From: Theo Buehler
Subject: acme-client timegm(3)
To: tech@openbsd.org
Date: Thu, 28 May 2026 03:43:10 +0200

An in-band error doesn't work here for the same reason that it doesn't work for timegm(3), so use a time_t * to set notbefore/notafter. Pebble exercises this code and is happy. Of course, with the aggressive push to very short-lived certificates in the Web PKI, negative epoch times won't happen here in practice. Maybe using 1 for success and 0 for error would be more in line with other acme-client helpers. Happy to switch to that in a follow-up if that is preferred.
Index: revokeproc.c
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/revokeproc.c,v
diff -u -p -r1.28 revokeproc.c
--- revokeproc.c 2 Mar 2026 10:38:44 -0000 1.28
+++ revokeproc.c 27 May 2026 19:34:31 -0000
@@ -37,8 +37,8 @@
 /*
 * Convert the X509's notAfter time into a time_t value.
 */
-static time_t
-X509notafter(X509 *x)
+static int
+X509notafter(const X509 *x, time_t *notafter)
 {
 ASN1_TIME *atim;
 struct tm t;
@@ -51,14 +51,18 @@ X509notafter(X509 *x)
 if (!ASN1_TIME_to_tm(atim, &t))
 return -1;
 
- return timegm(&t);
+ t.tm_wday = -1;
+ if ((*notafter = timegm(&t)) == -1 && t.tm_wday == -1)
+ return -1;
+
+ return 0;
 }
 
 /*
 * Convert the X509's notBefore time into a time_t value.
 */
-static time_t
-X509notbefore(X509 *x)
+static int
+X509notbefore(const X509 *x, time_t *notbefore)
 {
 ASN1_TIME *atim;
 struct tm t;
@@ -71,7 +75,11 @@ X509notbefore(X509 *x)
 if (!ASN1_TIME_to_tm(atim, &t))
 return -1;
 
- return timegm(&t);
+ t.tm_wday = -1;
+ if ((*notbefore = timegm(&t)) == -1 && t.tm_wday == -1)
+ return -1;
+
+ return 0;
 }
 
 int
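Review bot: The comment above X509notafter still reads only "Convert the X509's notAfter time into a time_t value", which no longer describes the interface now that the function returns a status and writes the result through `notafter`. I would add a line such as `Returns 0 and stores the time in *notafter on success; returns -1 on failure, in which case *notafter must not be used.` The last clause matters because the next hunk assigns `*notafter` before it tests for the error. The comment above X509notbefore in the following hunk needs the same update, and both function bodies continue outside their hunks.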
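Review bot: The added `t.tm_wday = -1;` before the timegm() call carries no comment, so a later cleanup could mistake it for a dead store and remove it, silently bringing back the ambiguous -1. A short comment directly above it would protect the idiom, for example `/* timegm(3) returns -1 both on error and for 1969-12-31 23:59:59 UTC; tm_wday is only updated on success. */`. The same three lines are added to X509notbefore in the next hunk and want the same comment. Both functions begin outside the hunks shown.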
@@ -141,12 +149,12 @@ revokeproc(int fd, const char *certfile,
 
 /* Read out the expiration date. */
 
- if ((notafter = X509notafter(x)) == -1) {
+ if (X509notafter(x, ¬after) == -1) {
 warnx("X509notafter");
 goto out;
 }
 
- if ((notbefore = X509notbefore(x)) == -1) {
+ if (X509notbefore(x, ¬before) == -1) {
 warnx("X509notbefore");
 goto out;
 }
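Review bot: Nothing in these lines checks that notbefore is not later than notafter once both conversions succeed, and with the in-band -1 gone every time_t value, negative ones included, is now accepted as valid. If the code after this hunk derives a lifetime or renewal window from the two values, a guard right after the second call, such as `if (notbefore > notafter) { warnx("inverted validity period"); goto out; }`, would stop a malformed certificate file from yielding a negative interval. revokeproc() starts and ends outside the hunk, so this may already be handled further down.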