Check that KDM validity periods are safely within the validity periods

of the signing certificate chain. This does cause problems when you try to create a KDM for a certificate you just made (due to the fact that certificates always have a start-valid time of "now") but hopefully this can be fixed up in another commit.
author: Carl Hetherington <cth@carlh.net> 2019-12-01 23:13:25 +0100
committer: Carl Hetherington <cth@carlh.net> 2019-12-01 23:13:25 +0100
commit: 9a5809be580c1a12864d751a710f6783363d3de7 (patch)
tree: 2039fc251ed6bb5abcfe2fd6daa2fe572fac144e /src/decrypted_kdm.cc
parent: c78523806e89e4c43015816fcd20db2549992464 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/src/decrypted_kdm.cc b/src/decrypted_kdm.cc
index 4bd9a9d5..9468aabc 100644
--- a/src/decrypted_kdm.cc
+++ b/src/decrypted_kdm.cc
@@ -312,6 +312,14 @@ DecryptedKDM::encrypt (
 {
 	DCP_ASSERT (!_keys.empty ());
 
+	BOOST_FOREACH (dcp::Certificate i, signer->leaf_to_root()) {
+		if (day_greater_than_or_equal(i.not_before(), _not_valid_before)) {
+			throw BadKDMDateError (true);
+		} else if (day_less_than_or_equal(i.not_after(), _not_valid_after)) {
+			throw BadKDMDateError (false);
+		}
+	}
+
 	list<pair<string, string> > key_ids;
 	list<string> keys;
 	BOOST_FOREACH (DecryptedKDMKey const & i, _keys) {
author	Carl Hetherington <cth@carlh.net>	2019-12-01 23:13:25 +0100
committer	Carl Hetherington <cth@carlh.net>	2019-12-01 23:13:25 +0100
commit	9a5809be580c1a12864d751a710f6783363d3de7 (patch)
tree	2039fc251ed6bb5abcfe2fd6daa2fe572fac144e /src/decrypted_kdm.cc
parent	c78523806e89e4c43015816fcd20db2549992464 (diff)