Add API to disable certificate validity period validation (aws#4183)

api/s2n.h

@@ -975,6 +975,30 @@ S2N_API extern int s2n_config_set_verify_host_callback(struct s2n_config *config
  */
 S2N_API extern int s2n_config_set_check_stapled_ocsp_response(struct s2n_config *config, uint8_t check_ocsp);
 
+/**
+ * Disables timestamp validation for received certificates.
+ *
+ * By default, s2n-tls checks the notBefore and notAfter fields on the certificates it receives
+ * during the handshake. If the current date is not within the range of these fields for any
+ * certificate in the chain of trust, `s2n_negotiate()` will error. This validation is in
+ * accordance with RFC 5280, section 6.1.3 a.2:
+ * https://datatracker.ietf.org/doc/html/rfc5280#section-6.1.3.
+ *
+ * This API will disable this timestamp validation, permitting negotiation with peers that send
+ * expired certificates, or certificates that are not yet considered valid.
+ *
+ * @warning Applications calling this API should seriously consider the security implications of
+ * disabling this validation. The validity period of a certificate corresponds to the range of time
+ * in which the CA is guaranteed to maintain information regarding the certificate's revocation
+ * status. As such, it may not be possible to obtain accurate revocation information for
+ * certificates with invalid timestamps. Applications disabling this validation MUST implement
+ * some external method for limiting certificate lifetime.
+ *
+ * @param config The associated connection config.
+ * @returns S2N_SUCCESS on success, S2N_FAILURE on failure.
+ */
+S2N_API extern int s2n_config_disable_x509_time_verification(struct s2n_config *config);
+
 /**
  * Turns off all X.509 validation during the negotiation phase of the connection. This should only
  * be used for testing or debugging purposes.

crypto/s2n_libcrypto.c

@@ -118,7 +118,7 @@ bool s2n_libcrypto_is_awslc()
 #endif
 }
 
-static uint64_t s2n_libcrypto_awslc_api_version(void)
+uint64_t s2n_libcrypto_awslc_api_version(void)
 {
 #if defined(OPENSSL_IS_AWSLC)
     return AWSLC_API_VERSION;
@@ -191,3 +191,12 @@ unsigned long s2n_get_openssl_version(void)
 {
     return OPENSSL_VERSION_NUMBER;
 }
+
+bool s2n_libcrypto_supports_flag_no_check_time()
+{
+#ifdef S2N_LIBCRYPTO_SUPPORTS_FLAG_NO_CHECK_TIME
+    return true;
+#else
+    return false;
+#endif
+}

crypto/s2n_libcrypto.h

@@ -18,3 +18,5 @@
 #include "utils/s2n_result.h"
 
 S2N_RESULT s2n_libcrypto_validate_runtime(void);
+
+bool s2n_libcrypto_supports_flag_no_check_time();

error/s2n_errno.c

@@ -96,6 +96,7 @@ static const char *no_such_error = "Internal s2n error";
     ERR_ENTRY(S2N_ERR_RECORD_LIMIT, "TLS record limit reached") \
     ERR_ENTRY(S2N_ERR_CERT_UNTRUSTED, "Certificate is untrusted") \
     ERR_ENTRY(S2N_ERR_CERT_REVOKED, "Certificate has been revoked by the CA") \
+    ERR_ENTRY(S2N_ERR_CERT_NOT_YET_VALID, "Certificate is not yet valid") \
     ERR_ENTRY(S2N_ERR_CERT_EXPIRED, "Certificate has expired") \
     ERR_ENTRY(S2N_ERR_CERT_TYPE_UNSUPPORTED, "Certificate Type is unsupported") \
     ERR_ENTRY(S2N_ERR_CERT_INVALID, "Certificate is invalid") \

error/s2n_errno.h

@@ -109,6 +109,7 @@ typedef enum {
     S2N_ERR_RECORD_LIMIT,
     S2N_ERR_CERT_UNTRUSTED,
     S2N_ERR_CERT_REVOKED,
+    S2N_ERR_CERT_NOT_YET_VALID,
     S2N_ERR_CERT_EXPIRED,
     S2N_ERR_CERT_TYPE_UNSUPPORTED,
     S2N_ERR_CERT_INVALID,

