Allow override for certificate expiry

The user is able to ignore certificate expiry and continue loading the page regardless. This adds a one hour exception to the expiration date.
author: Jaakko Keränen <jaakko.keranen@iki.fi> 2021-07-16 22:46:30 +0300
committer: Jaakko Keränen <jaakko.keranen@iki.fi> 2021-07-16 22:46:30 +0300
commit: 1b1dc94c49368b7d7060244fde2bef31cc70d480 (patch)
tree: bca58bf618418adbc0060a85d289c3b1ebbca636 /src/gmcerts.c
parent: 8fb7695dc1cf4e136806fbd77557ebd644d71801 (diff)
1 files changed, 14 insertions, 12 deletions
diff --git a/src/gmcerts.c b/src/gmcerts.c
index 32e47b40..d8e77b12 100644
--- a/src/gmcerts.c
+++ b/src/gmcerts.c
@@ -456,13 +456,8 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iTls
    if (!cert) {
        return iFalse;
    }
-    if (isExpired_TlsCertificate(cert)) {
-        return iFalse;
-    }
    /* We trust CA verification implicitly. */
-    //const iBool isAuth = verify_TlsCertificate(cert) == authority_TlsCertificateVerifyStatus;
+    if (!verifyDomain_GmCerts(cert, domain)) {
-//    const iBool isAuth = iFalse; /* CA verification done during handshake */
-    if (/*!isAuth &&*/ !verifyDomain_GmCerts(cert, domain)) {
        return iFalse;
    }
    /* TODO: Could call setTrusted_GmCerts() instead of duplicating the trust-setting. */
@@ -474,11 +469,12 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iTls
    init_String(&key);
    makeTrustKey_(domain, port, &key);
    lock_Mutex(d->mtx);
+    iBool ok = !isExpired_TlsCertificate(cert);
    iTrustEntry *trust = value_StringHash(d->trusted, &key);
    if (trust) {
        /* We already have it, check if it matches the one we trust for this domain (if it's
           still valid. */
-        if (/*!isAuth && */elapsedSeconds_Time(&trust->validUntil) < 0) {
+        if (elapsedSeconds_Time(&trust->validUntil) < 0) {
            /* Trusted cert is still valid. */
            const iBool isTrusted = cmp_Block(fingerprint, &trust->fingerprint) == 0;
            unlock_Mutex(d->mtx);
@@ -487,17 +483,23 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iTls
            return isTrusted;
        }
        /* Update the trusted cert. */
-        init_Time(&trust->validUntil, &until);
+        if (ok) {
-        set_Block(&trust->fingerprint, fingerprint);
+            init_Time(&trust->validUntil, &until);
+            set_Block(&trust->fingerprint, fingerprint);
+        }
    }
    else {
-        insert_StringHash(d->trusted, &key, iClob(new_TrustEntry(fingerprint, &until)));
+        if (ok) {
+            insert_StringHash(d->trusted, &key, iClob(new_TrustEntry(fingerprint, &until)));
+        }
+    }
+    if (ok) {
+        save_GmCerts_(d);
    }
-    save_GmCerts_(d);
    unlock_Mutex(d->mtx);
    delete_Block(fingerprint);
    deinit_String(&key);
-    return iTrue;
+    return ok;
 }
 void setTrusted_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iBlock *fingerprint,
author	Jaakko Keränen <jaakko.keranen@iki.fi>	2021-07-16 22:46:30 +0300
committer	Jaakko Keränen <jaakko.keranen@iki.fi>	2021-07-16 22:46:30 +0300
commit	1b1dc94c49368b7d7060244fde2bef31cc70d480 (patch)
tree	bca58bf618418adbc0060a85d289c3b1ebbca636 /src/gmcerts.c
parent	8fb7695dc1cf4e136806fbd77557ebd644d71801 (diff)