fix: on failure check certificate valid from and upto time.

MircoBabin · Apr 9, 2024 · aabc247 · aabc247
1 parent 167216d
commit aabc247
Showing 1 changed file with 53 additions and 0 deletions.
diff --git a/src/BuildStamp/CommandSignExecutable.cs b/src/BuildStamp/CommandSignExecutable.cs
@@ -1,6 +1,8 @@
 using System;
+using System.Globalization;
 using System.IO;
 using System.Security.Cryptography.X509Certificates;
+using System.Threading;
 
 namespace BuildStamp
 {
@@ -178,6 +180,10 @@ public ProgramExitCode Run(ProgramOutput output, ProgramArguments args)
                 {
                     output.WriteOutputLine("Error signing with authenticode.");
                     output.WriteOutputLine(ex.Message);
+
+                    var notValid = CheckCertificateValid(signingCertificate, output);
+                    if (notValid != ProgramExitCode.Success) return notValid;
+
                     return ProgramExitCode.SignSha1Error;
                 }
                 output.WriteOutputLine("Success: authenticode digital signature.");
@@ -202,6 +208,10 @@ public ProgramExitCode Run(ProgramOutput output, ProgramArguments args)
                 {
                     output.WriteOutputLine("Error signing with sha-256.");
                     output.WriteOutputLine(ex.Message);
+
+                    var notValid = CheckCertificateValid(signingCertificate, output);
+                    if (notValid != ProgramExitCode.Success) return notValid;
+
                     return ProgramExitCode.SignSha256Error;
                 }
                 output.WriteOutputLine("Success: sha-256 digital signature.");
@@ -259,6 +269,49 @@ public ProgramExitCode Run(ProgramOutput output, ProgramArguments args)
             return exitcode;
         }
 
+        private ProgramExitCode CheckCertificateValid(X509Certificate2 signingCertificate, ProgramOutput output)
+        {
+            DateTime validFrom;
+            DateTime validUpto;
+            {
+                var saveCulture = Thread.CurrentThread.CurrentCulture;
+                try
+                {
+                    Thread.CurrentThread.CurrentCulture = CultureInfo.InvariantCulture;
+                    validFrom = DateTime.Parse(signingCertificate.GetEffectiveDateString(), CultureInfo.InvariantCulture).ToUniversalTime();
+                    validUpto = DateTime.Parse(signingCertificate.GetExpirationDateString(), CultureInfo.InvariantCulture).ToUniversalTime();
+                }
+                finally
+                {
+                    Thread.CurrentThread.CurrentCulture = saveCulture;
+                }
+            }
+
+            var now = DateTime.Now.ToUniversalTime();
+            if (now < validFrom || now > validUpto)
+            {
+                output.WriteOutputLine();
+                output.WriteOutputLine("Current time: " + DateTimeToHumanString(now) + " UTC.");
+                output.WriteOutputLine("The certificate is not valid.");
+
+                if (now < validFrom)
+                {
+                    output.WriteOutputLine("The valid from time (effective time) of the certificate is in the future. The certificate is not yet valid.");
+                    output.WriteOutputLine("Valid from: " + DateTimeToHumanString(validFrom) + " UTC.");
+                }
+
+                if (now > validUpto)
+                {
+                    output.WriteOutputLine("The valid upto time (expiration time) of the certificate is in the past. The certificate has expired.");
+                    output.WriteOutputLine("Valid upto: " + DateTimeToHumanString(validUpto) + " UTC.");
+                }
+
+                return ProgramExitCode.CertificateError;
+            }
+
+            return ProgramExitCode.Success;
+        }
+
         public string OidToHumanString(string inputOid)
         {
             if (inputOid == Sha1Oid)