On Fri, Dec 05, 2025 at 12:14:55PM -0700, Bob Beck wrote:
> On Fri, Dec 05, 2025 at 11:07:49AM -0700, Bob Beck wrote:
> > 
> > 
> > > On Nov 24, 2025, at 23:07, Theo Buehler <tb@theobuehler.org> wrote:
> > > 
> > > On Mon, Nov 24, 2025 at 03:31:58PM +0100, Theo Buehler wrote:
> > >> beck and davidben have plans to make ASN1_STRING opaque in OpenSSL 4 [1].
> > >> This breaks somewhere in the vicinity of 200 ports, so I don't think we'll
> > >> flip the switch anytime soon in libressl, but I want base to be ready for
> > >> that since that makes my life easier.
> > > 
> > > Here's the second step. This allows things that aren't really kosher in
> > > modern X.509 like omitting seconds or allowing local times.
> > > 
> > > Since this transforms notBefore and notAfter into a string to be used in
> > > a keynote assertion, existing libcrypto interfaces aren't suitable, so I
> > > kept this mechanical by assigning the data and length fields to local
> > > variables accessors and replacing tm->data by data and tm->length by
> > > len, only occasionally fixing up whitespace and omitting parentheses.
> > > 
> > > The whole dance should be deduplicated, but I'll leave that for someone
> > > else.
> > 
> > I *think* this is ok? But that code is uglier than my butthole after a week of hiking. 
> > 
> > I suspect a lot of the nonconformant crap mattered 20 years ago and is not used at all today so could be removed. 
> > 
> > But don???t do that here. 
> 
> I.E. I suspect this would work fine (passes regress) but I'd just land yours for now, if
> we want to do this we put it in and ask isakmp people to test later.

Yeah, I had something similar in mind. What made me pause is that the
x509 part of the regress tests is completely busted. As I wrote in my
first mail in this thread:

 (In case you wonder: x509_cert_subjectaltname() isn't static because it
 is "used" from regress/isakmpd/x509. That thing is completely broken and
 hasn't been successfully compiled since reyk removed math_mp.h back in
 2010, possibly much longer.)