Skip to content

Add support for parsing ASN.1 GeneralizedTime in X509 Certificates #267

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 8 commits into
base: dev
Choose a base branch
from
Open

Add support for parsing ASN.1 GeneralizedTime in X509 Certificates #267

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
8eb9cfe
add support for parsing ASN.1 GeneralizedTime
sjscymru Apr 4, 2024
14105e1
fix validity format field error
sjscymru Apr 4, 2024
ce74786
changed CertMsg notBefore format to be in GeneralizedTime format
sjscymru Apr 4, 2024
e348ac3
changed notBefore time to be in GeneralizedTime format
sjscymru Apr 4, 2024
5715589
changed notAfter time to be in GeneralizedTime format
sjscymru Apr 4, 2024
b9d41bc
expand tests for invalid date format
sjscymru Apr 4, 2024
cc67d01
update function comments
sjscymru Apr 4, 2024
3c349b7
update function comments
sjscymru Apr 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion nx_secure/inc/nx_secure_x509.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -709,7 +709,8 @@ typedef struct NX_SECURE_X509_CERT_STRUCT

/* Validity time format - either ASN.1 generalized time or ASN.1 UTC time.
Uses the ASN.1 tag value. */
USHORT nx_secure_x509_validity_format;
USHORT nx_secure_x509_not_before_validity_format;
USHORT nx_secure_x509_not_after_validity_format;

/* Validity period. Stored as ASN.1 generalized time or UTC time. */
const UCHAR *nx_secure_x509_not_before;
Expand Down
3 changes: 2 additions & 1 deletion nx_secure/src/nx_secure_x509.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1128,7 +1128,7 @@ const UCHAR *current_buffer;
return(NX_SECURE_X509_UNEXPECTED_ASN1_TAG);
}

cert -> nx_secure_x509_validity_format = tlv_type;
cert -> nx_secure_x509_not_before_validity_format = tlv_type;
cert -> nx_secure_x509_not_before = tlv_data;
cert -> nx_secure_x509_not_before_length = (USHORT)tlv_length;

Expand All @@ -1149,6 +1149,7 @@ const UCHAR *current_buffer;
return(NX_SECURE_X509_UNEXPECTED_ASN1_TAG);
}

cert -> nx_secure_x509_not_after_validity_format = tlv_type;
cert -> nx_secure_x509_not_after = tlv_data;
cert -> nx_secure_x509_not_after_length = (USHORT)tlv_length;

Expand Down
180 changes: 160 additions & 20 deletions nx_secure/src/nx_secure_x509_expiration_check.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,8 @@
static UINT _nx_secure_x509_asn1_time_to_unix_convert(const UCHAR *asn1_time, USHORT asn1_length,
USHORT format, ULONG *unix_time);

static ULONG _nx_secure_count_leap_years(ULONG start_year, ULONG end_year);

/**************************************************************************/
/* */
/* FUNCTION RELEASE */
Expand Down Expand Up @@ -72,6 +74,10 @@ static UINT _nx_secure_x509_asn1_time_to_unix_convert(const UCHAR *asn1_time, US
/* 04-02-2021 Timothy Stapko Modified comment(s), */
/* removed dependency on TLS, */
/* resulting in version 6.1.6 */
/* 04-04-2024 Simon Scurrell Modified comment(s), */
/* changed name of validity */
/* format fields, */
/* resulting in version 6.1.7 */
/* */
/**************************************************************************/
UINT _nx_secure_x509_expiration_check(NX_SECURE_X509_CERT *certificate, ULONG current_time)
Expand All @@ -82,15 +88,15 @@ UINT status;

/* First, convert the X.509 ASN.1 time format into 32-bit UINX-epoch format of the "not before" field. */
status = _nx_secure_x509_asn1_time_to_unix_convert(certificate -> nx_secure_x509_not_before, certificate -> nx_secure_x509_not_before_length,
certificate -> nx_secure_x509_validity_format, &not_before);
certificate -> nx_secure_x509_not_before_validity_format, &not_before);
if (status != NX_SECURE_X509_SUCCESS)
{
return(status);
}

/* Convert the "not after" time field. */
status = _nx_secure_x509_asn1_time_to_unix_convert(certificate -> nx_secure_x509_not_after, certificate -> nx_secure_x509_not_after_length,
certificate -> nx_secure_x509_validity_format, &not_after);
certificate -> nx_secure_x509_not_after_validity_format, &not_after);
if (status != NX_SECURE_X509_SUCCESS)
{
return(status);
Expand Down Expand Up @@ -118,18 +124,27 @@ UINT status;
/* Helper function to convert the ASN.1 time formats into UNIX epoch time for comparison. */

