CVSROOT: /cvs Module name: src Changes by: j...@cvs.openbsd.org 2023/03/13 13:46:56
Modified files: usr.sbin/rpki-client: cms.c Log message: Check that the CMS signing-time isn't after the X.509 notAfter The CMS signing-time is the purported 'now' from the perspective of the issuer. It doesn't make sense for an issuer to sign objects that have a validity window that falls entirely in the past (from the perspective of the signer). Although CMS signing-time is not a trusted timestamp, it should never be after X.509 notAfter. OK tb@