X509: Enable printing cert even with invalid validity times, saying 'Bad time value'

Add internal asn1_time_print_ex() that can return success on invalid time. This is a workaround for inconsistent error behavior of ASN1_TIME_print(), used in X509_print_ex(). Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13714)
2025-01-30 14:01:55 +08:00 · 2021-01-18 17:18:03 +01:00 · 2021-01-18 17:18:03 +01:00 · 63162e3d55
commit 63162e3d55
parent b09aa550d3
3 changed files with 14 additions and 8 deletions
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@ -16,6 +16,7 @@

 #include <stdio.h>
 #include <time.h>
+#include "crypto/asn1.h"
 #include "crypto/ctype.h"
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>
@ -467,19 +468,23 @@ static const char _asn1_mon[12][4] = {
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
 };

+/* returns 1 on success, 0 on BIO write error or parse failure */
 int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
+{
+    return asn1_time_print_ex(bp, tm) > 0;
+}
+
+/* returns 0 on BIO write error, else -1 in case of parse failure, else 1 */
+int asn1_time_print_ex(BIO *bp, const ASN1_TIME *tm)
 {
    char *v;
    int gmt = 0, l;
    struct tm stm;
    const char upper_z = 0x5A, period = 0x2E;

-    if (!asn1_time_to_tm(&stm, tm)) {
-        /* asn1_time_to_tm will check the time type */
-        (void)BIO_write(bp, "Bad time value", 14);
-        return 0;
-        /* It would have been more consistent to return BIO_write(...) */
-    }
+    /* asn1_time_to_tm will check the time type */
+    if (!asn1_time_to_tm(&stm, tm))
+        return BIO_write(bp, "Bad time value", 14) ? -1 : 0;

    l = tm->length;
    v = (char *)tm->data;
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@ -140,11 +140,11 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
            goto err;
        if (BIO_write(bp, "            Not Before: ", 24) <= 0)
            goto err;
-        if (!ASN1_TIME_print(bp, X509_get0_notBefore(x)))
+        if (asn1_time_print_ex(bp, X509_get0_notBefore(x)) == 0)
            goto err;
        if (BIO_write(bp, "\n            Not After : ", 25) <= 0)
            goto err;
-        if (!ASN1_TIME_print(bp, X509_get0_notAfter(x)))
+        if (asn1_time_print_ex(bp, X509_get0_notAfter(x)) == 0)
            goto err;
        if (BIO_write(bp, "\n", 1) <= 0)
            goto err;
--- a/include/crypto/asn1.h
+++ b/include/crypto/asn1.h
@ -138,3 +138,4 @@ int x509_algor_new_from_md(X509_ALGOR **palg, const EVP_MD *md);
 const EVP_MD *x509_algor_get_md(X509_ALGOR *alg);
 X509_ALGOR *x509_algor_mgf1_decode(X509_ALGOR *alg);
 int x509_algor_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md);
+int asn1_time_print_ex(BIO *bp, const ASN1_TIME *tm);