GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION: deprecatedtmp-no-well-defined

This removes the documented use of this macro. It was non-functional.
Given the nature of the definition of the non-well defined date for
certificates, it may be wise not to use a special macro at all. The
reason is that the no-well defined date is a real date (~year 9999),
and any approximation with seconds will be unstable due to irregular
leap seconds.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

5 files changed, 12 insertions, 8 deletions

diff --git a/NEWS b/NEWS
index 4cab2d1e72..ea0752831c 100644
--- a/NEWS
+++ b/NEWS
@@ -12,9 +12,13 @@ See the end for copying conditions.
    types via the priority strings. The raw public-key mechanism must be explicitly
    enabled via the GNUTLS_ENABLE_RAWPK init flag.
 
+** GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. The previous
+   definition was buggy and non-functional.
+
 ** API and ABI modifications:
 GNUTLS_ENABLE_RAWPK: Added
 GNUTLS_ENABLE_CERT_TYPE_NEG: Removed (was no-op; replaced by GNUTLS_ENABLE_RAWPK) 
+GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION: Deprecated
 
 
 * Version 3.6.5 (released 2018-12-01)
diff --git a/doc/cha-upgrade.texi b/doc/cha-upgrade.texi
index 28c9249a7d..286790de5b 100644
--- a/doc/cha-upgrade.texi
+++ b/doc/cha-upgrade.texi
@@ -258,4 +258,9 @@ before calling this function to avoid delays.
 @item Supplemental data is not supported under TLS 1.3
 @tab The TLS supplemental data handshake message (RFC 4680) is not supported under TLS 1.3, so if the application calls @funcref{gnutls_supplemental_register} or @funcref{gnutls_session_supplemental_register}, TLS 1.3 is disabled.
 
+@item The GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION macro is a no-op
+@tab The macro was non-functional and because of the nature of the
+definition of the no-well-defined date for certificates (a real date),
+it will not be fixed or re-introduced.
+
 @end multitable
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 13b642a840..e6a311aa7a 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -421,6 +421,7 @@ int gnutls_x509_crl_sign2(gnutls_x509_crl_t crl,
 
 time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt_t cert);
 
+/* This macro is deprecated and defunc; do not use */
 #define GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION ((time_t)4294197631)
 
 time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt_t cert);
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 998062fd6d..b5de7cb7c8 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -1174,12 +1174,9 @@ time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt_t cert)
  * gnutls_x509_crt_get_expiration_time:
  * @cert: should contain a #gnutls_x509_crt_t type
  *
- * This function will return the time this Certificate was or will be
+ * This function will return the time this certificate was or will be
  * expired.
  *
- * The no well defined expiration time can be checked against with the
- * %GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION macro.
- *
  * Returns: expiration time, or (time_t)-1 on error.
  **/
 time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt_t cert)
diff --git a/src/pkcs11.c b/src/pkcs11.c
index 66ef6b0fe0..fe865f3f71 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
@@ -314,10 +314,7 @@ pkcs11_list(FILE * outfile, const char *url, int type, unsigned int flags,
 		}
 
 		if (otype == GNUTLS_PKCS11_OBJ_X509_CRT && exp != -1) {
-			if (exp == GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION)
-				fprintf(outfile, "\tExpires: Never\n");
-			else
-				fprintf(outfile, "\tExpires: %s", ctime(&exp));
+			fprintf(outfile, "\tExpires: %s", ctime(&exp));
 		}
 
 		gnutls_free(output);