Merge pull request #2 from tiwilliam/raise_on_expired

tiwilliam · web-flow · commit f1cada360218 · 2023-10-30T16:18:04.000+01:00
Fix raise_on_expired
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,8 @@
-## Unreleased
+## 0.6.4
 
-Released YYYY-MM-DD
+Released 2023-10-30
 
-* No changes yet.
+* [#2](https://github.com/tiwilliam/rsmime/pull/2) - Fix `raise_on_expired` to properly raise `CertificateExpiredError` when the token is expired on verify.
 
 ## 0.6.3
 
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "rsmime"
-version = "0.6.3"
+version = "0.6.4"
 edition = "2021"
 
 [lib]
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "maturin"
 
 [project]
 name = "rsmime"
-version = "0.6.3"
+version = "0.6.4"
 description = "Python package for signing and verifying S/MIME messages"
 classifiers = [
     "License :: OSI Approved :: MIT License",
diff --git a/src/lib.rs b/src/lib.rs
@@ -65,16 +65,16 @@ fn validate_expiry(certs: &StackRef<X509>) -> Result<(), Error> {
 fn _verify(message: &[u8], raise_on_expired: bool) -> PyResult<Vec<u8>> {
     let certs = Stack::new().unwrap();
     let store = X509StoreBuilder::new().unwrap().build();
-
-    if raise_on_expired {
-        validate_expiry(certs.as_ref())
-            .map_err(|err| CertificateExpiredError::new_err(err.to_string()))?;
-    }
+    let mut out: Vec<u8> = Vec::new();
 
     let (pkcs7, indata) =
         Pkcs7::from_smime(message).map_err(|err| VerifyError::new_err(err.to_string()))?;
 
-    let mut out: Vec<u8> = Vec::new();
+    if raise_on_expired {
+        let signer_certs = pkcs7.signers(certs.as_ref(), Pkcs7Flags::empty()).unwrap();
+        validate_expiry(signer_certs.as_ref())
+            .map_err(|err| CertificateExpiredError::new_err(err.to_string()))?;
+    }
 
     pkcs7
         .verify(
