authorTheo Buehler <tb@cvs.openbsd.org>2024-06-06 03:29:53 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2024-06-06 03:29:53 +0000
commit8b60c20640e5057db590b42a58d6e655f5cc5bf5 (patch)
treec1505b948529a56026b03fc398035c7a1cad1327 /usr.sbin/rpki-client
parenta9b24414f400e7aa8039d4006d138a51b288c38c (diff)
rpki-client: simplify ta_parse()
Since this is always called after cert_parse_pre(), notBefore and notAfter are available in struct cert, so we can use time_t comparison. ok claudio
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r--usr.sbin/rpki-client/cert.c18
1 files changed, 4 insertions, 14 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 76d4e4eb816..ff662ce1a35 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.136 2024/06/04 14:10:53 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.137 2024/06/06 03:29:52 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -1073,7 +1073,6 @@ struct cert *
ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
size_t pkeysz)
{
- ASN1_TIME *notBefore, *notAfter;
EVP_PKEY *pk, *opk;
time_t now = get_current_time();
@@ -1095,20 +1094,11 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
"pubkey does not match TAL pubkey", fn);
goto badcert;
}
-
- if ((notBefore = X509_get_notBefore(p->x509)) == NULL) {
- warnx("%s: certificate has invalid notBefore", fn);
- goto badcert;
- }
- if ((notAfter = X509_get_notAfter(p->x509)) == NULL) {
- warnx("%s: certificate has invalid notAfter", fn);
- goto badcert;
- }
- if (X509_cmp_time(notBefore, &now) != -1) {
+ if (p->notbefore >= now) {
warnx("%s: certificate not yet valid", fn);
goto badcert;
}
- if (X509_cmp_time(notAfter, &now) != 1) {
+ if (p->notafter <= now) {
warnx("%s: certificate has expired", fn);
goto badcert;
}
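Review bot: Both new comparisons use strict inequalities, so a certificate is rejected at the exact second when now equals p->notbefore or p->notafter, whereas RFC 5280 treats the validity period as inclusive at both ends. As far as I recall this matches the X509_cmp_time() tests the hunk removes, so behaviour is unchanged, but the choice is now much easier to miss, and a one-line comment above the first test would help, e.g. `/* Deliberately strict: reject when now == notbefore/notafter, as the X509_cmp_time() checks did. */`. ta_parse() now also depends on cert_parse_pre() having populated p->notbefore and p->notafter, a precondition stated only in the commit message; if the fields were left zero the notafter test would fail closed, which is acceptable, but the precondition belongs in ta_parse()'s header comment rather than in history. The function's body starts before this hunk and continues after it.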
@@ -1139,7 +1129,7 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
EVP_PKEY_free(pk);
return p;
-badcert:
+ badcert:
EVP_PKEY_free(pk);
cert_free(p);
return NULL;