CWE Rule 324

Use of a Key Past its Expiration Date

Since R2026a

expand all in page

Description

Use of a Key Past its Expiration Date

Polyspace Implementation

The rule checker checks for the issue Use of expired key.

Examples

expand all

Issue

This issue occurs if the return value of SSL_get_verify_result() is checked against one of these error codes:

  • X509_V_ERR_CRL_NOT_YET_VALID

  • X509_V_ERR_CRL_HAS_EXPIRED

  • X509_V_ERR_CERT_NOT_YET_VALID

  • X509_V_ERR_CERT_HAS_EXPIRED

This usage indicate that the code accepts the use of certificates and keys that are expired or not yet valid.

Risk

Expired keys can be compromised. Use of expired key reduces the security of your code.

Fix

To fix this violation, check the key against the error code X509_V_OK.

Example


            
            
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <stdio.h>

void checkCertificate(SSL *ssl) {
	// Assume ssl is already initialized and connected
	X509 *cert = SSL_get_peer_certificate(ssl);
	if(cert == NULL) {
		fprintf(stderr, "No certificate found.\n");
		return;
	}

	int verifyResult = SSL_get_verify_result(ssl);

	// Incorrectly allowing expired certificates
	if(verifyResult == X509_V_OK || verifyResult == X509_V_ERR_CRL_NOT_YET_VALID ) { //Noncompliant
		printf("Certificate is valid.\n");
	} else {
		fprintf(stderr, "Certificate verification failed: %s\n", X509_verify_cert_error_string(verifyResult));
	}

	X509_free(cert);
}

Correction

To fix this violation, check the validity of the jey against the error code X509_V_OK.

#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <stdio.h>

void checkCertificate(SSL *ssl) {
	// Assume ssl is already initialized and connected
	X509 *cert = SSL_get_peer_certificate(ssl);
	if(cert == NULL) {
		fprintf(stderr, "No certificate found.\n");
		return;
	}

	int verifyResult = SSL_get_verify_result(ssl);

	// Expired certificates not allowed
	if(verifyResult == X509_V_OK ) { //Compliant
		printf("Certificate is valid.\n");
	} else {
		fprintf(stderr, "Certificate verification failed: %s\n", X509_verify_cert_error_string(verifyResult));
	}

	X509_free(cert);
}

Check Information

Category: Cryptographic Issues
PQL Name: std.cwe_native.R324

Version History

Introduced in R2026a

See Also

Topics

External Websites