path: root/usr.sbin/rpki-client/parser.c
authorClaudio Jeker <claudio@cvs.openbsd.org>2023-05-30 12:14:49 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2023-05-30 12:14:49 +0000
commitdb4edd41d3ba3d68c32cf26f7f1335ae8455f641 (patch)
tree41b75ab1b9e0e268f929ffb23377b65a488db0b6 /usr.sbin/rpki-client/parser.c
parent7a414d19c7705f7aec83348388a4be3f581af55d (diff)
Revert commitid ANSBO0rBvIUtTi45:
Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time. Using the time of invocation does not work well with fast publishing CAs. It can take a few minutes to reach a repo and that CA may have issued certificates that are not yet valid if that startup time of rpki-client is used to validate. This still keeps the -P option to specify a fixed validation time. OK beck@ job@ tb@
Diffstat (limited to 'usr.sbin/rpki-client/parser.c')
-rw-r--r--usr.sbin/rpki-client/parser.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index 7da33377ac3..93c0eca95b8 100644
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.94 2023/05/11 20:13:30 job Exp $ */
+/* $OpenBSD: parser.c,v 1.95 2023/05/30 12:14:48 claudio Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -312,6 +312,9 @@ static struct mft *
proc_parser_mft_post(char *file, struct mft *mft, const char *path,
const char *errstr)
{
+ /* check that now is not before from */
+ time_t now = get_current_time();
+
if (mft == NULL) {
if (errstr == NULL)
errstr = "no valid mft available";
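Review bot: The comment added on the new `time_t now` declaration, `/* check that now is not before from */`, describes the comparison that happens further down in the function rather than the declaration it sits on, and the same wording is then repeated verbatim on the actual `if (now < mft->thisupdate)` check. On the declaration, a comment saying what the value is for would read better, e.g. `/* validation time, sampled once so the thisupdate/nextupdate checks below use the same instant */`. Sampling `now` before the `mft == NULL` early return means the call is made even on the error path; that is harmless if get_current_time() has no side effects, which cannot be confirmed from this hunk. The body of proc_parser_mft_post continues past the end of the hunk.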
@@ -319,14 +322,14 @@ proc_parser_mft_post(char *file, struct mft *mft, const char *path,
return NULL;
}
- /* check that evaluation_time is not before from */
- if (evaluation_time < mft->thisupdate) {
+ /* check that now is not before from */
+ if (now < mft->thisupdate) {
warnx("%s: mft not yet valid %s", file,
time2str(mft->thisupdate));
mft->stale = 1;
}
- /* check that evaluation_time is not after until */
- if (evaluation_time > mft->nextupdate) {
+ /* check that now is not after until */
+ if (now > mft->nextupdate) {
warnx("%s: mft expired on %s", file,
time2str(mft->nextupdate));
mft->stale = 1;