1 files changed, 16 insertions, 5 deletions
diff --git a/src/usr.bin/openssl/x509.c b/src/usr.bin/openssl/x509.c
index b25a7c828c..14c61261ee 100644
--- a/src/usr.bin/openssl/x509.c
+++ b/src/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.17 2019/01/19 21:17:05 jsg Exp $ */
+/* $OpenBSD: x509.c,v 1.18 2020/05/10 17:13:31 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -774,12 +774,20 @@ x509_main(int argc, char **argv)
                        } else if (text == i) {
                                X509_print_ex(STDout, x, nmflag, certflag);
                        } else if (startdate == i) {
+                                ASN1_TIME *nB = X509_get_notBefore(x);
                                BIO_puts(STDout, "notBefore=");
-                                ASN1_TIME_print(STDout, X509_get_notBefore(x));
+                                if (ASN1_time_parse(nB->data, nB->length, NULL, 0) == -1)
+                                        BIO_puts(STDout, "INVALID RFC5280 TIME");
+                                else
+                                        ASN1_TIME_print(STDout, nB);
                                BIO_puts(STDout, "\n");
                        } else if (enddate == i) {
+                                ASN1_TIME *nA = X509_get_notAfter(x);
                                BIO_puts(STDout, "notAfter=");
-                                ASN1_TIME_print(STDout, X509_get_notAfter(x));
+                                if (ASN1_time_parse(nA->data, nA->length, NULL, 0) == -1)
+                                        BIO_puts(STDout, "INVALID RFC5280 TIME");
+                                else
+                                        ASN1_TIME_print(STDout, nA);
                                BIO_puts(STDout, "\n");
                        } else if (fingerprint == i) {
                                int j;
@@ -863,8 +871,11 @@ x509_main(int argc, char **argv)
        }
        if (checkend) {
                time_t tcheck = time(NULL) + checkoffset;
+                int timecheck = X509_cmp_time(X509_get_notAfter(x), &tcheck);
-                if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) {
+                if (timecheck == 0) {
+                        BIO_printf(out, "Certificate expiry time is invalid\n");
+                        ret = 1;
+                } else if (timecheck < 0) {
                        BIO_printf(out, "Certificate will expire\n");
                        ret = 1;
                } else {

diff --git a/src/usr.bin/openssl/x509.c b/src/usr.bin/openssl/x509.c index b25a7c828c..14c61261ee 100644 --- a/src/usr.bin/openssl/x509.c +++ b/src/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509.c,v 1.17 2019/01/19 21:17:05 jsg Exp $ */	1	/* $OpenBSD: x509.c,v 1.18 2020/05/10 17:13:31 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -774,12 +774,20 @@ x509_main(int argc, char **argv)
774	} else if (text == i) {	774	} else if (text == i) {
775	X509_print_ex(STDout, x, nmflag, certflag);	775	X509_print_ex(STDout, x, nmflag, certflag);
776	} else if (startdate == i) {	776	} else if (startdate == i) {
		777	ASN1_TIME *nB = X509_get_notBefore(x);
777	BIO_puts(STDout, "notBefore=");	778	BIO_puts(STDout, "notBefore=");
778	ASN1_TIME_print(STDout, X509_get_notBefore(x));	779	if (ASN1_time_parse(nB->data, nB->length, NULL, 0) == -1)
		780	BIO_puts(STDout, "INVALID RFC5280 TIME");
		781	else
		782	ASN1_TIME_print(STDout, nB);
779	BIO_puts(STDout, "\n");	783	BIO_puts(STDout, "\n");
780	} else if (enddate == i) {	784	} else if (enddate == i) {
		785	ASN1_TIME *nA = X509_get_notAfter(x);
781	BIO_puts(STDout, "notAfter=");	786	BIO_puts(STDout, "notAfter=");
782	ASN1_TIME_print(STDout, X509_get_notAfter(x));	787	if (ASN1_time_parse(nA->data, nA->length, NULL, 0) == -1)
		788	BIO_puts(STDout, "INVALID RFC5280 TIME");
		789	else
		790	ASN1_TIME_print(STDout, nA);
783	BIO_puts(STDout, "\n");	791	BIO_puts(STDout, "\n");
784	} else if (fingerprint == i) {	792	} else if (fingerprint == i) {
785	int j;	793	int j;
@@ -863,8 +871,11 @@ x509_main(int argc, char **argv)
863	}	871	}
864	if (checkend) {	872	if (checkend) {
865	time_t tcheck = time(NULL) + checkoffset;	873	time_t tcheck = time(NULL) + checkoffset;
866		874	int timecheck = X509_cmp_time(X509_get_notAfter(x), &tcheck);
867	if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) {	875	if (timecheck == 0) {
		876	BIO_printf(out, "Certificate expiry time is invalid\n");
		877	ret = 1;
		878	} else if (timecheck < 0) {
868	BIO_printf(out, "Certificate will expire\n");	879	BIO_printf(out, "Certificate will expire\n");
869	ret = 1;	880	ret = 1;
870	} else {	881	} else {