UTC: YYMMDDHHMMSSZ
+     * 3. G'd: YYYYMMDDHHMMSSZ, if YYYY >= 2050 --> G'd: YYYYMMDDHHMMSSZ
+     * 4. G'd: YYYYMMDDHHMMSSZ, if YYYY < 2050 --> UTC: YYMMDDHHMMSSZ
+     *
+     * Only strings of the 4th rule should be reformatted, but since a
+     * UTC can only present [1950, 2050), so if the given time string
+     * is less than 1950 (e.g. 19230419000000Z), we do nothing...
+     */
+
+    if (s != NULL && t.type == V_ASN1_GENERALIZEDTIME) {
+        if (!asn1_generalizedtime_to_tm(&tm, &t))
+            goto out;
+        if (tm.tm_year >= 50 && tm.tm_year < 150) {
+            t.length -= 2;
+            /*
+             * it's OK to let original t.data go since that's assigned
+             * to a piece of memory allocated outside of this function.
+             * new t.data would be freed after ASN1_STRING_copy is done.
+             */
+            t.data = OPENSSL_zalloc(t.length + 1);
+            if (t.data == NULL)
+                goto out;
+            memcpy(t.data, str + 2, t.length);
+            t.type = V_ASN1_UTCTIME;
+        }
+    }
+
+    if (s == NULL || ASN1_STRING_copy((ASN1_STRING *)s, (ASN1_STRING *)&t))
+        rv = 1;
+
+    if (t.data != (unsigned char *)str)
+        OPENSSL_free(t.data);
+out:
+    return rv;
+}
+
 int ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm)
 {
     if (s == NULL) {
diff --git a/crypto/asn1/a_utctm.c b/crypto/asn1/a_utctm.c
index 9797aa8..ee98e4b 100644
--- a/crypto/asn1/a_utctm.c
+++ b/crypto/asn1/a_utctm.c
@@ -18,7 +18,7 @@ int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d)
     static const int min[8] = { 0, 1, 1, 0, 0, 0, 0, 0 };
     static const int max[8] = { 99, 12, 31, 23, 59, 59, 12, 59 };
     char *a;
-    int n, i, l, o;
+    int n, i, l, o, min_l = 11, strict = 0;
 
     if (d->type != V_ASN1_UTCTIME)
         return (0);
@@ -26,10 +26,24 @@ int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d)
     a = (char *)d->data;
     o = 0;
 
-    if (l < 11)
+    /*
+     * ASN1_STRING_FLAG_X509_TIME is used to enforce RFC 5280
+     * time string format, in which:
+     *
+     * 1. "seconds" is a 'MUST'
+     * 2. "Zulu" timezone is a 'MUST'
+     * 3. "+|-" is not allowed to indicate a time zone
+     */
+
+    if (d->flags & ASN1_STRING_FLAG_X509_TIME) {
+        min_l = 13;
+        strict = 1;
+    }
+
+    if (l < min_l)
         goto err;
     for (i = 0; i < 6; i++) {
-        if ((i == 5) && ((a[o] == 'Z') || (a[o] == '+') || (a[o] == '-'))) {
+        if (!strict && (i == 5) && ((a[o] == 'Z') || (a[o] == '+') || (a[o] == '-'))) {
             i++;
             if (tm)
                 tm->tm_sec = 0;
@@ -38,13 +52,15 @@ int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d)
         if ((a[o] < '0') || (a[o] > '9'))
             goto err;
         n = a[o] - '0';
-        if (++o > l)
+        /* incomplete 2-digital number */
+        if (++o == l)
             goto err;
 
         if ((a[o] < '0') || (a[o] > '9'))
             goto err;
         n = (n * 10) + a[o] - '0';
-        if (++o > l)
+        /* no more bytes to read, but we haven't seen time-zone yet */
+        if (++o == l)
             goto err;
 