#define date_2_chars_to_int(buffer, index) (ULONG)(((buffer[index] - '0') * 10) + (buffer[index + 1] - '0'))
#define date_3_chars_to_int(buffer, index) (ULONG)(((buffer[index] - '0') * 100) + ((buffer[index + 1] - '0') * 10) + (buffer[index + 2] - '0'))
#define date_4_chars_to_int(buffer, index) (ULONG)(((buffer[index] - '0') * 1000) + ((buffer[index + 1] - '0') * 100) + ((buffer[index + 2] - '0') * 10) + (buffer[index + 3] - '0'))

/* Helper function to determine if a given year is a leap year */

#define is_leap_year(year) ((((year) % 4 == 0) && ((year) % 100 != 0)) || ((year) % 400 == 0))

/* Array indexed on month - 1 gives the total number of days in all previous months (through last day of previous
month). Leap years are handled in the logic below and are not reflected in this array. */
/* J F M A M J J A S O N D */
static const UINT days_before_month[12] = {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};

/* Define epoch year for UNIX time */
static const ULONG unix_epoch = 1970;

/**************************************************************************/
/* */
/* FUNCTION RELEASE */
/* */
/* _nx_secure_x509_asn1_time_to_unix_convert PORTABLE C */
/* 6.1.11 */
/* 6.1.12 */
/* AUTHOR */
/* */
/* Timothy Stapko, Microsoft Corporation */
Expand All @@ -152,7 +167,7 @@ static const UINT days_before_month[12] = {0, 31, 59, 90, 120, 151, 181, 212, 24
/* */
/* CALLS */
/* */
/* None */
/* _nx_secure_count_leap_years */
/* */
/* CALLED BY */
/* */
Expand All @@ -170,12 +185,16 @@ static const UINT days_before_month[12] = {0, 31, 59, 90, 120, 151, 181, 212, 24
/* extend the time range, */
/* removed unused code, */
/* resulting in version 6.1.11 */
/* 04-04-2024 Simon Scurrell Modified comment(s), and */
/* Added support for parsing */
/* of ASN.1 GeneralisedTime */
/* resulting in version 6.1.12 */
/* */
/**************************************************************************/
static UINT _nx_secure_x509_asn1_time_to_unix_convert(const UCHAR *asn1_time, USHORT asn1_length,
USHORT format, ULONG *unix_time)
{
ULONG year, month, day, hour, minute, second;
ULONG year, month, day, hour, minute, second, fractional;
UINT index;

NX_CRYPTO_PARAMETER_NOT_USED(asn1_length);
Expand All @@ -191,6 +210,7 @@ UINT index;
hour = date_2_chars_to_int(asn1_time, 6);
minute = date_2_chars_to_int(asn1_time, 8);
second = 0;
fractional = 0;

/* Check the next field, can be 'Z' for Zulu time (GMT) or [+/-] for local time offset. */
index = 10;
Expand Down Expand Up @@ -230,31 +250,28 @@ UINT index;

/* printf("year: %lu, month: %lu, day: %lu, hour: %lu, minute: %lu, second: %lu\n", year, month, day, hour, minute, second);*/

/* Now we have our time in integers, calculate leap years. We aren't concerned with years outside the UNIX
time range of 1970-2038 so we can assume every 4 years starting with 1972 is a leap year (years divisible
by 100 are NOT leap years unless also divisible by 400, which the year 2000 is). Using integer division gives
us the floor of the number of 4 year periods, so add 1. */
/* Now we have our time in integers, calculate leap years that have occurred. */
if (year >= 70)
{
/* Year is before 2000. Subtract 72 to get duration from first leap year in epoch. */
year -= 70;
day += ((year + 2) / 4);
{
/* Year is before 2000. Add 1900 to get actual year. */
year += 1900;
}
else
{
/* Year is 2000 or greater. Add 28 (2000-1972) to get duration from first leap year in epoch. */
year += 30;
day += ((year - 2) / 4) + 1;
/* Year is 2000 or greater. Add 2000 to get actual year. */
year += 2000;
}

day += _nx_secure_count_leap_years(unix_epoch, year);

/* If it is leap year and month is before March, subtract 1 day. */
if (((year + 2) % 4 == 0) && (month < 3))
if ((is_leap_year(year)) && (month < 3))
{
day -= 1;
}

