From: Theo Buehler Subject: rpki-client: inline x509_get_not{before,after}() To: tech@openbsd.org Date: Fri, 11 Jul 2025 13:56:25 +0200 This is a small preparatory step towards removing this specialized API. The signed object parsing functions currently use it to parse this info directly out of an X509. I will make them use a struct cert soon, and at that point we can grab the info from there. Then we only need to parse the notBefore/notAfter in a single place. x509_get_time() will stay since we need it for thisUpdate/nextUpdate in the MFT econtent for CRLs and for some pretty printing. In filemode skip the comparison to now since that broke stuff. Index: cert.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v diff -u -p -r1.191 cert.c --- cert.c 11 Jul 2025 09:18:32 -0000 1.191 +++ cert.c 11 Jul 2025 10:12:25 -0000 @@ -1153,13 +1153,41 @@ cert_check_subject_and_issuer(const char static int cert_check_validity_period(const char *fn, struct cert *cert) { - if (!x509_get_notbefore(cert->x509, fn, &cert->notbefore)) + const ASN1_TIME *at; + time_t now = get_current_time(); + + if ((at = X509_get0_notBefore(cert->x509)) == NULL) { + warnx("%s: X509_get0_notBefore() failed", fn); + return 0; + } + if (!x509_get_time(at, &cert->notbefore)) { + warnx("%s: x509_get_time() failed", fn); + return 0; + } + + if ((at = X509_get0_notAfter(cert->x509)) == NULL) { + warnx("%s: X509_get0_notAfter() failed", fn); return 0; - if (!x509_get_notafter(cert->x509, fn, &cert->notafter)) + } + if (!x509_get_time(at, &cert->notafter)) { + warnx("%s: x509_get_time() failed", fn); return 0; + } if (cert->notbefore > cert->notafter) { warnx("%s: RFC 6487, 4.6: notAfter precedes notBefore", fn); + return 0; + } + + if (filemode) + return 1; + + if (cert->notbefore > now) { + warnx("%s: certificate not yet valid", fn); + return 0; + } + if (cert->notafter < now) { + warnx("%s: certificate has expired", fn); return 0; }