acme-client timegm(3)
An in-band error doesn't work here for the same reason that it doesn't
work for timegm(3), so use a time_t * to set notbefore/notafter.
Pebble exercises this code and is happy. Of course, with the aggressive
push to very short-lived certificates in the Web PKI, negative epoch
times won't happen here in practice.
Maybe using 1 for success and 0 for error would be more in line with
other acme-client helpers. Happy to switch to that in a follow-up if
that is preferred.
Index: revokeproc.c
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/revokeproc.c,v
diff -u -p -r1.28 revokeproc.c
--- revokeproc.c 2 Mar 2026 10:38:44 -0000 1.28
+++ revokeproc.c 27 May 2026 19:34:31 -0000
@@ -37,8 +37,8 @@
/*
* Convert the X509's notAfter time into a time_t value.
*/
-static time_t
-X509notafter(X509 *x)
+static int
+X509notafter(const X509 *x, time_t *notafter)
{
ASN1_TIME *atim;
struct tm t;
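Review bot: The header comment above X509notafter still says the function converts notAfter "into a time_t value", but with the new signature it returns an int status and delivers the time through the `notafter` pointer. I would reword it along the lines of `Convert the X509's notAfter time into a time_t stored in *notafter. Returns 0 on success, -1 on failure.` so the return convention is stated where callers look for it. The comment above X509notbefore in the next hunk needs the same update. The body of X509notafter continues past the end of this hunk.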
@@ -51,14 +51,18 @@ X509notafter(X509 *x)
if (!ASN1_TIME_to_tm(atim, &t))
return -1;
- return timegm(&t);
+ t.tm_wday = -1;
+ if ((*notafter = timegm(&t)) == -1 && t.tm_wday == -1)
+ return -1;
+
+ return 0;
}
/*
* Convert the X509's notBefore time into a time_t value.
*/
-static time_t
-X509notbefore(X509 *x)
+static int
+X509notbefore(const X509 *x, time_t *notbefore)
{
ASN1_TIME *atim;
struct tm t;
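Review bot: The `t.tm_wday = -1` sentinel set before timegm() in X509notafter carries no comment, and without one the `&& t.tm_wday == -1` test is easy to misread or to "simplify" back into the in-band check this change removes. I would add a line such as `/* timegm(3) sets tm_wday on success; an untouched -1 means failure, not the time_t value -1. */` above the assignment, and the same above the identical lines in X509notbefore in the next hunk. Note also that `*notafter` is assigned before the error is decided, so it holds -1 on the failure path. The caller shown later in the diff jumps to `out` without reading it, but that contract is worth stating in the function comment. X509notafter begins before this hunk, and X509notbefore continues after it.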
@@ -71,7 +75,11 @@ X509notbefore(X509 *x)
if (!ASN1_TIME_to_tm(atim, &t))
return -1;
- return timegm(&t);
+ t.tm_wday = -1;
+ if ((*notbefore = timegm(&t)) == -1 && t.tm_wday == -1)
+ return -1;
+
+ return 0;
}
int
@@ -141,12 +149,12 @@ revokeproc(int fd, const char *certfile,
/* Read out the expiration date. */
- if ((notafter = X509notafter(x)) == -1) {
+ if (X509notafter(x, ¬after) == -1) {
warnx("X509notafter");
goto out;
}
- if ((notbefore = X509notbefore(x)) == -1) {
+ if (X509notbefore(x, ¬before) == -1) {
warnx("X509notbefore");
goto out;
}