From: Theo Buehler
Subject: rpki-client: introduce x509_get_generalized_time()
To: tech@openbsd.org
Date: Thu, 11 Sep 2025 03:58:27 +0200

Simple refactor that packs four copy-pasted stanzas into a helper.

Index: ccr.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/ccr.c,v
diff -u -p -r1.7 ccr.c
--- ccr.c 9 Sep 2025 13:22:38 -0000 1.7
+++ ccr.c 11 Sep 2025 01:27:39 -0000
@@ -928,17 +928,9 @@ parse_manifeststate(const char *fn, stru
 if (ccr->mfts_hash == NULL)
 goto out;
 
- /*
- * XXX: refactor into a x509_get_generalized_time() function.
- */
- if (ASN1_STRING_length(state->mostRecentUpdate) != GENTIME_LENGTH) {
- warnx("%s: mostRecentUpdate time format invalid", fn);
+ if (!x509_get_generalized_time(fn, "CCR mostRecentUpdate",
+ state->mostRecentUpdate, &ccr->most_recent_update))
 goto out;
- }
- if (!x509_get_time(state->mostRecentUpdate, &ccr->most_recent_update)) {
- warnx("%s: parsing CCR mostRecentUpdate failed", fn);
- goto out;
- }
 
 if (!parse_mft_refs(fn, ccr, state->mftrefs))
 goto out;
@@ -1355,14 +1347,9 @@ ccr_parse(const char *fn, const unsigned
 if ((ccr = calloc(1, sizeof(*ccr))) == NULL)
 err(1, NULL);
 
- if (ASN1_STRING_length(ccr_asn1->producedAt) != GENTIME_LENGTH) {
- warnx("%s: embedded from time format invalid", fn);
+ if (!x509_get_generalized_time(fn, "CCR producedAt",
+ ccr_asn1->producedAt, &ccr->producedat))
 goto out;
- }
- if (!x509_get_time(ccr_asn1->producedAt, &ccr->producedat)) {
- warnx("%s: parsing CCR producedAt failed", fn);
- goto out;
- }
 
 if (ccr_asn1->mfts == NULL && ccr_asn1->vrps == NULL &&
 ccr_asn1->vaps == NULL && ccr_asn1->tas == NULL) {
Index: extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
diff -u -p -r1.262 extern.h
--- extern.h 9 Sep 2025 08:23:24 -0000 1.262
+++ extern.h 11 Sep 2025 01:27:29 -0000
@@ -975,6 +975,8 @@ struct ibuf *io_buf_get(struct msgbuf *)
 void x509_init_oid(void);
 char *x509_pubkey_get_ski(X509_PUBKEY *, const char *);
 int x509_get_time(const ASN1_TIME *, time_t *);
+int x509_get_generalized_time(const char *, const char *,
+ const ASN1_TIME *, time_t *);
 char *x509_convert_seqnum(const char *, const char *,
 const ASN1_INTEGER *);
 int x509_valid_seqnum(const char *, const char *,
Index: mft.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v
diff -u -p -r1.131 mft.c
--- mft.c 9 Sep 2025 08:23:24 -0000 1.131
+++ mft.c 11 Sep 2025 01:29:57 -0000
@@ -310,27 +310,13 @@ mft_parse_econtent(const char *fn, struc
 if (mft->seqnum == NULL)
 goto out;
 
- /*
- * OpenSSL's DER decoder implementation will accept a GeneralizedTime
- * which doesn't conform to RFC 5280. So, double check.
- */
- if (ASN1_STRING_length(mft_asn1->thisUpdate) != GENTIME_LENGTH) {
- warnx("%s: embedded from time format invalid", fn);
+ if (!x509_get_generalized_time(fn, "manifest thisUpdate",
+ mft_asn1->thisUpdate, &mft->thisupdate))
 goto out;
- }
- if (ASN1_STRING_length(mft_asn1->nextUpdate) != GENTIME_LENGTH) {
- warnx("%s: embedded until time format invalid", fn);
- goto out;
- }
 
- if (!x509_get_time(mft_asn1->thisUpdate, &mft->thisupdate)) {
- warnx("%s: parsing manifest thisUpdate failed", fn);
- goto out;
- }
- if (!x509_get_time(mft_asn1->nextUpdate, &mft->nextupdate)) {
- warnx("%s: parsing manifest nextUpdate failed", fn);
+ if (!x509_get_generalized_time(fn, "manifest nextUpdate",
+ mft_asn1->nextUpdate, &mft->nextupdate))
 goto out;
- }
 
 if (mft->thisupdate > mft->nextupdate) {
 warnx("%s: bad update interval", fn);
Index: rpki-asn1.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/rpki-asn1.h,v
diff -u -p -r1.4 rpki-asn1.h
--- rpki-asn1.h 9 Sep 2025 08:23:24 -0000 1.4
+++ rpki-asn1.h 11 Sep 2025 01:19:28 -0000
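Review bot: The comment explaining why the length check exists ("OpenSSL's DER decoder implementation will accept a GeneralizedTime which doesn't conform to RFC 5280. So, double check.") is deleted in this mft.c hunk but is not carried over to the new helper in x509.c, so the `GENTIME_LENGTH` comparison there is left unexplained. Suggest keeping that rationale above `x509_get_generalized_time()`, e.g. `/* The DER decoder accepts a GeneralizedTime that does not conform to RFC 5280 (YYYYMMDDHHMMSSZ), so double check the length before converting. */`. The same applies to the ccr.c hunks, where the removed XXX comment was the only pointer to this check. mft_parse_econtent() begins and ends outside the hunk.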
@@ -24,8 +24,6 @@
 #include
 #include
 
-#define GENTIME_LENGTH 15
-
 /*
 * Autonomous System Provider Authorization (ASPA)
 * reference: draft-ietf-sidrops-aspa-profile
Index: x509.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
diff -u -p -r1.118 x509.c
--- x509.c 9 Sep 2025 08:23:24 -0000 1.118
+++ x509.c 11 Sep 2025 01:31:14 -0000
@@ -28,6 +28,8 @@
 
 #include "extern.h"
 
+#define GENTIME_LENGTH 15
+
 ASN1_OBJECT *certpol_oid; /* id-cp-ipAddr-asNumber cert policy */
 ASN1_OBJECT *caissuers_oid; /* 1.3.6.1.5.5.7.48.2 (caIssuers) */
 ASN1_OBJECT *carepo_oid; /* 1.3.6.1.5.5.7.48.5 (caRepository) */
@@ -308,6 +310,21 @@ x509_get_time(const ASN1_TIME *at, time_
 return 0;
 if ((*t = timegm(&tm)) == -1)
 errx(1, "timegm failed");
+ return 1;
+}
+
+int
+x509_get_generalized_time(const char *fn, const char *descr,
+ const ASN1_TIME *at, time_t *t)
+{
+ if (at->length != GENTIME_LENGTH) {
+ warnx("%s: %s time format invalid", fn, descr);
+ return 0;
+ }
+ if (!x509_get_time(at, t)) {
+ warnx("%s: parsing %s failed", fn, descr);
+ return 0;
+ }
 return 1;
 }
 
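Review bot: The new helper reads `at->length` directly, whereas the four stanzas it replaces all went through `ASN1_STRING_length()`; if the portable build is compiled against an OpenSSL where ASN1_STRING is opaque, the direct field access will not compile, so the accessor is the safer form: `if (ASN1_STRING_length(at) != GENTIME_LENGTH) {`. The function is named for GeneralizedTime but only checks the length; whether every caller's ASN.1 template already pins the tag cannot be seen from this diff, and if it does not, a check such as `ASN1_STRING_type(at) != V_ASN1_GENERALIZEDTIME` before the length test would make the helper's contract explicit rather than implied by its name. The tail of x509_get_time() shown as leading context starts outside the hunk.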