author | Rob Austein <sra@hactrn.net> | 2011-10-04 23:33:24 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2011-10-04 23:33:24 +0000 |
commit | 2f34183fd2b73005eeee80ab1076ec8000acd62b (patch) | |
tree | 7743be0bfaa69c79e4077a7fba144414e67aec83 /rpkid | |
parent | 6819dd607b1c34d37811d59d0c7897e571ccb687 (diff) |
More explicit certificate expiration checks in CMS verify (see #94).
svn path=/rcynic/rcynic.c; revision=4012
Diffstat (limited to 'rpkid')
-rw-r--r-- | rpkid/rpki/exceptions.py | 10 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 8 |
2 files changed, 16 insertions, 2 deletions
diff --git a/rpkid/rpki/exceptions.py b/rpkid/rpki/exceptions.py
index b1948337..4e4bc42a 100644
--- a/rpkid/rpki/exceptions.py
+++ b/rpkid/rpki/exceptions.py
@@ -331,3 +331,13 @@ class CMSCertHasExpired(RPKI_Exception):
 """
 CMS certificate has expired.
 """
+
+class TrustedCMSCertHasExpired(RPKI_Exception):
+ """
+ Trusted CMS certificate has expired.
+ """
+
+class MultipleCMSEECert(RPKI_Exception):
+ """
+ Can't have more than one CMS EE certificate in validation chain.
+ """
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 3b64c907..bcaa3646 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -926,13 +926,18 @@ class CMS_object(DER_object):
 store = rpki.POW.X509Store()
+ now = rpki.sundial.now()
+ trusted_ee = None
 for x in X509.normalize_chain(ta):
 if self.debug_cms_certs:
 rpki.log.debug("CMS trusted cert issuer %s subject %s SKI %s" % (x.getIssuer(), x.getSubject(), x.hSKI()))
+ if x.getNotAfter() < now:
+ raise rpki.exceptions.TrustedCMSCertHasExpired
+ if not x.is_CA():
- assert trusted_ee is None, "Can't have two EE certs in the same validation chain"
+ if trusted_ee is not None:
+ raise rpki.exceptions.MultipleCMSEECert
 trusted_ee = x
 store.addTrust(x.get_POW())
@@ -956,7 +961,6 @@ class CMS_object(DER_object):
 if len(crls) > 1:
 raise rpki.exceptions.UnexpectedCMSCRLs # , crls
- now = rpki.sundial.now()
 for x in certs:
 if x.getNotAfter() < now:
 raise rpki.exceptions.CMSCertHasExpired # , x
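Review bot: The new validity check on the trust-anchor chain in the x509.py hunk at -926 rejects only expired certificates (`if x.getNotAfter() < now:`); a certificate whose validity period has not yet begun still reaches `store.addTrust(x.get_POW())`, so the check is one-sided. If X509 exposes the not-before timestamp the way it exposes getNotAfter, a companion test along the lines of `if x.getNotBefore() > now: raise <not-yet-valid exception>` (a new exception class analogous to TrustedCMSCertHasExpired) would close that gap, and the `for x in certs:` loop in the following hunk has the same asymmetry. Separately, the bare `raise rpki.exceptions.TrustedCMSCertHasExpired` gives no indication of which trust-anchor certificate expired, and the subject is only logged beforehand when debug_cms_certs is set, so an operator diagnosing a verification failure has nothing to act on; passing the subject or the certificate itself as the exception argument would make the failure actionable. The enclosing method starts before and ends after this hunk.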