// Copyright 2019 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "revocation_util.h"

#include "encode_values.h"
#include "parse_values.h"

namespace bssl {

namespace {

// Inclusive bounds, in POSIX seconds, on the verification time accepted
// below. kMaxValidTime also serves as the upper bound on |max_age_seconds|.
constexpr int64_t kMinValidTime = -62167219200;  // 0000-01-01 00:00:00 UTC
constexpr int64_t kMaxValidTime = 253402300799;  // 9999-12-31 23:59:59 UTC

}  // namespace

// Decides whether revocation data stamped with |this_update| (and optionally
// |next_update|) is usable at |verify_time_epoch_seconds|.
//
// Returns true only when every one of the following holds:
//   * |verify_time_epoch_seconds| lies in [kMinValidTime, kMaxValidTime] and
//     can be encoded as a GeneralizedTime;
//   * |max_age_seconds|, if set, lies in [0, kMaxValidTime];
//   * |this_update| is not later than the verification time;
//   * |next_update|, if non-null, is strictly later than the verification
//     time;
//   * |max_age_seconds|, if set, is not exceeded by the age of |this_update|.
//
// Every other outcome, including an encoding failure, returns false, so the
// check fails closed.
//
// NOTE(review): when |next_update| is null and |max_age_seconds| is unset, no
// upper bound on age is applied here; any |this_update| at or before the
// verification time is accepted. Callers that need a freshness guarantee must
// supply |max_age_seconds|. Only timestamps are compared in this function;
// nothing else about the revocation data is examined.
bool CheckRevocationDateValid(const der::GeneralizedTime &this_update,
                              const der::GeneralizedTime *next_update,
                              int64_t verify_time_epoch_seconds,
                              std::optional<int64_t> max_age_seconds) {
  // Range-check the caller-supplied integers before doing any arithmetic or
  // encoding with them.
  const bool verify_time_out_of_range =
      verify_time_epoch_seconds < kMinValidTime ||
      verify_time_epoch_seconds > kMaxValidTime;
  if (verify_time_out_of_range) {
    return false;
  }
  if (max_age_seconds.has_value()) {
    const int64_t requested_max_age = *max_age_seconds;
    if (requested_max_age < 0 || requested_max_age > kMaxValidTime) {
      return false;
    }
  }

  der::GeneralizedTime now;
  const bool now_encoded =
      der::EncodePosixTimeAsGeneralizedTime(verify_time_epoch_seconds, &now);
  if (!now_encoded) {
    return false;
  }

  // thisUpdate in the future: not yet valid. Equality is accepted.
  if (this_update > now) {
    return false;
  }

  // nextUpdate at or before the verification time: no longer valid. A null
  // |next_update| skips this bound entirely.
  if (next_update != nullptr && *next_update <= now) {
    return false;
  }

  if (!max_age_seconds.has_value()) {
    return true;
  }

  // Both operands were range-checked above (the time within
  // [kMinValidTime, kMaxValidTime], the age within [0, kMaxValidTime]), so
  // this subtraction cannot overflow int64_t. A cutoff the encoder refuses
  // is treated as a failed check.
  const int64_t cutoff_epoch_seconds =
      verify_time_epoch_seconds - *max_age_seconds;
  der::GeneralizedTime oldest_acceptable;
  if (!der::EncodePosixTimeAsGeneralizedTime(cutoff_epoch_seconds,
                                             &oldest_acceptable)) {
    return false;
  }

  // thisUpdate older than the cutoff: too old. Equality is accepted.
  if (this_update < oldest_acceptable) {
    return false;
  }
  return true;
}

}  // namespace bssl