From 3334d3b4a648e9c600f27ec3789dbb8abb199e67 Mon Sep 17 00:00:00 2001
From: Carl Hetherington
Date: Thu, 13 Nov 2025 11:28:02 +0100
Subject: Don't check the certificate not before/after validity in chain_valid().
I think this should be checked separately, as out-of-date certificates are still useful (e.g. if they are related to KDM decryption).
---
 test/certificates_test.cc | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'test')
diff --git a/test/certificates_test.cc b/test/certificates_test.cc
index 32b2f95c..68892049 100644
--- a/test/certificates_test.cc
+++ b/test/certificates_test.cc
@@ -302,3 +302,13 @@ BOOST_AUTO_TEST_CASE(certificate_dn_qualifiers)
 }
 }
+
+BOOST_AUTO_TEST_CASE(chain_valid_checks_do_not_check_dates)
+{
+ dcp::CertificateChain chain;
+ chain.add(dcp::Certificate(dcp::file_to_string(private_test / "old-certificates" / "root")));
+ chain.add(dcp::Certificate(dcp::file_to_string(private_test / "old-certificates" / "intermediate")));
+ chain.add(dcp::Certificate(dcp::file_to_string(private_test / "old-certificates" / "leaf")));
+ BOOST_CHECK(chain.chain_valid());
+}
+
-- 
cgit v1.2.3
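Review bot: The new case `chain_valid_checks_do_not_check_dates` asserts only the accepting path, so it would pass equally well if the relaxed `chain_valid()` had stopped rejecting anything at all. The patch shown is limited to `test`, so the change to `chain_valid()` itself is not visible here. A negative companion would pin that only the notBefore/notAfter check was dropped: build the chain from the same `old-certificates` root and intermediate with a leaf they did not sign, and assert `BOOST_CHECK(!chain.chain_valid());`. The test should also assert that the fixture leaf really is past its notAfter date, otherwise it passes vacuously if the fixtures are ever regenerated. Callers that relied on `chain_valid()` to reject expired signer certificates now depend on the separate check the commit message mentions, so a comment above the test such as `// Expiry is deliberately not part of chain_valid(); callers must check validity dates separately` would record that contract.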