Check certificate notBefore and notAfter times

2020-09-27 21:37:10 -04:00 · 2020-09-27 21:37:10 -04:00 · 5535cff842
commit 5535cff842
parent 5a0f7cf631
1 changed files with 19 additions and 0 deletions
--- a/client.go
+++ b/client.go
@ -10,6 +10,7 @@ import (
 	"net/url"
 	"strconv"
 	"strings"
+	"time"
 )

 // Client errors.
@ -218,6 +219,10 @@ func (c *Client) Send(req *Request) (*Response, error) {
 			if err != nil {
 				return err
 			}
+			// Validate the certificate
+			if !validCertificate(cert) {
+				return ErrInvalidCertificate
+			}
 			// Check that the certificate is valid for the hostname
 			// Use our own implementation of verifyHostname
 			if err := verifyHostname(cert, req.Hostname()); err != nil {
@ -258,6 +263,20 @@ func (c *Client) Send(req *Request) (*Response, error) {
 	return resp, nil
 }

+// validCertificate determines whether cert is a valid certificate
+func validCertificate(cert *x509.Certificate) bool {
+	// Check notBefore and notAfter
+	now := time.Now()
+	if cert.NotBefore.After(now) {
+		return false
+	}
+	if cert.NotAfter.Before(now) {
+		return false
+	}
+	// No need to check hash algorithms, hopefully tls has checked for us already
+	return true
+}
+
 // hostname extracts the host name from a valid host or host:port
 func hostname(host string) string {
 	i := strings.LastIndexByte(host, ':')