         if ((n < min[i]) || (n > max[i]))
@@ -72,12 +88,18 @@ int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d)
             }
         }
     }
-    if (a[o] == 'Z')
+
+    /*
+     * 'o' will never point to '\0' at this point, the only chance
+     * 'o' can point th '\0' is either the subsequent if or the first
+     * else if is true.
+     */
+    if (a[o] == 'Z') {
         o++;
-    else if ((a[o] == '+') || (a[o] == '-')) {
+    } else if (!strict && ((a[o] == '+') || (a[o] == '-'))) {
         int offsign = a[o] == '-' ? 1 : -1, offset = 0;
         o++;
-        if (o + 4 > l)
+        if (o + 4 != l)
             goto err;
         for (i = 6; i < 8; i++) {
             if ((a[o] < '0') || (a[o] > '9'))
@@ -99,6 +121,9 @@ int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d)
         }
         if (offset && !OPENSSL_gmtime_adj(tm, 0, offset * offsign))
             return 0;
+    } else {
+        /* not Z, or not +/- in non-strict mode */
+        return 0;
     }
     return o == l;
  err:
@@ -117,6 +142,8 @@ int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str)
     t.type = V_ASN1_UTCTIME;
     t.length = strlen(str);
     t.data = (unsigned char *)str;
+    t.flags = 0;
+
     if (ASN1_UTCTIME_check(&t)) {
         if (s != NULL) {
             if (!ASN1_STRING_set((ASN1_STRING *)s, str, t.length))
diff --git a/doc/man3/ASN1_TIME_set.pod b/doc/man3/ASN1_TIME_set.pod
index 95bc06d..5f041a5 100644
--- a/doc/man3/ASN1_TIME_set.pod
+++ b/doc/man3/ASN1_TIME_set.pod
@@ -2,7 +2,8 @@
 
 =head1 NAME
 
-ASN1_TIME_set, ASN1_TIME_adj, ASN1_TIME_check, ASN1_TIME_set_string,
+ASN1_TIME_set, ASN1_TIME_adj, ASN1_TIME_check,
+ASN1_TIME_set_string, ASN1_TIME_set_string_X509,
 ASN1_TIME_print, ASN1_TIME_to_tm, ASN1_TIME_diff - ASN.1 Time functions
 
 =head1 SYNOPSIS
@@ -11,6 +12,7 @@ ASN1_TIME_print, ASN1_TIME_to_tm, ASN1_TIME_diff - ASN.1 Time functions
  ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t,
                           int offset_day, long offset_sec);
  int ASN1_TIME_set_string(ASN1_TIME *s, const char *str);
+ int ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str);
  int ASN1_TIME_check(const ASN1_TIME *t);
  int ASN1_TIME_print(BIO *b, const ASN1_TIME *s);
  int ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm);
@@ -33,7 +35,15 @@ and returned.
 
 ASN1_TIME_set_string() sets ASN1_TIME structure B<s> to the time
 represented by string B<str> which must be in appropriate ASN.1 time
-format (for example YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ).
+format (for example YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ). If B<s> is NULL
+this function performs a format check on B<str> only.
+
+ASN1_TIME_set_string_X509() sets ASN1_TIME structure B<s> to the time
+represented by string B<str> which must be in appropriate time format
+that RFC 5280 requires, which means it only allows YYMMDDHHMMSSZ and
+YYYYMMDDHHMMSSZ (leap second is rejected), all other ASN.1 time format
+are not allowed. If B<s> is NULL this function performs a format check
+on B<str> only.
 
 ASN1_TIME_check() checks the syntax of ASN1_TIME structure B<s>.
 
@@ -122,8 +132,8 @@ Determine if one time is later or sooner than the current time:
 ASN1_TIME_set() and ASN1_TIME_adj() return a pointer to an ASN1_TIME structure
 or NULL if an error occurred.
 
-ASN1_TIME_set_string() returns 1 if the time value is successfully set and
-0 otherwise.
+ASN1_TIME_set_string() and ASN1_TIME_set_string_X509() return 1 if the time
+value is successfully set and 0 otherwise.
 
