CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/03/13 13:46:56
Modified files:
usr.sbin/rpki-client: cms.c
Log message:
Check that the CMS signing-time isn't after the X.509 notAfter
The CMS signing-time is the purported 'now' from the perspective of the
issuer. It doesn't make sense for an issuer to sign objects that have a
validity window that falls entirely in the past (from the perspective of
the signer). Although CMS signing-time is not a trusted timestamp, it
should never be after X.509 notAfter.
OK tb@