tests/features/S2N_LIBCRYPTO_SUPPORTS_FLAG_NO_CHECK_TIME.c

@@ -0,0 +1,24 @@
+/*
+* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*
+* Licensed under the Apache License, Version 2.0 (the "License").
+* You may not use this file except in compliance with the License.
+* A copy of the License is located at
+*
+*  http://aws.amazon.com/apache2.0
+*
+* or in the "license" file accompanying this file. This file is distributed
+* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+* express or implied. See the License for the specific language governing
+* permissions and limitations under the License.
+*/
+
+#include <openssl/x509.h>
+
+int main()
+{
+    X509_STORE *store = X509_STORE_new();
+    X509_VERIFY_PARAM *param = X509_STORE_get0_param(store);
+    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_NO_CHECK_TIME);
+    return 0;
+}

tests/pems/rsa_2048_expired_cert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkTCCAnmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJVUzEW
+MBQGA1UECAwNTWFzc2FjaHVzZXR0czEPMA0GA1UECgwGQW1hem9uMQwwCgYDVQQL
+DANzMm4xEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw05MDAxMDEwMDAwMDBaFw05MDAy
+MDEwMDAwMDBaMFgxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRz
+MQ8wDQYDVQQKDAZBbWF6b24xDDAKBgNVBAsMA3MybjESMBAGA1UEAwwJbG9jYWxo
+b3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs+pIdMVGJKSFJ9pF
+gTTt9KDwYxrZLXsNpiSliQ1ycwZgBT5F6E+gw4ojXaRuJU+eUWJJSnOEV8/pkU6A
+OwtN3A/9PQUxrxgEGYUM7oyeS1uuS7LPKZVyp+wvfAJGxkUr5I5sxD3qJWEtlibZ
++jkxA9Q6gtfzeXzFE1gsbTZl30s/kX1WHLalAmh/+XisZ+CUuQFVjVNKQU3mVl5x
+3GItjH+JxiiERQfyzhafOUT8aCzmxrflqKFUgr7SCcNriE++sAydnwKfYCv4G5cW
+iRG7UYFPpGrL3cOaWVvOuNw2vlVgCfPBoWx15IERpit1Veo8kf8bDi6uEwXylmEW
+QxwIjQIDAQABo2YwZDAdBgNVHQ4EFgQUtZKt5dw+F7AlhqN0vkybb+wYGAQwHwYD
+VR0jBBgwFoAUtZKt5dw+F7AlhqN0vkybb+wYGAQwEgYDVR0TAQH/BAgwBgEB/wIB
+ADAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAAaVMXdfU00Ukdzh
+vnj/2ZZg9JnOPVDfFqj/JzvBTwWZLDruxCde+QDJuszbKx95EeGh2CJvWqauR0ik
+RC6vx07qR+u/cFyoxYORnU4tvA5VPUpR+6Wbnjoc9znQjC3EuPix8XtBvLYjhpxf
+7Gp9tcbAJ3T6xnhQ0yVAOSOodfvGEV58lwSXudS4EkA4PRIcv6MLST13/XGP+u8a
+KMnAvc3U2/I4DhNDUnqQJHNGHetst9wzbplcJyfmyHmV0CaxY8HZWjdHPZ8Slcld
+UMkSAdh+STu81ArAMmXOnGSM/4hF3/Llr45xoz3jhT62JdtJQqiAH5rT4CXzoCH6
+7bcygUw=
+-----END CERTIFICATE-----