 ASN1_TIME_check() returns 1 if the structure is syntactically correct and 0
 otherwise.
@@ -140,6 +150,7 @@ pass ASN1_TIME structure has invalid syntax for example.
 =head1 HISTORY
 
 The ASN1_TIME_to_tm() function was added in OpenSSL 1.1.1.
+The ASN1_TIME_set_string_X509() function was added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 
diff --git a/include/openssl/asn1.h b/include/openssl/asn1.h
index ea24799..6040992 100644
--- a/include/openssl/asn1.h
+++ b/include/openssl/asn1.h
@@ -141,6 +141,8 @@ DEFINE_STACK_OF(X509_ALGOR)
 # define ASN1_STRING_FLAG_MSTRING 0x040
 /* String is embedded and only content should be freed */
 # define ASN1_STRING_FLAG_EMBED 0x080
+/* String should be parsed in RFC 5280's time format */
+# define ASN1_STRING_FLAG_X509_TIME 0x100
 /* This is the base type that holds just about everything :-) */
 struct asn1_string_st {
     int length;
@@ -628,6 +630,7 @@ int ASN1_TIME_check(const ASN1_TIME *t);
 ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(const ASN1_TIME *t,
                                                    ASN1_GENERALIZEDTIME **out);
 int ASN1_TIME_set_string(ASN1_TIME *s, const char *str);
+int ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str);
 int ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm);
 
 int i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a);
diff --git a/test/time_offset_test.c b/test/time_offset_test.c
index 7b4bec9..6660aee 100644
--- a/test/time_offset_test.c
+++ b/test/time_offset_test.c
@@ -74,6 +74,7 @@ static int test_offset(int idx)
     at.data = (unsigned char*)testdata->data;
     at.length = strlen(testdata->data);
     at.type = testdata->type;
+    at.flags = 0;
 
     if (!TEST_true(ASN1_TIME_diff(&day, &sec, &the_asn1_time, &at))) {
         TEST_info("ASN1_TIME_diff() failed for %s\n", at.data);
diff --git a/test/x509_time_test.c b/test/x509_time_test.c
index b73e655..6812805 100644
--- a/test/x509_time_test.c
+++ b/test/x509_time_test.c
@@ -25,6 +25,99 @@ typedef struct {
     int expected;
 } TESTDATA;
 
+typedef struct {
+    const char *data;
+    /* 0 for check-only mode, 1 for set-string mode */
+    int set_string;
+    /* 0 for error, 1 if succeed */
+    int expected;
+    /*
+     * The following 2 fields are ignored if set_string field is set to '0'
+     * (in check only mode).
+     *
+     * But they can still be ignored explicitly in set-string mode by:
+     * setting -1 to expected_type and setting NULL to expected_string.
+     *
+     * It's useful in a case of set-string mode but the expected result
+     * is a 'parsing error'.
+     */
+    int expected_type;
+    const char *expected_string;
+} TESTDATA_FORMAT;
+
+/*
+ * Actually, the "loose" mode has been tested in
+ * those time-compare-cases, so we may not test it again.
+ */
+static TESTDATA_FORMAT x509_format_tests[] = {
+    /* GeneralizedTime */
+    {
+        /* good format, check only */
+        "20170217180105Z", 0, 1, -1, NULL,
+    },
+    {
+        /* SS is missing, check only */
+        "201702171801Z", 0, 0, -1, NULL,
+    },
+    {
+        /* fractional seconds, check only */
+        "20170217180105.001Z", 0, 0, -1, NULL,
+    },
+    {
+        /* time zone, check only */
+        "20170217180105+0800", 0, 0, -1, NULL,
+    },
+    {
+        /* SS is missing, set string */
+        "201702171801Z", 1, 0, -1, NULL,
+    },
+    {
+        /* fractional seconds, set string */
+        "20170217180105.001Z", 1, 0, -1, NULL,
+    },
+    {
+        /* time zone, set string */
+        "20170217180105+0800", 1, 0, -1, NULL,
+    },
+    {
+        /* good format, check returned 'turned' string */
+        "20170217180154Z", 1, 1, V_ASN1_UTCTIME, "170217180154Z",
+    },
+    {
+        /* good format, check returned string */
+        "20510217180154Z", 1, 1, V_ASN1_GENERALIZEDTIME, "20510217180154Z",
+    },
+    {
+        /* good format but out of UTC range, check returned string */
+        "19230419180154Z", 1, 1, V_ASN1_GENERALIZEDTIME, "19230419180154Z",
+    },
+    /* UTC */
+    {
+        /* SS is missing, check only */
+        "1702171801Z", 0, 0, -1, NULL,
+    },
+    {
+        /* time zone, check only */
+        "170217180154+0800", 0, 0, -1, NULL,
+    },
+    {
+        /* SS is missing, set string */
+        "1702171801Z", 1, 0, -1, NULL,
+    },
+    {
+        /* time zone, set string */
+        "170217180154+0800", 1, 0, -1, NULL,
+    },
+    {
+        /* 2017, good format, check returned string */
+        "170217180154Z", 1, 1, V_ASN1_UTCTIME, "170217180154Z",
+    },
+    {
+        /* 1998, good format, check returned string */
+        "981223180154Z", 1, 1, V_ASN1_UTCTIME, "981223180154Z",
+    },
+};
+
 static TESTDATA x509_cmp_tests[] = {
     {
         "20170217180154Z", V_ASN1_GENERALIZEDTIME,
@@ -153,6 +246,7 @@ static int test_x509_cmp_time(int idx)
     t.type = x509_cmp_tests[idx].type;
     t.data = (unsigned char*)(x509_cmp_tests[idx].data);
     t.length = strlen(x509_cmp_tests[idx].data);
+    t.flags = 0;
 
