GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION: deprecated

This removes the documented use of this macro. It was non-functional.
Given the nature of the definition of the non-well defined date for
certificates, it may be wise not to use a special macro at all. The
reason is that the no-well defined date is a real date (~year 9999),
and any approximation with seconds will be unstable due to irregular
leap seconds.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

diff --git a/NEWS b/NEWS
index 4cab2d1e726d7540c91291a23a63e1d74da9b967..ea0752831cc3ac8c82d9caf60a0f43116ad4aa7c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -12,9 +12,13 @@ See the end for copying conditions.
    types via the priority strings. The raw public-key mechanism must be explicitly
    enabled via the GNUTLS_ENABLE_RAWPK init flag.
 
+** GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. The previous
+   definition was buggy and non-functional.
+
 ** API and ABI modifications:
 GNUTLS_ENABLE_RAWPK: Added
 GNUTLS_ENABLE_CERT_TYPE_NEG: Removed (was no-op; replaced by GNUTLS_ENABLE_RAWPK) 
+GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION: Deprecated
 
 
 * Version 3.6.5 (released 2018-12-01)

diff --git a/doc/cha-upgrade.texi b/doc/cha-upgrade.texi
index 28c9249a7de889aa6fc2a24391b9195c01404dcc..286790de5b448f54af900da8b4043fd534fe7d12 100644 (file)
--- a/doc/cha-upgrade.texi
+++ b/doc/cha-upgrade.texi
@@ -258,4 +258,9 @@ before calling this function to avoid delays.
 @item Supplemental data is not supported under TLS 1.3
 @tab The TLS supplemental data handshake message (RFC 4680) is not supported under TLS 1.3, so if the application calls @funcref{gnutls_supplemental_register} or @funcref{gnutls_session_supplemental_register}, TLS 1.3 is disabled.
 
+@item The GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION macro is a no-op
+@tab The macro was non-functional and because of the nature of the
+definition of the no-well-defined date for certificates (a real date),
+it will not be fixed or re-introduced.
+
 @end multitable

diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 13b642a840e6ba428bf606311e34a8e81a695281..e6a311aa7a79f95014cad5358350c73f71919fa0 100644 (file)
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -421,6 +421,7 @@ int gnutls_x509_crl_sign2(gnutls_x509_crl_t crl,
 
 time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt_t cert);
 
+/* This macro is deprecated and defunc; do not use */
 #define GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION ((time_t)4294197631)
 
 time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt_t cert);

diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 998062fd6dbc6d8768969259c9dff82eea375fa7..b5de7cb7c84d80f6245fdd012e10c444c0c2d533 100644 (file)
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -1174,12 +1174,9 @@ time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt_t cert)
  * gnutls_x509_crt_get_expiration_time:
  * @cert: should contain a #gnutls_x509_crt_t type
  *
- * This function will return the time this Certificate was or will be
+ * This function will return the time this certificate was or will be
  * expired.
  *
- * The no well defined expiration time can be checked against with the
- * %GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION macro.
- *
  * Returns: expiration time, or (time_t)-1 on error.
  **/
 time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt_t cert)

diff --git a/src/pkcs11.c b/src/pkcs11.c
index 66ef6b0fe028623fd205f0b9271364679c286f72..fe865f3f7170e083aa97eba84d726857cd181c07 100644 (file)
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
@@ -314,10 +314,7 @@ pkcs11_list(FILE * outfile, const char *url, int type, unsigned int flags,
                }
 
                if (otype == GNUTLS_PKCS11_OBJ_X509_CRT && exp != -1) {
-                       if (exp == GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION)
-                               fprintf(outfile, "\tExpires: Never\n");
-                       else
-                               fprintf(outfile, "\tExpires: %s", ctime(&exp));
+                       fprintf(outfile, "\tExpires: %s", ctime(&exp));
                }
 
                gnutls_free(output);