rpki-client: inline x509_get_not{before,after}()
This is a small preparatory step towards removing this specialized API.
The signed object parsing functions currently use it to parse this info
directly out of an X509. I will make them use a struct cert soon, and at
that point we can grab the info from there. Then we only need to parse
the notBefore/notAfter in a single place.
x509_get_time() will stay since we need it for thisUpdate/nextUpdate in
the MFT econtent for CRLs and for some pretty printing.
In filemode, skip the comparison against the current time, since performing it there broke things.
Index: cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
diff -u -p -r1.191 cert.c
--- cert.c 11 Jul 2025 09:18:32 -0000 1.191
+++ cert.c 11 Jul 2025 10:12:25 -0000
@@ -1153,13 +1153,41 @@ cert_check_subject_and_issuer(const char
static int
cert_check_validity_period(const char *fn, struct cert *cert)
{
- if (!x509_get_notbefore(cert->x509, fn, &cert->notbefore))
+ const ASN1_TIME *at;
+ time_t now = get_current_time();
+
+ if ((at = X509_get0_notBefore(cert->x509)) == NULL) {
+ warnx("%s: X509_get0_notBefore() failed", fn);
+ return 0;
+ }
+ if (!x509_get_time(at, &cert->notbefore)) {
+ warnx("%s: x509_get_time() failed", fn);
+ return 0;
+ }
+
+ if ((at = X509_get0_notAfter(cert->x509)) == NULL) {
+ warnx("%s: X509_get0_notAfter() failed", fn);
return 0;
- if (!x509_get_notafter(cert->x509, fn, &cert->notafter))
+ }
+ if (!x509_get_time(at, &cert->notafter)) {
+ warnx("%s: x509_get_time() failed", fn);
return 0;
+ }
if (cert->notbefore > cert->notafter) {
warnx("%s: RFC 6487, 4.6: notAfter precedes notBefore", fn);
+ return 0;
+ }
+
+ if (filemode)
+ return 1;
+
+ if (cert->notbefore > now) {
+ warnx("%s: certificate not yet valid", fn);
+ return 0;
+ }
+ if (cert->notafter < now) {
+ warnx("%s: certificate has expired", fn);
return 0;
}