Validate certificate date against the IssueDate instead of current time

remia · Feb 1, 2024 · 5149899 · 5149899
1 parent ece684c
commit 5149899
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/clairmeta/dcp_check_sign.py b/clairmeta/dcp_check_sign.py
@@ -6,6 +6,7 @@
 import base64
 import hashlib
 from datetime import datetime, timedelta
+from dateutil import parser
 from OpenSSL import crypto
 from cryptography.hazmat.primitives import serialization
 from cryptography.x509.name import _ASN1Type
@@ -122,6 +123,11 @@ def run_checks(self):
             if not all_keys_in_dict(source_xml, ["Signer", "Signature"]):
                 continue
 
+            # See check_certif_date documentation note for rational.
+            if "IssueDate" in source_xml:
+                issue_date = parser.parse(source_xml["IssueDate"])
+                self.context_time = datetime.strftime(issue_date, "%Y%m%d%H%M%SZ")
+
             self.cert_list = []
             self.cert_store = crypto.X509Store()
             self.cert_chains = source_xml["Signature"]["KeyInfo"]["X509Data"]
@@ -350,8 +356,12 @@ def check_certif_multi_role(self, cert, index):
     def check_certif_date(self, cert, index):
         """Certificate date validation.
 
+        Note that as per DCI specification, the context time is set to that of
+        the IssueDate.
+
         References:
             SMPTE ST 430-2:2017 6.2 9
+            DCI DCSS (v1.4.4) 9.4.3.5 4.c
         """
         # 9. Check time validity
         # Note : Date are formatted in ASN.1 Time YYYYMMDDhhmmssZ