From 79764a5624acee85bcd03cd315c3d834a9a25a02 Mon Sep 17 00:00:00 2001
From: kali
Date: Wed, 12 Sep 2012 10:00:29 +0900
Subject: time boundary check of certificate using gnutls
---
 src/leap/eip/checks.py | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
(limited to 'src/leap/eip/checks.py')
diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index 4dd4a95c..f368c551 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -1,8 +1,10 @@
 import logging
 import ssl
 import platform
+import time
 import os
+from gnutls import crypto
 import netifaces
 import ping
 import requests
@@ -221,12 +223,13 @@ class ProviderCertChecker(object):
 certfile = self._get_client_cert_path()
 return os.path.isfile(certfile)
- def is_cert_not_expired(self):
- return True
- # XXX TODO
- # waiting on #507. If we're not using PyOpenSSL or anything alike
- # we will have to roll our own x509 parsing to extract time info.
- # XXX use gnutls
+ def is_cert_not_expired(self, certfile=None, now=time.gmtime):
+ if certfile is None:
+ certfile = self._get_client_cert_path()
+ with open(certfile) as cf:
+ cert_s = cf.read()
+ cert = crypto.X509Certificate(cert_s)
+ return cert.activation_time < now() < cert.expiration_time
 def is_valid_pemfile(self, cert_s=None):
 """
@@ -244,6 +247,9 @@ class ProviderCertChecker(object):
 # XXX get a real cert validation
 # so far this is only checking begin/end
 # delimiters :)
+ # XXX use gnutls for get proper
+ # validation.
+ # crypto.X509Certificate(cert_s)
 ssl.PEM_cert_to_DER_cert(cert_s)
 except:
 # XXX raise proper exception
--
cgit v1.2.3
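Review bot: In the second hunk of src/leap/eip/checks.py, `cert.activation_time < now() < cert.expiration_time` compares the certificate's validity bounds against a `time.struct_time`, because the default `now=time.gmtime` returns one; as far as I recall python-gnutls' X509Certificate exposes activation_time/expiration_time as epoch integers (time_t from the ctypes bindings), so the chained comparison is never a value comparison — it raises TypeError on Python 3 and orders by type on Python 2, giving a constant answer regardless of the certificate's actual dates. Default to an epoch timestamp instead, `def is_cert_not_expired(self, certfile=None, now=time.time):`, and state in a docstring that `now` must return seconds since the epoch so callers injecting a clock for tests match the units. A second point: a missing or unparsable certfile now lets IOError/GNUTLSError escape from a method whose name promises a boolean, whereas the removed body could not raise; either catch those and return False or document the raise so callers of is_cert_not_expired can decide. The method is fully within the hunk; the enclosing ProviderCertChecker class continues outside it.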