tests/pems/rsa_2048_expired_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAs+pIdMVGJKSFJ9pFgTTt9KDwYxrZLXsNpiSliQ1ycwZgBT5F
+6E+gw4ojXaRuJU+eUWJJSnOEV8/pkU6AOwtN3A/9PQUxrxgEGYUM7oyeS1uuS7LP
+KZVyp+wvfAJGxkUr5I5sxD3qJWEtlibZ+jkxA9Q6gtfzeXzFE1gsbTZl30s/kX1W
+HLalAmh/+XisZ+CUuQFVjVNKQU3mVl5x3GItjH+JxiiERQfyzhafOUT8aCzmxrfl
+qKFUgr7SCcNriE++sAydnwKfYCv4G5cWiRG7UYFPpGrL3cOaWVvOuNw2vlVgCfPB
+oWx15IERpit1Veo8kf8bDi6uEwXylmEWQxwIjQIDAQABAoIBAEc3mBLQ/CEJFsRd
+vGGW6BKLmlxAhnNgYFjB7NzBe+pYPa4Vpmp9CrAcgD9TFV6jk5G3jDdyXpK79ELW
+hh/ZK6rOkXmUEsSyhvzrE+FhvE8sLWQ9lY9qXwZlka5O4GEfhG5miltr/sFpJDhp
+jKNl/Cb93WNpxDD02LX9kyhv/gdTAb6oBffM6B92buTw1i6HlvItsVNyrf1Vw39C
+NafkbRCRO3BCalKRr5sDU9uvMhu0LFYPVyRaBcNgqRVHFWQ6Ho3G69jsdwux0fY1
+bnsM0dkU1yh1LsKe6btt/pRobHeZkVkkTjbLX0/ABgeWE7B97g8xUDz2i9WjYdLy
+pGFluUECgYEA5YhhUPfQWbepY7eVzPZycXnVP6zwpZBk8eijoDRXXOjKPpPNz0am
+vVDzDH4NkvOWgzqxwjs7tcoJvFRhwbLcQSJzQB3vbrhKBCUg1YkxixwjMDdmjunM
+gkMur9uLi5IAODKVFKsyR+aQ5/Iv4UFVcJsJGa7eKfN+5/ez8g47SJUCgYEAyKk7
+jXb5cGmRtpoIBnfTucw9wR4PsnJ3dnEHU+U+aoOOBLQaOQATs9+YJaiJFTtKQ/Jh
+Or0t8VLxUMes6VUXQT1qYHJKE72Qdw0bAYrdrEWkspEwnPPUjVErvSpqQg6mGs7t
+FGOcMHKqVoIlvg3QwBKE4d7Sv5EyYL7121HjqhkCgYB+sKjuNOoWKw5e0LzpNXnz
+ckim7cCh0bI1568wxNMXoBHJOnGVn6x2wBB267h4TOTdp+7ngyQw8cQv4+9VJ3D0
+rpwoXp2CYkvQP+IAmsnyu2Qcv+dmqFtN5uEFBcvfDIX8fsbUcq29C+EddQrCbPpI
+vfnm6CMNyq1YQdtblklYhQKBgQCDB5c+siECGb2v2ndBGgAkxEzTDTk80mhV7ErX
+qsuOLCeRxLWW4Qj8nRYyCRKyzYuaQOziuWQFwJ6ZnDm6B/lufZc4MYlTyKZMRz+K
+S06jTrrUa+CtrL7wJMAF/2txhTVMLjE77iuwqz+1y7ivmT/mHHGvOJyvwTV/XVMY
+Cyo6CQKBgQCMyW7nJLEuNH2AFcyyv7Rs783KW81LbWMnQMIg/D2kdhhWbEWbbZw5
+JwqC21GFT8C1AZOMoVFK7ecnFD8Gt/JaRO+Ncjg74ciyo/OHIwN9x9Ra+3wjCErr
+Tlw65Afq1lLLvoH/xhilp9tbwOk/AUMYW6p05MMb+ecfD3vTzMgJ5A==
+-----END RSA PRIVATE KEY-----

