Warn if the signing certificates have a validity period > 10 years (#2174).
[dcpomatic.git] / src / lib / config.cc
index abf0eb42bcf6a19d3d2ab4088c618f65c2f9cfc6..37168296611746e713d1d6bb99b8089c127d5109 100644 (file)
@@ -456,6 +456,9 @@ try
                if (i.has_utf8_strings()) {
                        bad = BAD_SIGNER_UTF8_STRINGS;
                }
+               if ((i.not_after().year() - i.not_before().year()) > 15) {
+                       bad = BAD_SIGNER_VALIDITY_TOO_LONG;
+               }
        }
 
        if (!_signer_chain->chain_valid() || !_signer_chain->private_key_valid()) {
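Review bot: The added check `(i.not_after().year() - i.not_before().year()) > 15` uses a limit of 15, while the commit title says 10 years, and nothing in the hunk explains the difference. If the slack is deliberate, name the limit and say why, e.g. `/* Title says 10 years; 15 leaves headroom for <reason> */` above a constant such as `int const max_signer_validity_years = 15;`. The comparison also looks only at calendar years, so a certificate valid from January of one year to December fifteen years later (almost 16 years) is not flagged; comparing full dates would make the boundary exact. Finally, the new assignment overwrites an earlier `BAD_SIGNER_UTF8_STRINGS` value of `bad`, which is harmless for the switch further down but presumably means only the validity reason is reported. The enclosing loop and function start outside this hunk.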
@@ -472,6 +475,7 @@ try
                        switch (*bad) {
                        case BAD_SIGNER_UTF8_STRINGS:
                        case BAD_SIGNER_INCONSISTENT:
+                       case BAD_SIGNER_VALIDITY_TOO_LONG:
                                _signer_chain = create_certificate_chain ();
                                break;
                        case BAD_DECRYPTION_INCONSISTENT:
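Review bot: Adding `case BAD_SIGNER_VALIDITY_TOO_LONG:` to the group that runs `_signer_chain = create_certificate_chain ();` means a long validity period is handled by replacing the whole signer chain, which is more than the "warn" in the commit title suggests. The condition guarding this switch is outside the hunk, so presumably the user is asked first; a short comment such as `/* All signer problems are fixed by generating a fresh chain */` above the three cases would make that explicit. It is also worth confirming that `create_certificate_chain ()` issues certificates whose validity is within the new limit, otherwise the freshly made chain would be flagged again on the next load.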