/src/boringssl/pki/revocation_util.cc

Source
// Copyright 2019 The Chromium Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include "revocation_util.h"

#include "encode_values.h"
#include "parse_values.h"

BSSL_NAMESPACE_BEGIN

namespace {

constexpr int64_t kMinValidTime = -62167219200;  // 0000-01-01 00:00:00 UTC
constexpr int64_t kMaxValidTime = 253402300799;  // 9999-12-31 23:59:59 UTC

}  // namespace

bool CheckRevocationDateValid(const der::GeneralizedTime &this_update,
                              const der::GeneralizedTime *next_update,
                              int64_t verify_time_epoch_seconds,
                              std::optional<int64_t> max_age_seconds) {
  if (verify_time_epoch_seconds > kMaxValidTime ||
      verify_time_epoch_seconds < kMinValidTime ||
      (max_age_seconds.has_value() &&
       (max_age_seconds.value() > kMaxValidTime ||
        max_age_seconds.value() < 0))) {
    return false;
  }
  der::GeneralizedTime verify_time;
  if (!der::EncodePosixTimeAsGeneralizedTime(verify_time_epoch_seconds,
                                             &verify_time)) {
    return false;
  }

  if (this_update > verify_time) {
    return false;  // Response is not yet valid.
  }

  if (next_update && (*next_update <= verify_time)) {
    return false;  // Response is no longer valid.
  }

  if (max_age_seconds.has_value()) {
    der::GeneralizedTime earliest_this_update;
    if (!der::EncodePosixTimeAsGeneralizedTime(
            verify_time_epoch_seconds - max_age_seconds.value(),
            &earliest_this_update)) {
      return false;
    }
    if (this_update < earliest_this_update) {
      return false;  // Response is too old.
    }
  }

  return true;
}

BSSL_NAMESPACE_END

Coverage Report

Created: 2026-03-19 06:22

Line	Count	Source
1		// Copyright 2019 The Chromium Authors
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// https://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14
15		#include "revocation_util.h"
16
17		#include "encode_values.h"
18		#include "parse_values.h"
19
20		BSSL_NAMESPACE_BEGIN
21
22		namespace {
23
24		constexpr int64_t kMinValidTime = -62167219200; // 0000-01-01 00:00:00 UTC
25		constexpr int64_t kMaxValidTime = 253402300799; // 9999-12-31 23:59:59 UTC
26
27		} // namespace
28
29		bool CheckRevocationDateValid(const der::GeneralizedTime &this_update,
30		const der::GeneralizedTime *next_update,
31		int64_t verify_time_epoch_seconds,
32	0	std::optional<int64_t> max_age_seconds) {
33	0	if (verify_time_epoch_seconds > kMaxValidTime \|\|
34	0	verify_time_epoch_seconds < kMinValidTime \|\|
35	0	(max_age_seconds.has_value() &&
36	0	(max_age_seconds.value() > kMaxValidTime \|\|
37	0	max_age_seconds.value() < 0))) {
38	0	return false;
39	0	}
40	0	der::GeneralizedTime verify_time;
41	0	if (!der::EncodePosixTimeAsGeneralizedTime(verify_time_epoch_seconds,
42	0	&verify_time)) {
43	0	return false;
44	0	}
45
46	0	if (this_update > verify_time) {
47	0	return false; // Response is not yet valid.
48	0	}
49
50	0	if (next_update && (*next_update <= verify_time)) {
51	0	return false; // Response is no longer valid.
52	0	}
53
54	0	if (max_age_seconds.has_value()) {
55	0	der::GeneralizedTime earliest_this_update;
56	0	if (!der::EncodePosixTimeAsGeneralizedTime(
57	0	verify_time_epoch_seconds - max_age_seconds.value(),
58	0	&earliest_this_update)) {
59	0	return false;
60	0	}
61	0	if (this_update < earliest_this_update) {
62	0	return false; // Response is too old.
63	0	}
64	0	}
65
66	0	return true;
67	0	}
68
69		BSSL_NAMESPACE_END