[openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

Woodhouse, David via RT rt at openssl.org
Wed Jul 22 13:09:48 UTC 2015


There are various circumstances in which it makes no sense to be
checking the start and end times of a certificate's validity.

When validating OS kernel drivers, or indeed when validating the OS
kernel itself when the firmware loads it, we *really* don't want to
have a built-in obsolescence date after which the system will no longer
function. That would be a bad thing even if we *could* reliably trust
the system's real time clock at this stage in the boot sequence.

This patch gives us a way to disable the time checks entirely, by using
X509_VERIFY_PARAM_set_time() with a time of -1.

There is a slight risk here — if anyone was genuinely using the value
of -1 to check if a certificate chain was indeed valid in the last
second of 1969. I judge that risk to be negligible. And it certainly
shouldn't be externally triggerable — if an attacker could influence
the value passed to X509_VERIFY_PARAM_set_time() then all bets were off
w.r.t. time-based checks anyway.

If there are serious concerns, however, I can provide an alternative
patch which adds an X509_V_FLAG_NO_CHECK_TIME flag for this purpose
instead.

I'm happy with anything except the existing version in the UEFI source
tree that everyone is shipping, which just disables the time check if
OPENSSL_SYS_UEFI is set¹. That one I *don't* like.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation

¹ http://git.infradead.org/users/dwmw2/openssl.git/commitdiff/2fb12afc2ceb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Allow-certificate-time-checks-to-be-disabled.patch
Type: text/x-patch
Size: 2332 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150722/3801d3ff/attachment.bin>
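
Added example, not part of the original message or the attached patch: a simplified C model contrasting the two designs discussed above, the -1 sentinel and a dedicated flag, on a constructed certificate chain. All type, macro and function names are hypothetical and are not OpenSSL's.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not OpenSSL source; every name here is hypothetical. */
enum verdict { V_OK, V_NOT_YET_VALID, V_EXPIRED };
struct cert { int64_t not_before, not_after; };    /* seconds since epoch */

#define FLAG_NO_CHECK_TIME 0x1u       /* models the flag alternative */
#define TIME_DISABLED ((int64_t)-1)   /* models set_time(-1) as a sentinel */

struct params {
    int has_time;         /* 1 if the caller supplied check_time */
    int64_t check_time;
    unsigned flags;
    int sentinel_design;  /* 1: treat check_time == -1 as "skip checks" */
};

/* Constructed chain: signer 2012-01-01..2015-01-01, root 2010-01-01..2030-01-01. */
static const struct cert chain[] = {
    { 1325376000, 1420070400 },
    { 1262304000, 1893456000 },
};

/* Apply the validity window to each cert unless the policy disables it. */
static enum verdict check_chain(const struct params *p, int64_t clock_now)
{
    if (p->flags & FLAG_NO_CHECK_TIME)
        return V_OK;
    if (p->sentinel_design && p->has_time && p->check_time == TIME_DISABLED)
        return V_OK;
    int64_t t = p->has_time ? p->check_time : clock_now;
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        if (t < chain[i].not_before) return V_NOT_YET_VALID;
        if (t > chain[i].not_after)  return V_EXPIRED;
    }
    return V_OK;
}

int main(void)
{
    struct params dflt = {0}, flag = { 0, 0, FLAG_NO_CHECK_TIME, 0 };
    struct params sent = { 1, -1, 0, 1 }, literal = { 1, -1, 0, 0 };
    printf("clock mid-2015, default: %d\n", check_chain(&dflt, 1437570000));
    printf("clock reset to 0, default: %d\n", check_chain(&dflt, 0));
    printf("flag set, clock 0: %d\n", check_chain(&flag, 0));
    printf("time -1, sentinel design: %d\n", check_chain(&sent, 0));
    printf("time -1, flag design: %d\n", check_chain(&literal, 0));
    return 0;
}
```

The last two calls show the only behavioural difference between the designs: with the sentinel, a query for the last second of 1969 is indistinguishable from a request to skip the check.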