/* Finally, calculate the number of seconds from the extracted values. */
day += year * 365;
day += (year - unix_epoch) * 365;
day += days_before_month[month - 1];
hour += day * 24;
minute += hour * 60;
Expand All @@ -269,8 +286,77 @@ UINT index;
Local time only. ``YYYYMMDDHH[MM[SS[.fff]]]'', where the optional fff is three decimal places (fractions of seconds).
Universal time (UTC time) only. ``YYYYMMDDHH[MM[SS[.fff]]]Z''. MM, SS, .fff are optional.
Difference between local and UTC times. ``YYYYMMDDHH[MM[SS[.fff]]]+-HHMM''. +/-HHMM is local time offset. */
/* TODO: Implement conversion to 32-bit UNIX time. */
return(NX_SECURE_X509_INVALID_DATE_FORMAT);

year = date_4_chars_to_int(asn1_time, 0);
month = date_2_chars_to_int(asn1_time, 4);
day = date_2_chars_to_int(asn1_time, 6) - 1; /* For calculations, day is 0-based. */
hour = date_2_chars_to_int(asn1_time, 8);
minute = date_2_chars_to_int(asn1_time, 10);
second = 0;
fractional = 0;

/* Check the next field, can be 'Z' for Zulu time (GMT) or [+/-] for local time offset. */
index = 12;

/* Check for optional seconds. */
if (asn1_time[index] != 'Z' && asn1_time[index] != '+' && asn1_time[index] != '-')
{
second = date_2_chars_to_int(asn1_time, index);
index += 2;

/* Check for optional fractional seconds. */
if (asn1_time[index] == '.')
{
index++;
fractional = date_3_chars_to_int(asn1_time, index);
index += 3;
}
}

/* Check for GMT time or local time offset. */
if (asn1_time[index] != 'Z')
{
/* Check for optional local time offset. NOTE: The additions and subtractions here may
* result in values > 24 or < 0 but that is OK for the calculations. */
if (asn1_time[index] == '+')
{
index++; /* Skip the '+' */
hour -= date_2_chars_to_int(asn1_time, index);
index += 2;
minute -= date_2_chars_to_int(asn1_time, index);
}
else if (asn1_time[index] == '-')
{
index++; /* Skip the '-' */
hour += date_2_chars_to_int(asn1_time, index);
index += 2;
minute += date_2_chars_to_int(asn1_time, index);
}
else
{
/* Not a correct UTC time! */
return(NX_SECURE_X509_INVALID_DATE_FORMAT);
}
}

/* Now we have our time in integers, calculate leap years that have occurred. */
day += _nx_secure_count_leap_years(unix_epoch, year);

/* If it is leap year and month is before March, subtract 1 day. */
if (is_leap_year(year) && (month < 3))
{
day -= 1;
}

/* Finally, calculate the number of seconds from the extracted values. */
day += (year - unix_epoch) * 365;
day += days_before_month[month - 1];
hour += day * 24;
minute += hour * 60;
second += minute * 60;

/* Finally, return the converted time. */
*unix_time = second;
}
else
{
Expand All @@ -280,3 +366,57 @@ UINT index;
return(NX_SECURE_X509_SUCCESS);
}


/**************************************************************************/
/* */
/* FUNCTION RELEASE */
/* */
/* _nx_secure_count_leap_years PORTABLE C */
/* 6.4.1 */
/* AUTHOR */
/* */
/* Simon Scurrell, T3S Solutions Ltd */
/* */
/* DESCRIPTION */
/* */
/* This function calculates the number of leap years that have */
/* occurred between the given start and end years. */
/* */
/* INPUT */
/* */
/* start_year 4-digit start year (YYYY) */
/* end_year 4-digit end year (YYYY) */
/* */
/* OUTPUT */
/* */
/* count Returns the number of leap years */
/* */
/* CALLS */
/* */
/* None */
/* */
/* CALLED BY */
/* */
/* _nx_secure_x509_asn1_time_to_unix_convert ASN.1 time convert */
/* */
/* RELEASE HISTORY */
/* */
/* DATE NAME DESCRIPTION */
/* */
/* 04-04-2024 Simon Scurrell Initial Version 6.4.1 */
/* */
/**************************************************************************/
static ULONG _nx_secure_count_leap_years(ULONG start_year, ULONG end_year)
{
ULONG count = 0;

for(ULONG year = start_year; year <= end_year; year++)
{
if(is_leap_year(year))
{
count += 1;
}
}

return count;
}
Loading