From 380397a6e914c48ea710c6922c112e1158085396 Mon Sep 17 00:00:00 2001
From: tb
Date: Mon, 13 Apr 2026 03:14:28 +0000
Subject: [PATCH] rpki-client: ignore malformed revocationDate in CRLs

Do not treat x509_get_time() failure as a hard error in file mode. Just skip the entry we can't format and emit a warning.
ok claudio
---
 usr.sbin/rpki-client/print.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/rpki-client/print.c b/usr.sbin/rpki-client/print.c
index 1a74eab3958..ff82d989d8b 100644
--- a/usr.sbin/rpki-client/print.c
+++ b/usr.sbin/rpki-client/print.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: print.c,v 1.75 2026/04/03 02:07:15 tb Exp $ */
+/* $OpenBSD: print.c,v 1.76 2026/04/13 03:14:28 tb Exp $ */
 /*
 * Copyright (c) 2021 Claudio Jeker
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -424,10 +424,12 @@ crl_print(const struct crl *p)
 revlist = X509_CRL_get_REVOKED(p->x509_crl);
 for (i = 0; i < sk_X509_REVOKED_num(revlist); i++) {
 rev = sk_X509_REVOKED_value(revlist, i);
+ if (!x509_get_time(X509_REVOKED_get0_revocationDate(rev), &t)) {
+ warnx("x509_get_time() failed - malformed ASN.1?");
+ continue;
+ }
 serial = x509_convert_seqnum(__func__, "serial number",
 X509_REVOKED_get0_serialNumber(rev));
- if (!x509_get_time(X509_REVOKED_get0_revocationDate(rev), &t))
- errx(1, "x509_get_time() failed - malformed ASN.1?");
 if (serial != NULL) {
 if (outformats & FORMAT_JSON) {
 json_do_object("cert", 1);
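Review bot: The `warnx()` added in the revocation loop of `crl_print()` does not say which entry was skipped, so now that the failure is non-fatal the printed list can be short by one or more revoked serials with nothing in the warning to tie the gap to a certificate. The check now runs before `x509_convert_seqnum()` (presumably so that `continue` cannot leak `serial`; the matching free is not visible in this hunk), which leaves the loop index as the only identifier at hand, e.g. `warnx("%s: revoked entry %d: malformed revocationDate", __func__, i);`, assuming `i` is an `int`. A consumer of the JSON output gets no in-band sign that an entry was omitted, so a short comment at the check such as `/* file mode only: entries whose date cannot be formatted are dropped from the output */` would help anyone who treats this listing as the full revocation set. The body of `crl_print()` starts and ends outside the hunk.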