CWE-298: Improper Validation of Certificate Expiration

Description

A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Extended Description

When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.

Example Vulnerable Codes

Example - 1

The following OpenSSL code ensures that there is a certificate and allows the use of expired certificates.



// //do stuff// 
foo=SSL_get_verify_result(ssl);if ((X509_V_OK==foo) || (X509_V_ERR_CERT_HAS_EXPIRED==foo))if (cert = SSL_get_peer(certificate(ssl)) {

If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, this means that the certificate has expired. As time goes on, there is an increasing chance for attackers to compromise the certificate.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-295: Improper Certificate Validation
Go to
CWE-324: Use of a Key Past its Expiration Date
Go to
CWE-370: Missing Check for Certificate Revocation after Initial Check
Go to
CWE-672: Operation on a Resource after Expiration or Release
Go to

Visit http://cwe.mitre.org/ for more details.