Diffstat (limited to 'certdata2pem.py')
-rw-r--r-- | certdata2pem.py | 38 |
1 files changed, 31 insertions, 7 deletions
diff --git a/certdata2pem.py b/certdata2pem.py
index f91422b..5af0def 100644
--- a/certdata2pem.py
+++ b/certdata2pem.py
@@ -21,11 +21,17 @@
 # USA.
 
 import base64
+import datetime
+import io
 import os.path
+import pathlib
 import re
 import sys
 import textwrap
-import io
+
+DATE_FMT = "%a %b %d %H:%M:%S %Y"
+VERSION = pathlib.Path(__file__).parent / "VERSION"
+VERSION = datetime.datetime.strptime(VERSION.read_text().strip(), "%Y%m%d")
 
 objects = []
 
@@ -43,9 +49,6 @@ for line in io.open('certdata.txt', 'rt', encoding='utf8'):
     if line.startswith('BEGINDATA'):
         in_data = True
         continue
-    # Ignore comment lines.
-    if line.startswith('#'):
-        continue
     # Empty lines are significant if we are inside an object.
     if in_obj and len(line.strip()) == 0:
         objects.append(obj)
@@ -54,6 +57,17 @@ for line in io.open('certdata.txt', 'rt', encoding='utf8'):
         continue
     if len(line.strip()) == 0:
         continue
+    if line.startswith("# Not Valid Before: "):
+        line = line.replace("# Not Valid Before: ", "", 1).strip()
+        obj["before"] = datetime.datetime.strptime(line, DATE_FMT)
+        continue
+    if line.startswith("# Not Valid After : "):
+        line = line.replace("# Not Valid After : ", "", 1).strip()
+        obj["after"] = datetime.datetime.strptime(line, DATE_FMT)
+        continue
+    # Ignore comment lines.
+    if line.startswith('#'):
+        continue
     if in_multiline:
         if not line.startswith('END'):
             if type == 'MULTILINE_OCTAL':
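Review bot: `VERSION` in the first hunk is bound twice with different types, first as a `pathlib.Path` and then as the parsed `datetime`, which reads like a typo and makes the later `VERSION < obj["before"]` comparisons harder to follow. Give the path its own name, e.g. `VERSION_FILE = pathlib.Path(__file__).parent / "VERSION"` and `VERSION = datetime.datetime.strptime(VERSION_FILE.read_text().strip(), "%Y%m%d")`, and add a one-line comment stating that `VERSION` is the snapshot date the validity checks are measured against, not the time the script runs. A missing or malformed VERSION file currently surfaces as a bare FileNotFoundError or ValueError traceback at module load; a short message naming the file would make that failure diagnosable.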
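Review bot: `datetime.datetime.strptime(line, DATE_FMT)` on the new `# Not Valid Before` / `# Not Valid After` lines depends on the process locale, because `%a` and `%b` are matched against the current `LC_TIME` day and month names; under a non-English locale the English abbreviations in certdata.txt raise ValueError and the whole conversion aborts. Either pin the locale for the run (`locale.setlocale(locale.LC_TIME, "C")`) or parse the two fields without locale-dependent directives, e.g. by mapping the month abbreviation through a fixed table. The bare ValueError also carries no context; catching it and re-raising with the offending text, `raise ValueError("unparseable validity date: %r" % line) from err`, tells the maintainer which upstream line changed format. Whether `obj` already refers to the dict for the object that follows these comment lines depends on where `obj` is reset, which is outside this hunk; worth confirming, since the dates are consumed per CKO_NSS_TRUST object later on.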
@@ -97,15 +111,23 @@ if os.path.exists('blacklist.txt'):
 
 # Build up trust database.
 trust = dict()
+next_expiring = None
 for obj in objects:
     if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
         continue
     if obj['CKA_LABEL'] in blacklist:
         print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'])
     elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR':
-        trust[obj['CKA_LABEL']] = True
-    elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR':
-        trust[obj['CKA_LABEL']] = True
+        if VERSION < obj["before"] or VERSION > obj["after"]:
+            print('!'*74)
+            print("EXPIRED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'])
+            print('!'*74)
+        else:
+            if not next_expiring:
+                next_expiring = obj
+            elif obj['after'] < next_expiring['after']:
+                next_expiring = obj
+            trust[obj['CKA_LABEL']] = True
     elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED':
         print('!'*74)
         print("UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'])
@@ -115,6 +137,8 @@ for obj in objects:
                 (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
                  obj['CKA_TRUST_EMAIL_PROTECTION']))
 
+print('Next expiring certificate:', next_expiring['CKA_LABEL'], next_expiring['after'])
+
 for obj in objects:
     if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
         if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
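Review bot: The new validity check in the `CKT_NSS_TRUSTED_DELEGATOR` branch reports a root whose `before` date is still in the future as EXPIRED, because `VERSION < obj["before"]` and `VERSION > obj["after"]` share one message; a not-yet-valid root is a different and more suspicious condition and deserves its own wording, e.g. `print("CERTIFICATE OUTSIDE ITS VALIDITY PERIOD (%s - %s) BUT NOT BLACKLISTED: %s" % (obj["before"], obj["after"], obj['CKA_LABEL']))`. `obj["before"]` and `obj["after"]` are also indexed directly, so a CKO_NSS_TRUST object whose preceding comment block lacked the two `# Not Valid` lines ends the run with a KeyError instead of a message naming the label; a `.get` followed by an explicit error mentioning `obj['CKA_LABEL']` still fails closed but readably. `if not next_expiring:` tests dict truthiness where identity is meant; `if next_expiring is None:` states the intent. The email-protection-only `elif` is dropped without a comment; if excluding roots trusted only via `CKA_TRUST_EMAIL_PROTECTION` from the server-auth bundle is intended, a one-line comment at the surviving `elif` saying so would stop the next reader from restoring it.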
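Review bot: `next_expiring['CKA_LABEL']` on the new print line dereferences `None` when no certificate reached the trusted `else` branch (an empty certdata.txt, every root blacklisted, or every root outside its validity window), so the run dies with a TypeError after the trust database has already been built. Guard the report: `if next_expiring is not None:` / `    print('Next expiring certificate:', next_expiring['CKA_LABEL'], next_expiring['after'])`. The loop that follows the print continues outside the hunk.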