More explicit certificate expiration checks in CMS verify (see #94).

svn path=/rcynic/rcynic.c; revision=4012
author: Rob Austein <sra@hactrn.net> 2011-10-04 23:33:24 +0000
committer: Rob Austein <sra@hactrn.net> 2011-10-04 23:33:24 +0000
commit: 2f34183fd2b73005eeee80ab1076ec8000acd62b (patch)
tree: 7743be0bfaa69c79e4077a7fba144414e67aec83 /rpkid/rpki/x509.py
parent: 6819dd607b1c34d37811d59d0c7897e571ccb687 (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 3b64c907..bcaa3646 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -926,13 +926,18 @@ class CMS_object(DER_object):
 
     store = rpki.POW.X509Store()
 
+    now = rpki.sundial.now()
+
     trusted_ee = None
 
     for x in X509.normalize_chain(ta):
       if self.debug_cms_certs:
         rpki.log.debug("CMS trusted cert issuer %s subject %s SKI %s" % (x.getIssuer(), x.getSubject(), x.hSKI()))
+      if x.getNotAfter() < now:
+        raise rpki.exceptions.TrustedCMSCertHasExpired
       if not x.is_CA():
-        assert trusted_ee is None, "Can't have two EE certs in the same validation chain"
+        if trusted_ee is not None:
+          raise rpki.exceptions.MultipleCMSEECert
         trusted_ee = x
       store.addTrust(x.get_POW())
 
@@ -956,7 +961,6 @@ class CMS_object(DER_object):
       if len(crls) > 1:
         raise rpki.exceptions.UnexpectedCMSCRLs # , crls
 
-    now = rpki.sundial.now()
     for x in certs:
       if x.getNotAfter() < now:
         raise rpki.exceptions.CMSCertHasExpired # , x
author	Rob Austein <sra@hactrn.net>	2011-10-04 23:33:24 +0000
committer	Rob Austein <sra@hactrn.net>	2011-10-04 23:33:24 +0000
commit	2f34183fd2b73005eeee80ab1076ec8000acd62b (patch)
tree	7743be0bfaa69c79e4077a7fba144414e67aec83 /rpkid/rpki/x509.py
parent	6819dd607b1c34d37811d59d0c7897e571ccb687 (diff)