1 // Copyright 2019 The Chromium Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include "revocation_util.h"
16 
17 #include "encode_values.h"
18 #include "parse_values.h"
19 
20 BSSL_NAMESPACE_BEGIN
21 
namespace {

// Inclusive bounds, in seconds relative to the POSIX epoch, on the
// verification time that CheckRevocationDateValid() accepts. kMaxValidTime is
// also the upper limit for its optional maximum-age argument.
constexpr int64_t kMinValidTime{-62'167'219'200};  // 0000-01-01 00:00:00 UTC
constexpr int64_t kMaxValidTime{253'402'300'799};  // 9999-12-31 23:59:59 UTC

}  // namespace
28 
// Checks that the validity window of a revocation response contains the
// verification time and, optionally, that the response is not too old.
//
// Returns true only when all of the following hold:
//   * |verify_time_epoch_seconds| lies in [kMinValidTime, kMaxValidTime] and
//     can be encoded as a GeneralizedTime;
//   * |max_age_seconds|, if set, lies in [0, kMaxValidTime];
//   * |this_update| is not later than the verification time;
//   * |next_update|, if non-null, is strictly later than the verification
//     time;
//   * if |max_age_seconds| is set, |this_update| is not earlier than the
//     verification time minus the maximum age.
//
// A null |next_update| skips the expiry check. If |max_age_seconds| is also
// unset, this function places no upper bound on the age of the response, so
// callers that need freshness must supply one of the two.
bool CheckRevocationDateValid(const der::GeneralizedTime &this_update,
                              const der::GeneralizedTime *next_update,
                              int64_t verify_time_epoch_seconds,
                              std::optional<int64_t> max_age_seconds) {
  // Range-check the inputs before doing any arithmetic on them.
  const bool verify_time_in_range =
      verify_time_epoch_seconds >= kMinValidTime &&
      verify_time_epoch_seconds <= kMaxValidTime;
  if (!verify_time_in_range) {
    return false;
  }
  if (max_age_seconds.has_value()) {
    const int64_t max_age = *max_age_seconds;
    if (max_age < 0 || max_age > kMaxValidTime) {
      return false;
    }
  }

  der::GeneralizedTime now;
  const bool now_encoded =
      der::EncodePosixTimeAsGeneralizedTime(verify_time_epoch_seconds, &now);
  if (!now_encoded) {
    return false;
  }

  // Response is not yet valid.
  if (this_update > now) {
    return false;
  }

  // Response is no longer valid. The comparison is inclusive: a response whose
  // next_update equals the verification time is already rejected.
  if (next_update != nullptr && *next_update <= now) {
    return false;
  }

  if (!max_age_seconds.has_value()) {
    return true;
  }

  // Both operands were bounded above, so this subtraction cannot overflow. A
  // cutoff that cannot be encoded as a GeneralizedTime fails closed.
  const int64_t cutoff_epoch_seconds =
      verify_time_epoch_seconds - *max_age_seconds;
  der::GeneralizedTime oldest_allowed_this_update;
  if (!der::EncodePosixTimeAsGeneralizedTime(cutoff_epoch_seconds,
                                             &oldest_allowed_this_update)) {
    return false;
  }

  // Response is too old when this_update precedes the cutoff.
  return !(this_update < oldest_allowed_this_update);
}
68 
69 BSSL_NAMESPACE_END
70