tests/pems/rsa_2048_not_yet_valid_cert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDlTCCAn2gAwIBAgIBATANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJVUzEW
+MBQGA1UECAwNTWFzc2FjaHVzZXR0czEPMA0GA1UECgwGQW1hem9uMQwwCgYDVQQL
+DANzMm4xEjAQBgNVBAMMCWxvY2FsaG9zdDAiGA8yMTIzMDEwMTAwMDAwMFoYDzIx
+MjMwMjAxMDAwMDAwWjBYMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
+ZXR0czEPMA0GA1UECgwGQW1hem9uMQwwCgYDVQQLDANzMm4xEjAQBgNVBAMMCWxv
+Y2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5C72o+ZbTf
+G2a59I4ETdBAbMwIqLNt1+6fPg+QhUzYlnyJgwUmSB6O9u1Y+Oj7WHQe9UyOrV/Q
+gMBVlM6R62zqAUzLhlDMYJc8Nkj7/EzqKPdY/EIOLpVJWx6wZT/9AvQozDBN956A
+JaExjhcfyCRVogb739pM/8ytuddZ3kdTwgTiN17e3xY1baVznOjBmH2UavkH5UZO
+VZVIbbvFDZd7D2IZjMqoDj+iwkhP/X9MrhrQVNY90OLX11GSxgDOOpmWNA6nzevG
+6cO/r+DtKL7RCZBoyrqBoBu44WCUuWlhNCgfoCa8i/2c7LxmyLyT7qFi+/ZUhLpk
+/M98i86X8BcCAwEAAaNmMGQwHQYDVR0OBBYEFHf+/FXOo2KPoJ5bezGcYtaRR9RW
+MB8GA1UdIwQYMBaAFHf+/FXOo2KPoJ5bezGcYtaRR9RWMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQApvi5lHqg3
+S2XCugTARHbTCqjEpWwCN2MAPW9ni8IzqkGODh4e01XaxSef6iCmuROlRuLO5wli
+OKS+IemIgSwfmaMKpL0zZQuUBbPhvRfyknOxRQy/MxkbINUkwQB5kUZ90DqnTK+G
+3o2Ux12/yxH9L+ERKVsPmzSYLOPl7aWEp3yXwukph2H6EzApBw7g2Y2JrnPsfMCU
+PLAl89qsnIZZasyNWGc5wnyrJOmUxX7YzqmAm2xUpRh4i2+zG8oQiokBI+TH8Gt6
+xBKCEz+J1yx7tvW3AC3GnzBqT96VViD26EFd4icdas6wGY+BAkT3l6JvHzOCGX/J
+EEiVmJ3YNDSJ
+-----END CERTIFICATE-----

tests/pems/rsa_2048_not_yet_valid_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEArkLvaj5ltN8bZrn0jgRN0EBszAios23X7p8+D5CFTNiWfImD
+BSZIHo727Vj46PtYdB71TI6tX9CAwFWUzpHrbOoBTMuGUMxglzw2SPv8TOoo91j8
+Qg4ulUlbHrBlP/0C9CjMME33noAloTGOFx/IJFWiBvvf2kz/zK2511neR1PCBOI3
+Xt7fFjVtpXOc6MGYfZRq+QflRk5VlUhtu8UNl3sPYhmMyqgOP6LCSE/9f0yuGtBU
+1j3Q4tfXUZLGAM46mZY0DqfN68bpw7+v4O0ovtEJkGjKuoGgG7jhYJS5aWE0KB+g
+JryL/ZzsvGbIvJPuoWL79lSEumT8z3yLzpfwFwIDAQABAoIBAAnOanqoGEEdbQVS
+4Zg8VcSqW3T/575xJ/2dqHhnwZiZd556fo0DontVwD+LCjbSLiAaveMZBFin+xbX
+uhAF1iHC6V/Q9DYHyke4c7WXuJL7emKw90EgWy67eg04D/qR2mCzCwqM2Kpqu7Ne
+foh+mVyyFPQfqHE4dAyomhSsUf3heOy7ojSIkpxp/jrLVjsrq1Th5flSXfHp3EF7
+b+3O771Xby6tIUBTWhOAP7k3Cpx7Cnyb/FdkSK/lMlYpnr/OopKxB/Wv51+2Ur0v
+8nvLhrbp3ODP3g/o/Xo6z3rghu08Y20iUnLabo/ZhSNSIxWPyguhVE7ge+M2NYJz
+2SeJA0ECgYEA4rwClvyWbEz2VA1pWqo3nwvONo+Gx39fioPtZ7pHW8FRbpAJOX9i
+piG14gVza/n6K/a243Ubw6tHLqe1D4t3zHG2t23Wy8sKj+qtGIQ6NVaPkJtdwRwk
+4KRG7F948PaQv2dSV7arJC236hWCM2dSK/MCQrI5GwXPUj//2WlwQdUCgYEAxMEP
+dQ7LAbYL09jnM+jje+exdbc5iBmwK3XjiGsUWukZw+/AXXdgc02FXRr29Tug4R/D
+TZrXok562L4jV2aGk9M3CuCv5LkNQbnJ3i6+/lgcjvvuy3BWQ/aXmYm3JVdfrmZx
+ITTdqbxz729pagoXB02E0svTld/A7kNQk54ztDsCgYB8M3lHtD3CPbaB/IbFv5CQ
+cysXADBYgBGaEwKtW4FTZeZxpj0nXfxv/O9hTJMZhunfw1oT50a6PMzVZdDtHv0U
+5QWuHWEYabTzeR4w29328d/a2wDUk9IvrE2dlf7uIGLSNosIuWuueczRUc7s0aBV
+qtyGJJLblqcm6x//vJ5dsQKBgESjkU/l9D5JkwC5x5adZVbhclA9tk1boNDYlKMP
+sA8zCLEJH9O7hKNU5PShJoxQ3AQNf6XAIf/WXxbj5hJkiwhhA+/AiLxDLnPCa8Ee
+D7VNadEb5KeGLiIRkbuXhpP5UkDWLhtGhRnky5E5Dc5XbMc4bODZCJxdbcHxK9gD
+tcfnAoGBANSb6IAOdkPebFTpCyBHGtm3mCyTPRf7t/Fo1FHMI5+EV6/PZC6vbMNB
+6Eh1ft6pzCEHEj+rbuGaroCaOisbpnFl7QNm1JTvedTaBGPeJ/bFgXfECKwyn/YW
+kPrLecfPPEnOSI4+5Ld+UXBg9Fkd0pHr9BwStUB+xEzDcF/kEuQQ
+-----END RSA PRIVATE KEY-----

