From 81fe2f6d7d54144691f65b87a78cd782e9915fb3 Mon Sep 17 00:00:00 2001
From: tb
Date: Mon, 7 Oct 2024 12:19:52 +0000
Subject: [PATCH] rpki-client: fix validity interval check
The language in RFC 5280, section 4.1.2.5 includes the end points of the validity interval.
Reported by Tom Harrison
ok claudio job
---
 usr.sbin/rpki-client/cert.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 6d6d6efda32..882d11d38e2 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.150 2024/07/08 15:31:58 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.151 2024/10/07 12:19:52 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Job Snijders
@@ -1085,11 +1085,11 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
 "pubkey does not match TAL pubkey", fn);
 goto badcert;
 }
- if (p->notbefore >= now) {
+ if (p->notbefore > now) {
 warnx("%s: certificate not yet valid", fn);
 goto badcert;
 }
- if (p->notafter <= now) {
+ if (p->notafter < now) {
 warnx("%s: certificate has expired", fn);
 goto badcert;
 }
-- 
2.20.1
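Review bot: The inclusive-endpoint rule from RFC 5280 section 4.1.2.5 is recorded only in the commit message, not next to the two comparisons on `p->notbefore` and `p->notafter` in the second hunk, so a later cleanup could quietly turn them back into `>=`/`<=`. A one-line comment above the first check would pin the intent, for example `/* RFC 5280, 4.1.2.5: the validity interval includes both end points. */`. How `now` is obtained is not visible in the hunk, and any other validity comparisons against it elsewhere in the tree presumably need the same inclusive semantics; that is worth confirming separately. ta_parse starts and ends outside the hunk.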