Diffstat (limited to 'src/pluto')
-rw-r--r-- | src/pluto/ac.c | 6 | ||||
-rw-r--r-- | src/pluto/connections.c | 14 | ||||
-rw-r--r-- | src/pluto/crl.c | 34 | ||||
-rw-r--r-- | src/pluto/ocsp.c | 13 | ||||
-rw-r--r-- | src/pluto/smartcard.c | 14 | ||||
-rw-r--r-- | src/pluto/x509.c | 54 | ||||
-rw-r--r-- | src/pluto/x509.h | 1 |
7 files changed, 45 insertions, 91 deletions
diff --git a/src/pluto/ac.c b/src/pluto/ac.c index e35245845..14806c3cc 100644 --- a/src/pluto/ac.c +++ b/src/pluto/ac.c @@ -158,7 +158,7 @@ bool verify_x509acert(x509acert_t *x509ac, bool strict) chunk_t issuer_dn = issuer->get_encoding(issuer); chunk_t authKeyID = ac->get_authKeyIdentifier(ac); x509cert_t *aacert; - time_t valid_until; + time_t notBefore, valid_until; DBG(DBG_CONTROL, DBG_log("holder: '%Y'", subject); @@ -167,10 +167,12 @@ bool verify_x509acert(x509acert_t *x509ac, bool strict) if (!cert_ac->get_validity(cert_ac, NULL, NULL, &valid_until)) { + plog("attribute certificate is invalid (valid from %T to %T)", + ¬Before, FALSE, &valid_until, FALSE); return FALSE; } DBG(DBG_CONTROL, - DBG_log("attribute certificate is valid until %T", &valid_until, TRUE) + DBG_log("attribute certificate is valid until %T", &valid_until, FALSE) ) lock_authcert_list("verify_x509acert"); diff --git a/src/pluto/connections.c b/src/pluto/connections.c index e1a28cade..6c2872609 100644 --- a/src/pluto/connections.c +++ b/src/pluto/connections.c @@ -717,8 +717,6 @@ static void load_end_certificate(char *filename, struct end *dst) if (valid_cert) { - err_t ugh = NULL; - switch (cert.type) { case CERT_PGP: @@ -738,20 +736,18 @@ static void load_end_certificate(char *filename, struct end *dst) select_x509cert_id(cert.u.x509, &dst->id); if (cached_cert) + { dst->cert = cert; + } else { - time_t valid_until = 0; - - /* check validity of cert */ - ugh = check_validity(cert.u.x509, &valid_until); - if (ugh != NULL) + certificate_t *certificate = cert.u.x509->cert; + + if (!certificate->get_validity(certificate, NULL, NULL, &valid_until)) { - plog(" %s", ugh); free_x509cert(cert.u.x509); break; } - DBG(DBG_CONTROL, DBG_log("certificate is valid") ) diff --git a/src/pluto/crl.c b/src/pluto/crl.c index 01d4839fc..54f08f9d6 100644 --- a/src/pluto/crl.c +++ b/src/pluto/crl.c 
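Review bot: `notBefore` is declared in the first ac.c hunk but never assigned, yet the added `plog(...)` prints it: the unchanged `get_validity(cert_ac, NULL, NULL, &valid_until)` call passes NULL for the not-before out-parameter, so the new message reads an uninitialized `time_t` (undefined behaviour, and at best a meaningless timestamp in the log). Request the value from the same call, `if (!cert_ac->get_validity(cert_ac, NULL, &notBefore, &valid_until))`, so the diagnostic shows the real validity window. The `¬Before` in this rendering is presumably the entity-mangled `&notBefore`. verify_x509acert continues outside the hunk.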
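Review bot: The rejected-certificate path in load_end_certificate no longer says why the certificate was refused: the old `plog(" %s", ugh)` (not yet valid / expired) is dropped and the new `if (!certificate->get_validity(...))` branch frees the cert silently, while ac.c and x509.c in this same commit add a `plog("... invalid (valid from %T to %T)")` message. The same silent rejection appears in valid_ocsp_response (ocsp.c) and scx_find_cert_objects (smartcard.c); an operator investigating a connection that failed to load would only see the certificate vanish. Fetch the window and log it here too, e.g. `plog("certificate is invalid (valid from %T to %T)", &notBefore, FALSE, &valid_until, FALSE);` after passing `&notBefore` to get_validity. Separately, the local `time_t valid_until = 0;` is removed but `&valid_until` is still passed, so this now relies on a `valid_until` declared further up in the function, outside the hunk — worth confirming it exists and is intentionally retained.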
@@ -414,7 +414,7 @@ cert_status_t verify_by_crl(const x509cert_t *cert, time_t *until, crl_t *crl = (crl_t*)cert_crl; chunk_t authKeyID = crl->get_authKeyIdentifier(crl); x509cert_t *issuer_cert; - bool valid; + bool trusted, valid; DBG(DBG_CONTROL, DBG_log("crl found") @@ -435,32 +435,39 @@ cert_status_t verify_by_crl(const x509cert_t *cert, time_t *until, lock_authcert_list("verify_by_crl"); issuer_cert = get_authcert(issuer_dn, authKeyID, X509_CA); - valid = cert_crl->issued_by(cert_crl, issuer_cert->cert); + trusted = cert_crl->issued_by(cert_crl, issuer_cert->cert); unlock_authcert_list("verify_by_crl"); - if (valid) + if (trusted) { - time_t now, nextUpdate; cert_status_t status; DBG(DBG_CONTROL, DBG_log("crl signature is valid") ) - /* return the expiration date */ - time(&now); - cert_crl->get_validity(cert_crl, &now, NULL, &nextUpdate); - *until = nextUpdate; + + /* return the expiration date */ + valid = cert_crl->get_validity(cert_crl, NULL, NULL, until); /* has the certificate been revoked? */ status = check_revocation(crl, x509->get_serial(x509), revocationDate , revocationReason); - if (*until < now) + if (valid) + { + unlock_crl_list("verify_by_crl"); + DBG(DBG_CONTROL, + DBG_log("crl is valid: until %T", until, FALSE) + ) + } + else { fetch_req_t *req; - plog("crl update is overdue since %T", until, TRUE); + DBG(DBG_CONTROL, + DBG_log("crl is stale: since %T", until, FALSE) + ) /* try to fetch a crl update */ req = build_crl_fetch_request(issuer_dn, authKeyID, @@ -470,13 +477,6 @@ cert_status_t verify_by_crl(const x509cert_t *cert, time_t *until, add_crl_fetch_request(req); wake_fetch_thread("verify_by_crl"); } - else - { - unlock_crl_list("verify_by_crl"); - DBG(DBG_CONTROL, - DBG_log("crl is valid") - ) - } return status; } else diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c index d980e7f14..041df2452 100644 --- a/src/pluto/ocsp.c +++ b/src/pluto/ocsp.c 
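Review bot: The stale-CRL path is demoted from `plog("crl update is overdue since %T", ...)` to `DBG(DBG_CONTROL, DBG_log("crl is stale: ..."))`, so with debugging off an operator gets no indication that revocation checking ran against an out-of-date CRL, even though the `status` from check_revocation is still returned on that basis. Keep it at the normal log level, `plog("crl is stale: since %T", until, FALSE);`, and reserve DBG for the valid case. The unlock for the stale branch and the remainder of verify_by_crl are outside the hunk.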
@@ -424,7 +424,7 @@ cert_status_t verify_by_ocsp(const x509cert_t *cert, time_t *until, chunk_t serialNumber = x509->get_serial(x509); cert_status_t status; ocsp_location_t location; - time_t nextUpdate = 0; + time_t nextUpdate; *revocationDate = UNDEFINED_TIME; *revocationReason = CRL_REASON_UNSPECIFIED; @@ -1008,9 +1008,6 @@ static bool valid_ocsp_response(response_t *res) for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++) { - err_t ugh = NULL; - time_t until; - x509cert_t *cert = authcert; certificate_t *certificate = cert->cert; x509_t *x509 = (x509_t*)certificate; @@ -1021,21 +1018,17 @@ static bool valid_ocsp_response(response_t *res) DBG(DBG_CONTROL, DBG_log("subject: '%Y'", subject); DBG_log("issuer: '%Y'", issuer); - if (authKeyID.ptr != NULL) + if (authKeyID.ptr) { DBG_log("authkey: %#B", &authKeyID); } ) - ugh = check_validity(authcert, &until); - - if (ugh != NULL) + if (!certificate->get_validity(certificate, NULL, NULL, NULL)) { - plog("%s", ugh); unlock_authcert_list("valid_ocsp_response"); return FALSE; } - DBG(DBG_CONTROL, DBG_log("certificate is valid") ) diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c index 97074f52e..cf50a5bba 100644 --- a/src/pluto/smartcard.c +++ b/src/pluto/smartcard.c @@ -570,21 +570,15 @@ static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session) /* check validity of certificate */ cert = sc->last_cert.u.x509; - valid_until = cert->notAfter; - ugh = check_validity(cert, &valid_until); - if (ugh != NULL) + if (!cert->cert->get_validity(cert->cert, NULL, NULL, &valid_until) { - plog(" %s", ugh); free_x509cert(cert); scx_free(sc); continue; } - else - { - DBG(DBG_CONTROL, - DBG_log(" certificate is valid") - ) - } + DBG(DBG_CONTROL, + DBG_log(" certificate is valid") + ) sc = scx_add(sc); diff --git a/src/pluto/x509.c b/src/pluto/x509.c index 61d263948..77c5156bf 100644 --- a/src/pluto/x509.c +++ b/src/pluto/x509.c 
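Review bot: Dropping the initializer from `time_t nextUpdate = 0;` leaves `nextUpdate` indeterminate until some later assignment in verify_by_ocsp, which is outside the hunk; if the `= 0` was removed because the commit moves the "no limit yet" sentinel from 0 to `UNDEFINED_TIME` (x509.c now tests `*until == UNDEFINED_TIME`), the matching change is `time_t nextUpdate = UNDEFINED_TIME;`, not an uninitialized variable. Any path that reads it before assigning it is undefined behaviour rather than a harmless default.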
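Review bot: The new condition in scx_find_cert_objects is missing a closing parenthesis — `if (!cert->cert->get_validity(cert->cert, NULL, NULL, &valid_until) {` opens two and closes one, so the file will not compile as committed; it should read `if (!cert->cert->get_validity(cert->cert, NULL, NULL, &valid_until))`. As in connections.c, the `plog(" %s", ugh)` explaining the rejection is removed without a replacement, and `ugh` (declared outside the hunk) appears to be left unused. The enclosing loop body starts and ends outside the hunk.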
@@ -1316,41 +1316,6 @@ void parse_authorityKeyIdentifier(chunk_t blob, int level0, } /** - * Verify the validity of a certificate by - * checking the notBefore and notAfter dates - */ -err_t check_validity(const x509cert_t *cert, time_t *until) -{ - time_t current_time, notBefore, notAfter; - certificate_t *certificate = cert->cert; - - time(¤t_time); - certificate->get_validity(certificate, ¤t_time, ¬Before, ¬After); - DBG(DBG_CONTROL | DBG_PARSING , - DBG_log(" not before : %T", ¬Before, TRUE); - DBG_log(" current time: %T", ¤t_time, TRUE); - DBG_log(" not after : %T", ¬After, TRUE); - ) - - if (*until == 0 || notAfter < *until) - { - *until = notAfter; - } - if (current_time < notBefore) - { - return "certificate is not valid yet"; - } - if (current_time > notAfter) - { - return "certificate has expired"; - } - else - { - return NULL; - } -} - -/** * Verifies a X.509 certificate */ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until) @@ -1367,25 +1332,30 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until) x509_t *x509 = (x509_t*)certificate; chunk_t authKeyID = x509->get_authKeyIdentifier(x509); x509cert_t *issuer_cert; - err_t ugh = NULL; + time_t notBefore, notAfter; + bool valid; DBG(DBG_CONTROL, DBG_log("subject: '%Y'", subject); DBG_log("issuer: '%Y'", issuer); - if (authKeyID.ptr != NULL) + if (authKeyID.ptr) { DBG_log("authkey: %#B", &authKeyID); } ) - ugh = check_validity(cert, until); - - if (ugh != NULL) + valid = certificate->get_validity(certificate, NULL, + ¬Before, ¬After); + if (*until == UNDEFINED_TIME || notAfter < *until) { - plog("%s", ugh); + *until = notAfter; + } + if (!valid) + { + plog("certificate is invalid (valid from %T to %T)", + ¬Before, FALSE, ¬After, FALSE); return FALSE; } - DBG(DBG_CONTROL, DBG_log("certificate is valid") ) diff --git a/src/pluto/x509.h b/src/pluto/x509.h index a61d6c06b..e9b61a492 100644 --- a/src/pluto/x509.h +++ b/src/pluto/x509.h 
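Review bot: The "no limit yet" sentinel for `*until` changes from `0` (old check_validity) to `UNDEFINED_TIME` in the new `if (*until == UNDEFINED_TIME || notAfter < *until)`, but verify_x509cert's callers are outside the hunk, and this commit only removes the `= 0` initializers it touches (connections.c, ocsp.c) rather than replacing them with `UNDEFINED_TIME`. A caller that still seeds `until` with 0 will never have it lowered to `notAfter`, so the returned expiry is silently wrong; document the expectation above the function, e.g. `/* *until must be UNDEFINED_TIME or a previously computed limit; it is lowered to notAfter even when the certificate is invalid */`, and audit the callers. Note also that `*until` is updated before the validity test, so an expired certificate still narrows it — fine if intended, but worth saying in that comment.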
@@ -77,7 +77,6 @@ extern void parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t *authKeyID, chunk_t *authKeySerialNumber); extern chunk_t get_directoryName(chunk_t blob, int level, bool implicit); -extern err_t check_validity(const x509cert_t *cert, time_t *until); extern bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm, certificate_t *issuer_cert); extern chunk_t x509_build_signature(chunk_t tbs, int algorithm, |