mreinstein / alexa-verifier

✓ Verify HTTP requests sent to an Alexa skill are sent from Amazon
MIT License

validate() doesn't check the "Not Before" date #23

Closed navzam closed 7 years ago

navzam commented 7 years ago

In validate-cert.js, this code

var notAfter = new Date(cert.validity.notAfter)
var remainingDays = notAfter.getTime() - new Date().getTime()
// check that the signing certificate has not expired (examine both the Not
// Before and Not After dates)
if (remainingDays < 1) {
  return 'certificate expiration check failed'
}

checks the "Not After" date, but it doesn't check the "Not Before" date.

mreinstein commented 7 years ago

This is another case of the comment not matching the actual check. I'd be open to either updating the comment, or accepting a PR that adds the "not before" check.

good catch! 👍

navzam commented 7 years ago

I'm in favor of adding a "not before" check, since the "Checking the Signature of the Request" docs say to check both Not After and Not Before.

mreinstein commented 7 years ago

closed via #25
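
An added example, not part of the thread and not the project's code or the change merged in #25: a validity check that enforces both dates and fails closed when a date cannot be parsed. The names `checkValidityWindow` and `toMillis`, the `notBefore` field beside `notAfter`, and the sample certificate are assumptions made for illustration.

```javascript
// Added example, not the project's code. The cert shape (validity.notBefore
// next to validity.notAfter) is an assumption based on the snippet above.
function toMillis(value) {
  // new Date(null) is the epoch rather than an invalid date, so reject it here.
  return value == null ? NaN : new Date(value).getTime()
}

// Returns undefined when `now` is inside the validity window, otherwise a
// reason string on failure, like the snippet in the issue.
function checkValidityWindow(cert, now = new Date()) {
  const validity = cert && cert.validity
  if (!validity) return 'certificate validity period missing'

  const notBefore = toMillis(validity.notBefore)
  const notAfter = toMillis(validity.notAfter)
  const current = toMillis(now)

  // Every comparison against NaN is false, so an unparsable date would slip
  // past `current < notBefore` and `current > notAfter`. Fail closed instead.
  if ([notBefore, notAfter, current].some(Number.isNaN)) {
    return 'certificate validity dates could not be parsed'
  }
  if (notBefore > notAfter) return 'certificate validity period is inverted'
  // Both bounds are inclusive, as in X.509 (RFC 5280).
  if (current < notBefore) return 'certificate is not yet valid'
  if (current > notAfter) return 'certificate has expired'
  return undefined
}

// Constructed sample input: only the fields the check reads.
const sampleCert = {
  validity: {
    notBefore: new Date('2024-01-01T00:00:00Z'),
    notAfter: new Date('2025-01-01T00:00:00Z')
  }
}

for (const when of ['2023-12-31T23:59:59Z', '2024-06-01T00:00:00Z', '2025-01-01T00:00:01Z']) {
  const result = checkValidityWindow(sampleCert, new Date(when))
  console.log(when, '->', result === undefined ? 'ok' : result)
}
```

Passing the clock in as `now` keeps the check testable at the exact boundaries of the window.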