tests/testlib/s2n_testlib.h

@@ -135,6 +135,12 @@ S2N_RESULT s2n_connection_set_test_master_secret(struct s2n_connection *conn, co
 /* Missing line endings between PEM encapsulation boundaries */
 #define S2N_MISSING_LINE_ENDINGS_CERT_CHAIN "../pems/rsa_2048_missing_line_endings_cert.pem"
 
+/* PEMs with invalid timestamp fields */
+#define S2N_EXPIRED_CERT_CHAIN       "../pems/rsa_2048_expired_cert.pem"
+#define S2N_EXPIRED_KEY              "../pems/rsa_2048_expired_key.pem"
+#define S2N_NOT_YET_VALID_CERT_CHAIN "../pems/rsa_2048_not_yet_valid_cert.pem"
+#define S2N_NOT_YET_VALID_KEY        "../pems/rsa_2048_not_yet_valid_key.pem"
+
 /* Illegally formatted PEMs */
 #define S2N_INVALID_HEADER_CERT_CHAIN  "../pems/rsa_2048_invalid_header_cert.pem"
 #define S2N_INVALID_TRAILER_CERT_CHAIN "../pems/rsa_2048_invalid_trailer_cert.pem"

tests/unit/s2n_config_test.c

@@ -962,5 +962,21 @@ int main(int argc, char **argv)
         }
     }
 
+    /* s2n_config_disable_x509_time_verification tests */
+    {
+        /* Safety */
+        EXPECT_FAILURE_WITH_ERRNO(s2n_config_disable_x509_time_verification(NULL), S2N_ERR_NULL);
+
+        /* Ensure s2n_config_disable_x509_time_verification sets the proper state */
+        {
+            DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
+            EXPECT_NOT_NULL(config);
+            EXPECT_EQUAL(config->disable_x509_time_validation, false);
+
+            EXPECT_SUCCESS(s2n_config_disable_x509_time_verification(config));
+            EXPECT_EQUAL(config->disable_x509_time_validation, true);
+        }
+    }
+
     END_TEST();
 }

tests/unit/s2n_crl_test.c

@@ -573,7 +573,7 @@ int main(int argc, char *argv[])
     };
 
     /* CRL validation succeeds for a CRL with an invalid nextUpdate date */
-    {
+    for (int disable_time_validation = 0; disable_time_validation <= 1; disable_time_validation += 1) {
         DEFER_CLEANUP(struct s2n_x509_trust_store trust_store = { 0 }, s2n_x509_trust_store_wipe);
         s2n_x509_trust_store_init_empty(&trust_store);
 
@@ -592,6 +592,13 @@ int main(int argc, char *argv[])
         EXPECT_NOT_NULL(config);
         EXPECT_SUCCESS(s2n_config_set_crl_lookup_cb(config, crl_lookup_test_callback, &data));
 
+        /* Ensure that validation succeeds for a CRL with an invalid nextUpdate field when time
+         * validation is disabled.
+         */
+        if (disable_time_validation) {
+            EXPECT_SUCCESS(s2n_config_disable_x509_time_verification(config));
+        }
+
         DEFER_CLEANUP(struct s2n_connection *connection = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
         EXPECT_NOT_NULL(connection);
         EXPECT_SUCCESS(s2n_connection_set_config(connection, config));