1 files changed, 5 insertions, 0 deletions

diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 00c7c448..3b64c907 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -956,6 +956,11 @@ class CMS_object(DER_object):
       if len(crls) > 1:
         raise rpki.exceptions.UnexpectedCMSCRLs # , crls
 
+    now = rpki.sundial.now()
+    for x in certs:
+      if x.getNotAfter() < now:
+        raise rpki.exceptions.CMSCertHasExpired # , x
+
     try:
       content = cms.verify(store)
     except (rpki.async.ExitNow, SystemExit):