
Audit required: (*crypto/x509.Certificate).Verify does not use the system time for verification GO-S1032

Security
Major
a02 owasp top 10 cwe-324

(*crypto/x509.Certificate).Verify takes the time used to verify the certificate from the CurrentTime field of the VerifyOptions passed to it. Providing a time other than the current system time may allow expired certificates to be marked as valid.

Bad practice

package main

import (
    "crypto/x509"
    "encoding/pem"
    "time"
)

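// main verifies a leaf certificate against a root pool but pins the
// verification time to a hard-coded instant instead of the system clock —
// the pattern this rule flags. Error handling is elided with "// ...".
func main() {
    const rootPEM = "..."
    const certPEM = "..."

    roots := x509.NewCertPool()
    if ok := roots.AppendCertsFromPEM([]byte(rootPEM)); !ok {
        // ... no root could be parsed; nothing to verify against
        return
    }

    block, _ := pem.Decode([]byte(certPEM))
    if block == nil {
        // ... no PEM block found; reading block.Bytes below would dereference nil
        return
    }
    cert, err := x509.ParseCertificate(block.Bytes)
    if err != nil {
        // ...
        return
    }

    // time.Parse returns (time.Time, error), so its result cannot be used
    // directly as the CurrentTime field value. The input must also match the
    // layout: RFC822Z is "02 Jan 06 15:04 -0700".
    fixedTime, err := time.Parse(time.RFC822Z, "02 Apr 22 10:10 +0530")
    if err != nil {
        // ...
        return
    }

    // The chain is validated as of April 2022 rather than now: a certificate
    // that has expired since then is still reported as valid.
    opts := x509.VerifyOptions{
        DNSName:     "deepsource.io",
        Roots:       roots,
        CurrentTime: fixedTime, // not the system time
    }

    if _, err := cert.Verify(opts); err != nil { // it uses some other time for verification
        panic("failed to verify certificate: " + err.Error())
    }
}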

Recommended

package main

import (
    "crypto/x509"
    "encoding/pem"
    "time"
)

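// main verifies a leaf certificate against a root pool using the system
// clock as the verification time, which is what this rule recommends.
// Error handling is elided with "// ...".
func main() {
    const rootPEM = "..."
    const certPEM = "..."

    roots := x509.NewCertPool()
    if ok := roots.AppendCertsFromPEM([]byte(rootPEM)); !ok {
        // ... no root could be parsed; nothing to verify against
        return
    }

    block, _ := pem.Decode([]byte(certPEM))
    if block == nil {
        // ... no PEM block found; reading block.Bytes below would dereference nil
        return
    }
    cert, err := x509.ParseCertificate(block.Bytes)
    if err != nil {
        // ...
        return
    }

    // Verify as of the current system time. Leaving CurrentTime at its zero
    // value is equivalent — Verify then falls back to time.Now() — so the
    // field may simply be omitted; it is declared only once here because a
    // second `opts :=` in the same scope would not compile.
    opts := x509.VerifyOptions{
        DNSName:     "deepsource.io",
        Roots:       roots,
        CurrentTime: time.Now(),
    }

    if _, err := cert.Verify(opts); err != nil {
        panic("failed to verify certificate: " + err.Error())
    }
}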

References