From 94f46d377608a1374b0dfadcc2e8ef9053df1fa5 Mon Sep 17 00:00:00 2001
From: Rodolphe Breard <rodolphe@what.tf>
Date: Wed, 12 Jun 2019 11:28:34 +0200
Subject: [PATCH] Remove the bad OpenSSL ASN.1 time parsing

---
 acme_common/Cargo.toml                        |  1 +
 acme_common/src/crypto/openssl_certificate.rs | 27 +++----------------
 2 files changed, 5 insertions(+), 23 deletions(-)

diff --git a/acme_common/Cargo.toml b/acme_common/Cargo.toml
index 6d3c9e3..f620273 100644
--- a/acme_common/Cargo.toml
+++ b/acme_common/Cargo.toml
@@ -28,6 +28,7 @@ serde_json = "1.0"
 syslog = "4.0"
 time = "0.1"
 toml = "0.5"
+x509-parser = "0.4"
 
 [target.'cfg(unix)'.dependencies]
 nix = "0.14"
diff --git a/acme_common/src/crypto/openssl_certificate.rs b/acme_common/src/crypto/openssl_certificate.rs
index 9fbe858..0b6d59c 100644
--- a/acme_common/src/crypto/openssl_certificate.rs
+++ b/acme_common/src/crypto/openssl_certificate.rs
@@ -8,7 +8,7 @@ use openssl::stack::Stack;
 use openssl::x509::extension::{BasicConstraints, SubjectAlternativeName};
 use openssl::x509::{X509Builder, X509Extension, X509NameBuilder, X509Req, X509ReqBuilder, X509};
 use std::collections::HashSet;
-use time::strptime;
+use x509_parser::parse_x509_der;
 
 const APP_ORG: &str = "ACMEd";
 const APP_NAME: &str = "ACMEd";
@@ -75,29 +75,10 @@ impl X509Certificate {
         Ok(pub_key)
     }
 
-    // OpenSSL ASN1_TIME_print madness
-    // The real fix would be to add Asn1TimeRef access in the openssl crate.
-    //
-    // https://github.com/sfackler/rust-openssl/issues/687
-    // https://github.com/sfackler/rust-openssl/pull/673
     pub fn not_after(&self) -> Result<time::Tm, Error> {
-        let formats = [
-            "%b %d %T %Y %Z",
-            "%b  %d %T %Y %Z",
-            "%b %d %T %Y",
-            "%b  %d %T %Y",
-            "%b %d %T.%f %Y %Z",
-            "%b  %d %T.%f %Y %Z",
-            "%b %d %T.%f %Y",
-            "%b  %d %T.%f %Y",
-        ];
-        let not_after = self.inner_cert.not_after().to_string();
-        for fmt in formats.iter() {
-            if let Ok(t) = strptime(&not_after, fmt) {
-                return Ok(t);
-            }
-        }
-        Err(format!("invalid time string: {}", &not_after).into())
+        let raw_crt = self.inner_cert.to_der()?;
+        let (_, crt) = parse_x509_der(&raw_crt).map_err(|_| Error::from("Invalid certificate."))?;
+        Ok(crt.tbs_certificate.validity.not_after)
     }
 
     pub fn subject_alt_names(&self) -> HashSet<String> {