summaryrefslogtreecommitdiff
path: root/usr.sbin/rpki-client
diff options
context:
space:
mode:
authorTheo Buehler <tb@cvs.openbsd.org>2024-10-07 12:19:53 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2024-10-07 12:19:53 +0000
commit45c10a6160e7a298c7e396d1e1c5a3f6a51aff6f (patch)
tree2168c8545b2462f5ab7003d48438dc5a1a6ef2ff /usr.sbin/rpki-client
parentc96d2db037a36fe656b841d04ab1914c131c14a3 (diff)
rpki-client: fix validity interval check
The language in RFC 5280, section 4.1.2.5 includes the end points of the validity interval. Reported by Tom Harrison ok claudio job
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r--usr.sbin/rpki-client/cert.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 6d6d6efda32..882d11d38e2 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.150 2024/07/08 15:31:58 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.151 2024/10/07 12:19:52 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -1085,11 +1085,11 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
"pubkey does not match TAL pubkey", fn);
goto badcert;
}
- if (p->notbefore >= now) {
+ if (p->notbefore > now) {
warnx("%s: certificate not yet valid", fn);
goto badcert;
}
- if (p->notafter <= now) {
+ if (p->notafter < now) {
warnx("%s: certificate has expired", fn);
goto badcert;
}