     result = X509_cmp_time(&t, &x509_cmp_tests[idx].cmp_time);
     if (!TEST_int_eq(result, x509_cmp_tests[idx].expected)) {
@@ -187,8 +281,57 @@ static int test_x509_cmp_time_current()
     return failed == 0;
 }
 
+static int test_x509_time(int idx)
+{
+    ASN1_TIME *t = NULL;
+    int result, rv = 0;
+
+    if (x509_format_tests[idx].set_string) {
+        /* set-string mode */
+        t = ASN1_TIME_new();
+        if (t == NULL) {
+            TEST_info("test_x509_time(%d) failed: internal error\n", idx);
+            return 0;
+        }
+    }
+
+    result = ASN1_TIME_set_string_X509(t, x509_format_tests[idx].data);
+    /* time string parsing result is always checked against what's expected */
+    if (!TEST_int_eq(result, x509_format_tests[idx].expected)) {
+        TEST_info("test_x509_time(%d) failed: expected %d, got %d\n",
+                idx, x509_format_tests[idx].expected, result);
+        goto out;
+    }
+
+    /* if t is not NULL but expected_type is ignored(-1), it is an 'OK' case */
+    if (t != NULL && x509_format_tests[idx].expected_type != -1) {
+        if (!TEST_int_eq(t->type, x509_format_tests[idx].expected_type)) {
+            TEST_info("test_x509_time(%d) failed: expected_type %d, got %d\n",
+                    idx, x509_format_tests[idx].expected_type, t->type);
+            goto out;
+        }
+    }
+
+    /* if t is not NULL but expected_string is NULL, it is an 'OK' case too */
+    if (t != NULL && x509_format_tests[idx].expected_string) {
+        if (!TEST_str_eq((const char *)t->data,
+                    x509_format_tests[idx].expected_string)) {
+            TEST_info("test_x509_time(%d) failed: expected_string %s, got %s\n",
+                    idx, x509_format_tests[idx].expected_string, t->data);
+            goto out;
+        }
+    }
+
+    rv = 1;
+out:
+    if (t != NULL)
+        ASN1_TIME_free(t);
+    return rv;
+}
+
 void register_tests()
 {
     ADD_TEST(test_x509_cmp_time_current);
     ADD_ALL_TESTS(test_x509_cmp_time, OSSL_NELEM(x509_cmp_tests));
+    ADD_ALL_TESTS(test_x509_time, OSSL_NELEM(x509_format_tests));
 }
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 37cb2c2..13bd950 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4298,3 +4298,4 @@ UI_dup_user_data                        4240	1_1_1	EXIST::FUNCTION:UI
 UI_method_get_data_destructor           4241	1_1_1	EXIST::FUNCTION:UI
 ERR_load_strings_const                  4242	1_1_1	EXIST::FUNCTION:
 ASN1_TIME_to_tm                         4243	1_1_1	EXIST::FUNCTION:
+ASN1_TIME_set_string_X509               4244 	1_1_1	EXIST::FUNCTION:


More information about the openssl-commits mailing list