disable limit of forward time checking for validating signatures

This commit is contained in:
csoler 2020-11-15 21:22:25 +01:00
parent 6617946fbd
commit 7db8400233

View file

@ -417,13 +417,24 @@ bool GxsSecurity::validateNxsMsg(const RsNxsMsg& msg, const RsTlvKeySignature& s
// /********************* check signature *******************/ // /********************* check signature *******************/
/* check signature timeperiod */ /* check signature timeperiod */
if ((msgMeta.mPublishTs < key.startTS) || (key.endTS != 0 && msgMeta.mPublishTs > key.endTS)) if(msgMeta.mPublishTs < key.startTS)
{ {
RsWarn() << __PRETTY_FUNCTION__ << " GxsSecurity::validateNxsMsg() TS out of range for key " << msgMeta.mAuthorId RsWarn() << __PRETTY_FUNCTION__ << " GxsSecurity::validateNxsMsg() TS out of range for key " << msgMeta.mAuthorId
<< " usage is limited to TS=[" << key.startTS << "," << key.endTS << "] and msg publish time is " << msgMeta.mPublishTs << std::endl; << " The signed message has an inconsistent msg publish time of " << msgMeta.mPublishTs
<< " whereas the signing key was created later at TS " << key.startTS
<< ". Validation rejected for security. If you see this, something irregular is going on." << std::endl;
return false; return false;
} }
if(key.endTS != 0 && msgMeta.mPublishTs > key.endTS)
{
RsWarn() << __PRETTY_FUNCTION__ << " GxsSecurity::validateNxsMsg() TS out of range for key " << msgMeta.mAuthorId
<< " usage is limited to TS=[" << key.startTS << "," << key.endTS << "] and msg publish time is " << msgMeta.mPublishTs
<< " The validation still passes, but that key should be renewed." << std::endl;
// no return here. We still proceed checking the signature.
}
/* decode key */ /* decode key */
const unsigned char *keyptr = (const unsigned char *) key.keyData.bin_data; const unsigned char *keyptr = (const unsigned char *) key.keyData.bin_data;
long keylen = key.keyData.bin_len; long keylen = key.keyData.bin_len;
@ -1053,14 +1064,22 @@ bool GxsSecurity::validateNxsGrp(const RsNxsGrp& grp, const RsTlvKeySignature& s
/********************* check signature *******************/ /********************* check signature *******************/
/* check signature timeperiod */ /* check signature timeperiod */
if ((grpMeta.mPublishTs < key.startTS) || (key.endTS != 0 && grpMeta.mPublishTs > key.endTS)) if (grpMeta.mPublishTs < key.startTS)
{ {
#ifdef GXS_SECURITY_DEBUG RsWarn() << __PRETTY_FUNCTION__ << " GxsSecurity::validateNxsGrp() TS out of range for admin/publish key of group " << grpMeta.mGroupId
std::cerr << " GxsSecurity::validateNxsMsg() TS out of range"; << " The signed group has an inconsistent creation/modification time of " << grpMeta.mPublishTs
std::cerr << std::endl; << " whereas the key was created later at TS " << key.startTS
#endif << ". Validation rejected for security. If you see this, something irregular is going on." << std::endl;
return false; return false;
} }
if (key.endTS != 0 && grpMeta.mPublishTs > key.endTS)
{
RsWarn() << __PRETTY_FUNCTION__ << " GxsSecurity::validateNxsMsg() TS out of range for admin/publish key for group " << grpMeta.mGroupId
<< " usage is limited to TS=[" << key.startTS << "," << key.endTS << "] and msg publish time is " << grpMeta.mPublishTs
<< " The validation still passes, but that key should be renewed." << std::endl;
// no return. Still proceed checking signature.
}
/* decode key */ /* decode key */
const unsigned char *keyptr = (const unsigned char *) key.keyData.bin_data; const unsigned char *keyptr = (const unsigned char *) key.keyData.bin_data;