validate certificate dates

Author: phoddie

modules/crypt/digest/modCrypt.c

@@ -1129,7 +1129,10 @@ void resolveBuffer(xsMachine *the, xsSlot *slot, uint8_t **data, uint32_t *count
 			byteOffset = xsmcToInteger(tmp);
 
 			xsmcGet(tmp, *slot, xsID_buffer);
-			*data = byteOffset + (uint8_t *)xsmcToArrayBuffer(tmp);
+			if (xsmcIsInstanceOf(tmp, xsArrayBufferPrototype))
+				*data = byteOffset + (uint8_t *)xsmcToArrayBuffer(tmp);
+			else
+				*data = byteOffset + (uint8_t *)xsmcGetHostData(tmp);
 		}
 	}
 	else {	// host buffer

modules/crypt/etc/x509.js

@@ -54,7 +54,7 @@ let X509 = {
 		let tbs = {};
 		let ber = new BER(buf);
 		if (ber.getTag() != 0x30)
-			throw new Error("x509: malfromed TBS");
+			throw new Error("x509: malformed TBS");
 		ber.getLength();
 		if (ber.peek() & 0x80) {
 			ber.skip(1);
@@ -63,12 +63,21 @@ let X509 = {
 		tbs.serialNumber = ber.next();
 		tbs.signature = ber.next();
 		tbs.issuer = ber.next();
-		tbs.validity = ber.next();
+
+		let validity = new BER(ber.next());
+		if (validity.getTag() != 0x30)
+			throw new Error("x509: malformed TBS");
+		validity.getLength();
+		let from = validity.next();
+		let to = validity.next();
+		from = parseDate(String.fromArrayBuffer(from.buffer.slice(from.byteOffset + 2, from.byteOffset + 2 + from.length - 2)));
+		to = parseDate(String.fromArrayBuffer(to.buffer.slice(to.byteOffset + 2, to.byteOffset + 2 + to.length - 2)));
+		tbs.validity = {from, to};
 		tbs.subject = ber.next();
 		tbs.subjectPublicKeyInfo = ber.next();
 		return tbs;
 	},
-	getSPK(buf) {
+	getSPK(buf) {		// Subject Public Key Info
 		let spki = this._decodeSPKI(buf);
 		if (!spki)
 			throw new Error("x509: no SPKI");
@@ -144,7 +153,27 @@ let X509 = {
 	_decodeSPKI(buf) @ "xs_x509_decodeSPKI",
 	decodeExtension(buf, extid) @ "xs_x509_decodeExtension",
 };
-
 Object.freeze(X509);
 
+function parseDate(date) {
+	if (!date.endsWith("Z"))
+		throw new Error("unexpected timezone");
+
+	let parts = [];
+	if (13 === date.length) {
+		for (let i = 0; (i + 1) < date.length; i += 2)
+			parts.push(parseInt(date.substring(i, i + 2)));
+		parts[0] += (parts[0] < 50) ? 2000 : 1900;
+	}
+	else if (15 === date.length) {
+		parse.push(parseInt(date.substring(0, 4)));
+		for (let i = 4; (i + 1) < date.length; i += 2)
+			parts.push(parseInt(date.substring(i, i + 2)));
+	}
+	else
+		throw new Error("unexpected date");
+	parts[1] -= 1;
+	return Date.UTC.apply(null, parts);
+}
+
 export default X509;

modules/crypt/ssl/ssl_cert.js

@@ -94,14 +94,28 @@ class CertificateManager {
 		var i = this.getIndex(fname, target);
 		if (i < 0)
 			return;	// undefined
-		return X509.decodeSPKI(getResource("ca" + i + ".der"));
+		let data = getResource("ca" + i + ".der");
+		let validity = X509.decodeTBS(X509.decode(new Uint8Array(data)).tbs).validity;
+		let now = Date.now();
+		if (!((validity.from < now) && (now < validity.to))) {
+			trace("date validation failed on certificate resource\n");
+			return;
+		}
+		return X509.decodeSPKI(data);
 	};
 	verify(certs) {
-		let length = certs.length - 1;
+		let length = certs.length - 1, x509, validity, now = Date.now();
 
 		// this approach calls decodeSPKI once more than necessary in favor of minimizing memory use
 		for (let i = 0; i < length; i++) {
-			if (!this._verify(X509.decodeSPKI(certs[i + 1]), X509.decode(certs[i])))
+			x509 = X509.decode(certs[i]);
+			validity = X509.decodeTBS(x509.tbs).validity;
+			if (!((validity.from < now) && (now < validity.to))) {
+				trace("date validation failed on received certificate\n");
+				return false;
+			}
+
+			if (!this._verify(X509.decodeSPKI(certs[i + 1]), x509))
 				return false;
 
 			let aki = X509.decodeAKI(certs[i + 1]);
@@ -120,7 +134,11 @@ class CertificateManager {
 				// else fall thru
 		}
 
-		let x509 = X509.decode(certs[length]);
+		x509 = X509.decode(certs[length]);
+		validity = X509.decodeTBS(x509.tbs).validity;
+		if (!((validity.from < now) && (now < validity.to)))
+			throw new Error("date validation failed");
+
 		let spki = this.findCert("ca.ski", X509.decodeAKI(certs[length]));
 		if (spki && this._verify(spki, x509))
 			return true;
@@ -186,6 +204,10 @@ class CertificateManager {
 		return (new pk(spki, false, [] /* any oid */)).verify(H, sig);
 	};
 	register(cert) {
+		let validity = X509.decodeTBS(X509.decode(new Uint8Array(cert)).tbs).validity, now = Date.now();
+		if (!((validity.from < now) && (now < validity.to)))
+			throw new Error("date validation failed");
+
 		this.registeredCerts.push(cert);
 	};
 	getDH() {

modules/crypt/ssl/ssl_session.js

@@ -293,6 +293,9 @@ class SSLSession {
 			trace("ALERT! (" + this.alert.level + ", " + htis.alert.description + "\n");
 			return;
 		}
+		if (undefined === this.traceLevel)
+			return;
+
 		let algo = "";
 		switch (this.chosenCipher.keyExchangeAlgorithm) {
 		case RSA:	algo = "RSA"; break;
@@ -321,7 +324,6 @@ class SSLSession {
 		case SHA384:	hash = "SHA384"; break;
 		}
 		trace("FINISHED: " + algo + "-" + enc + "-" + mode + "-" + hash + "\n");
-//		debugger;
 	}
 };