follow up feedback from Richard

lib/hpke/include/hpke/certificate.h

@@ -29,12 +29,12 @@ struct Certificate
 
   using ParsedName = std::map<int, std::string>;
 
-  // Certificate Status
-  enum struct Status
+  // Certificate Expiration Status
+  enum struct ExpirationStatus
   {
-    expired,
-    inactive,
-    active
+    inactive, // now < notBefore
+    active,   // notBefore < now < notAfter
+    expired,  // notAfter < now
   };
 
   explicit Certificate(const bytes& der);
@@ -53,7 +53,7 @@ struct Certificate
   ParsedName issuer() const;
   ParsedName subject() const;
   bool is_ca() const;
-  Status status() const;
+  ExpirationStatus expiration_status() const;
 
   std::optional<bytes> subject_key_id() const;
   std::optional<bytes> authority_key_id() const;

lib/hpke/src/certificate.cpp

@@ -234,20 +234,20 @@ struct Certificate::ParsedCertificate
     return make_typed_unique<EVP_PKEY>(X509_get_pubkey(x509.get()));
   }
 
-  Certificate::Status status() const
+  Certificate::ExpirationStatus expiration_status() const
   {
     auto* not_before = X509_get_notBefore(x509.get());
     auto* not_after = X509_get_notAfter(x509.get());
 
     if (X509_cmp_current_time(not_before) > 0) {
-      return Certificate::Status::inactive;
+      return Certificate::ExpirationStatus::inactive;
     }
 
     if (X509_cmp_current_time(not_after) < 0) {
-      return Certificate::Status::expired;
+      return Certificate::ExpirationStatus::expired;
     }
 
-    return Certificate::Status::active;
+    return Certificate::ExpirationStatus::active;
   }
 
   bytes raw() const
@@ -383,10 +383,10 @@ Certificate::is_ca() const
   return parsed_cert->is_ca;
 }
 
-Certificate::Status
-Certificate::status() const
+Certificate::ExpirationStatus
+Certificate::expiration_status() const
 {
-  return parsed_cert->status();
+  return parsed_cert->expiration_status();
 }
 
 std::optional<bytes>

lib/hpke/test/certificate.cpp

@@ -73,8 +73,6 @@ TEST_CASE("Certificate Known-Answer depth 2")
   CHECK_FALSE(issuing.valid_from(leaf));
   CHECK_FALSE(root.valid_from(issuing));
   CHECK_FALSE(root.valid_from(leaf));
-  auto status = root.status();
-  REQUIRE(status == Certificate::Status::expired);
 }
 
 TEST_CASE("Certificate Known-Answer depth 2 with SKID/ADID")
@@ -489,8 +487,7 @@ TEST_CASE("Test Certificate notBefore status")
     "4d134de11eca367f9d967d6eae14192454770a2fc278963602");
 
   auto root = Certificate{ root_der };
-  auto status = root.status();
-  REQUIRE(status == Certificate::Status::inactive);
+  REQUIRE(root.expiration_status() == Certificate::ExpirationStatus::inactive);
 }
 
 TEST_CASE("Test Certificate notAfter status")
@@ -509,8 +506,7 @@ TEST_CASE("Test Certificate notAfter status")
     "e4e7d2b0606050b2e0edcfc8d6390b373e21f08116910b");
 
   auto root = Certificate{ root_der };
-  auto status = root.status();
-  REQUIRE(status == Certificate::Status::expired);
+  REQUIRE(root.expiration_status() == Certificate::ExpirationStatus::expired);
 }
 
 TEST_CASE("Test Certificate active status")
@@ -530,6 +526,5 @@ TEST_CASE("Test Certificate active status")
     "16a821444907e84cd4fb88167f1c3a4d4911f8260dafb21b05");
 
   auto root = Certificate{ root_der };
-  auto status = root.status();
-  REQUIRE(status == Certificate::Status::active);
+  REQUIRE(root.expiration_status() == Certificate::ExpirationStatus::active);
 }

scripts/cert-gen.go

@@ -17,7 +17,6 @@ import (
 )
 
 var (
-
     notBefore = time.Now().Add(-2 * 24 * time.Hour)
     notAfter  = time.Now().Add(99 * 365 * 24 * time.Hour)