From 348fb4dceb7e0efe56eff35e9e2a5e04b899c225 Mon Sep 17 00:00:00 2001 From: Joe Steele Date: Wed, 27 Aug 2014 16:23:26 -0400 Subject: [PATCH] Validate client certificate dates --- res/values/strings.xml | 3 ++- src/com/fsck/k9/net/ssl/KeyChainKeyManager.java | 9 +++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/res/values/strings.xml b/res/values/strings.xml index 3139b079f..f3a841d67 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -1129,6 +1129,7 @@ Please submit bug reports, contribute new features and ask questions at Use client certificate No client certificate Remove client certificate selection - "Failed to retrieve client certificate for alias %s" + "Failed to retrieve client certificate for alias \"%s\"" Advanced options + "Client certificate \"%1$s\" has expired or is not yet valid (%2$s)" diff --git a/src/com/fsck/k9/net/ssl/KeyChainKeyManager.java b/src/com/fsck/k9/net/ssl/KeyChainKeyManager.java index 3efbf4c36..c15fc58ad 100644 --- a/src/com/fsck/k9/net/ssl/KeyChainKeyManager.java +++ b/src/com/fsck/k9/net/ssl/KeyChainKeyManager.java @@ -4,6 +4,7 @@ package com.fsck.k9.net.ssl; import java.net.Socket; import java.security.Principal; import java.security.PrivateKey; +import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.Arrays; import java.util.List; @@ -76,6 +77,14 @@ public class KeyChainKeyManager extends X509ExtendedKeyManager { if (chain == null || chain.length == 0) { throw new MessagingException("No certificate chain found for: " + alias); } + try { + for (X509Certificate certificate : chain) { + certificate.checkValidity(); + } + } catch (CertificateException e) { + // Client certificate has expired or is not yet valid + throw new CertificateValidationException(context.getString(R.string.client_certificate_expired, alias, e.toString())); + } return chain; }
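Review bot: The loop added in the second KeyChainKeyManager.java hunk calls `checkValidity()` on every element of `chain`, but the catch block reports any failure as the client certificate for `alias` being expired or not yet valid, so an out-of-date intermediate or CA certificate in the chain cannot be told apart from an out-of-date leaf. Moving the try inside the loop and including the failing certificate's subject in the message, for example `certificate.getSubjectX500Principal().getName()`, would tell the user which certificate has to be replaced. `e.toString()` also puts the exception class name into user-facing text and the exception itself is discarded; `e.getMessage()` reads better, and if `CertificateValidationException` has a cause-taking constructor (not visible in this diff) passing `e` along would keep the stack trace for logs. Because `checkValidity()` compares against the device clock, this is an early local failure for the user's benefit rather than a security boundary, and a comment saying so would stop a later reader from treating it as the authoritative check. The enclosing method begins before the hunk, so how `chain` is obtained is not visible here.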