authorRob Austein <sra@hactrn.net>2011-10-04 22:56:27 +0000
committerRob Austein <sra@hactrn.net>2011-10-04 22:56:27 +0000
commit6819dd607b1c34d37811d59d0c7897e571ccb687 (patch)
tree5a741356b376447e2c1867da44e74bee5ad66460 /rpkid
parent3a662b0f0ad0cfbf4d499d01cf09b84c17f80d39 (diff)
Add explicit check for certificate expiration in CMS verify (see #94).
svn path=/rpkid/rpki/exceptions.py; revision=4011
Diffstat (limited to 'rpkid')
-rw-r--r--rpkid/rpki/exceptions.py5
-rw-r--r--rpkid/rpki/x509.py5
2 files changed, 10 insertions, 0 deletions
diff --git a/rpkid/rpki/exceptions.py b/rpkid/rpki/exceptions.py
index f57c679d..b1948337 100644
--- a/rpkid/rpki/exceptions.py
+++ b/rpkid/rpki/exceptions.py
@@ -326,3 +326,8 @@ class CommandParseFailure(RPKI_Exception):
"""
Failed to parse command line.
"""
+
+class CMSCertHasExpired(RPKI_Exception):
+ """
+ CMS certificate has expired.
+ """
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 00c7c448..3b64c907 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -956,6 +956,11 @@ class CMS_object(DER_object):
if len(crls) > 1:
raise rpki.exceptions.UnexpectedCMSCRLs # , crls
+ now = rpki.sundial.now()
+ for x in certs:
+ if x.getNotAfter() < now:
+ raise rpki.exceptions.CMSCertHasExpired # , x
+
try:
content = cms.verify(store)
except (rpki.async.ExitNow, SystemExit):
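Review bot: The added loop compares only `x.getNotAfter() < now`, so a certificate in `certs` whose validity period has not started yet still passes this explicit check. If the intent is to reject anything outside its validity window, the same loop should also compare the notBefore time, e.g. `if x.getNotBefore() > now:` (assuming the certificate class exposes that accessor, which is not visible in this hunk). The exception is raised bare with the offending certificate left in the trailing comment (`# , x`), so a logged CMSCertHasExpired will not say which certificate tripped it; carrying an identifier for `x` in the exception would make the failure diagnosable. It would also help to add a comment such as `# Checks only the certs carried in the CMS; the rest of the chain is left to cms.verify(store)`, since that division of work is presumably intended but not stated. The enclosing method starts and ends outside the hunk.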