From: Claudio Jeker
Subject: Re: rpki-client: simplify ta_parse()
To: Theo Buehler
Cc: tech@openbsd.org
Date: Wed, 5 Jun 2024 16:20:17 +0200

On Wed, Jun 05, 2024 at 03:56:17PM +0200, Theo Buehler wrote:
> ta_parse() is always called after cert_parse_pre() which already stores
> notbefore and notafter in struct cert, so we can use a time_t comparison.
> Of course this assumes that we're not on a 32-time_t operating system,
> which we do elsewhere already.
>
> Index: cert.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> diff -u -p -r1.136 cert.c
> --- cert.c 4 Jun 2024 14:10:53 -0000 1.136
> +++ cert.c 5 Jun 2024 11:29:35 -0000
> @@ -1073,7 +1073,6 @@ struct cert *
> ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
> size_t pkeysz)
> {
> - ASN1_TIME *notBefore, *notAfter;
> EVP_PKEY *pk, *opk;
> time_t now = get_current_time();
>
> @@ -1095,20 +1094,11 @@ ta_parse(const char *fn, struct cert *p,
> "pubkey does not match TAL pubkey", fn);
> goto badcert;
> }
> -
> - if ((notBefore = X509_get_notBefore(p->x509)) == NULL) {
> warnx("%s: certificate has invalid notBefore", fn);
> goto badcert;
> }
> - if ((notAfter = X509_get_notAfter(p->x509)) == NULL) {
> warnx("%s: certificate has invalid notAfter", fn);
> goto badcert;
> }
> - if (X509_cmp_time(notBefore, &now) != -1) {
> + if (p->notbefore >= now) {
> warnx("%s: certificate not yet valid", fn);
> goto badcert;
> }
> - if (X509_cmp_time(notAfter, &now) != 1) {
> + if (p->notafter <= now) {
> warnx("%s: certificate has expired", fn);
> goto badcert;
> }
> @@ -1139,7 +1129,7 @@ ta_parse(const char *fn, struct cert *p,
> EVP_PKEY_free(pk);
> return p;
>
> -badcert:
> + badcert:
> EVP_PKEY_free(pk);
> cert_free(p);
> return NULL;
>
OK claudio@
--
:wq Claudio
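Review bot: In the second hunk the validity check now depends on cert_parse_pre() having already parsed and range-checked p->notbefore and p->notafter, a precondition that is stated only in the mail and nowhere in the function; a one-line comment above the new comparison, `/* notbefore/notafter were parsed and validated by cert_parse_pre(). */`, would keep that dependency visible if the call order ever changes. The strict `>=` and `<=` comparisons carry over the previous X509_cmp_time() semantics, so a certificate whose notBefore or notAfter equals `now` is still rejected; RFC 5280 treats both bounds as inclusive, so this edge case is inherited rather than introduced, but a short comment would make clear it is deliberate. The old "certificate has invalid notBefore/notAfter" diagnostics disappear together with the X509_get_notBefore()/X509_get_notAfter() NULL checks, which is only equivalent if cert_parse_pre() already rejects malformed validity times with a warning of its own, something this hunk does not show. ta_parse() continues outside each of the three hunks.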