From 1066617378e4348727c65c2ce81a771e606389af Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Mon, 13 Nov 2023 11:50:36 +0000
Subject: [PATCH] Check notBefore/notAfter validity with ASN1_TIME_to_tm(3)

ok beck
---
 usr.bin/openssl/x509.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/usr.bin/openssl/x509.c b/usr.bin/openssl/x509.c
index 7c8f34f64ce..8e8a9f2dc32 100644
--- a/usr.bin/openssl/x509.c
+++ b/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.33 2023/04/14 06:47:07 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.34 2023/11/13 11:50:36 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1156,8 +1156,7 @@ x509_main(int argc, char **argv)
 				ASN1_TIME *nB = X509_get_notBefore(x);
 
 				BIO_puts(STDout, "notBefore=");
-				if (ASN1_time_parse(nB->data, nB->length, NULL,
-				    0) == -1)
+				if (!ASN1_TIME_to_tm(nB, NULL))
 					BIO_puts(STDout,
 					    "INVALID RFC5280 TIME");
 				else
@@ -1167,8 +1166,7 @@ x509_main(int argc, char **argv)
 				ASN1_TIME *nA = X509_get_notAfter(x);
 
 				BIO_puts(STDout, "notAfter=");
-				if (ASN1_time_parse(nA->data, nA->length, NULL,
-				    0) == -1)
+				if (!ASN1_TIME_to_tm(nA, NULL))
 					BIO_puts(STDout,
 					    "INVALID RFC5280 TIME");
 				else
-- 
2.20.1