Also add checks for delegation certs

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
notaryproject · Jul 21, 2016 · 84b60d2 · 84b60d2
1 parent fad315b
commit 84b60d2
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/tuf/tuf.go b/tuf/tuf.go
@@ -245,6 +245,17 @@ func (tr *Repo) GetDelegationRole(name string) (data.DelegationRole, error) {
 				if err != nil {
 					return err
 				}
+				// Check all public key certificates in the role for expiry
+				// Currently we do not reject expired delegation keys but warn if they might expire soon or have already
+				for keyID, pubKey := range delgRole.Keys {
+					certFromKey, err := utils.LoadCertFromPEM(pubKey.Public())
+					if err != nil {
+						continue
+					}
+					if err := utils.ValidateCertificate(certFromKey, true); err != nil {
+						logrus.Warnf("error with delegation %s key ID %d: %s", delgRole.Name, keyID, err)
+					}
+				}
 				foundRole = &delgRole
 				return StopWalk{}
 			}