rpki-client: simplify ta_parse()
On Wed, Jun 05, 2024 at 03:56:17PM +0200, Theo Buehler wrote:
> ta_parse() is always called after cert_parse_pre() which already stores
> notbefore and notafter in struct cert, so we can use a time_t comparison.
> Of course this assumes that we're not on an operating system with a 32-bit time_t,
> which we already assume elsewhere.
>
> Index: cert.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> diff -u -p -r1.136 cert.c
> --- cert.c 4 Jun 2024 14:10:53 -0000 1.136
> +++ cert.c 5 Jun 2024 11:29:35 -0000
> @@ -1073,7 +1073,6 @@ struct cert *
> ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
> size_t pkeysz)
> {
> - ASN1_TIME *notBefore, *notAfter;
> EVP_PKEY *pk, *opk;
> time_t now = get_current_time();
>
> @@ -1095,20 +1094,11 @@ ta_parse(const char *fn, struct cert *p,
> "pubkey does not match TAL pubkey", fn);
> goto badcert;
> }
> -
> - if ((notBefore = X509_get_notBefore(p->x509)) == NULL) {
> - warnx("%s: certificate has invalid notBefore", fn);
> - goto badcert;
> - }
> - if ((notAfter = X509_get_notAfter(p->x509)) == NULL) {
> - warnx("%s: certificate has invalid notAfter", fn);
> - goto badcert;
> - }
> - if (X509_cmp_time(notBefore, &now) != -1) {
> + if (p->notbefore >= now) {
> warnx("%s: certificate not yet valid", fn);
> goto badcert;
> }
> - if (X509_cmp_time(notAfter, &now) != 1) {
> + if (p->notafter <= now) {
> warnx("%s: certificate has expired", fn);
> goto badcert;
> }
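Review bot: The two new comparisons reject a certificate at both boundary instants (`p->notbefore >= now` and `p->notafter <= now`), whereas RFC 5280 §4.1.2.5 defines the validity period as running from notBefore through notAfter inclusive; the inclusive forms would be `if (p->notbefore > now)` and `if (p->notafter < now)`. Whether this changes behaviour at the exact boundary second relative to the removed X509_cmp_time() calls depends on how that function treats equality, which the hunk does not show, so if the strict form is intended a short comment saying so would stop the next reader from "fixing" it. The check now also relies on cert_parse_pre() having already filled in p->notbefore and p->notafter, as the description states; a one-line comment at the site such as `/* notbefore/notafter were populated by cert_parse_pre() */` would make that precondition visible. ta_parse() begins and ends outside this hunk.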
> @@ -1139,7 +1129,7 @@ ta_parse(const char *fn, struct cert *p,
> EVP_PKEY_free(pk);
> return p;
>
> -badcert:
> + badcert:
> EVP_PKEY_free(pk);
> cert_free(p);
> return NULL;
>
OK claudio@
--
:wq Claudio