author | Job Snijders <job@cvs.openbsd.org> | 2023-03-12 11:54:57 +0000 |
---|---|---|
committer | Job Snijders <job@cvs.openbsd.org> | 2023-03-12 11:54:57 +0000 |
commit | 895f6ce1f3826b69e29e6cd75c0489f9dcb8eead (patch) | |
tree | 63a14379239c3657b3b8e1465b34756a130b9235 /usr.sbin/rpki-client/x509.c | |
parent | cd2b4d1c84e2d10548a6e220ea43e92cd24d51f4 (diff) |
Refactor expiration calculation
Unify common code paths which find the exact expiry moment into a new
helper function. Additionally, the new helper offers more accuracy by
checking more applicable CRLs whether their 'nextupdate' is 'sooner'.
tb@ noted: The helper adds a multiplier of log(#crls), but that's
certainly acceptable as it is still very cheap.
OK tb@
Diffstat (limited to 'usr.sbin/rpki-client/x509.c')
-rw-r--r-- | usr.sbin/rpki-client/x509.c | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 24a01f8baee..cd53ecf9c85 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.68 2023/03/10 12:44:56 job Exp $ */
+/* $OpenBSD: x509.c,v 1.69 2023/03/12 11:54:56 job Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -830,3 +830,25 @@ x509_convert_seqnum(const char *fn, const ASN1_INTEGER *i)
 BN_free(seqnum);
 return s;
 }
+
+/*
+ * Find the closest expiry moment by walking the chain of authorities.
+ */
+time_t
+x509_find_expires(time_t notafter, struct auth *a, struct crl_tree *crlt)
+{
+ struct crl *crl;
+ time_t expires;
+
+ expires = notafter;
+
+ for (; a != NULL; a = a->parent) {
+ if (expires > a->cert->notafter)
+ expires = a->cert->notafter;
+ crl = crl_get(crlt, a);
+ if (crl != NULL && expires > crl->nextupdate)
+ expires = crl->nextupdate;
+ }
+
+ return expires;
+} |
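Review bot: In the loop of `x509_find_expires`, a NULL return from `crl_get(crlt, a)` is skipped silently, so an authority with no CRL in `crlt` contributes only its certificate's `notafter` to the bound, and nothing in the hunk says whether that is intended. If callers are guaranteed to have validated the chain before calling this helper (not visible here), a comment on that branch would record it, e.g. `/* no CRL found for this authority: only its cert notafter bounds the result */`. The header comment could also state the contract: the return value is the minimum of `notafter`, each `a->cert->notafter` up the parent chain and each found `crl->nextupdate`, and it is never compared with the current time, so it may already lie in the past. `a->cert` is dereferenced unchecked, which presumably relies on every `struct auth` carrying a certificate; that assumption is worth a word in the same comment.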