Ignore the expiration of certificate in SHA2 check

vcsjones · vcsjones · commit 2b95e6d2775e · 2016-04-13T18:24:05.000-04:00
The purpose of this check is not to validate the chain, completely. The chain is needed so we know which certificate is the root and intermediates so we know which to validate and which not to validate. It is possible to have a valid authenticode signature if the certificate is expired but was timestamped while it was valid. In this case we still want to successfully build a chain to perform validation.

The expirely rules will be covered in the VerifyTrust check.
diff --git a/AuthenticodeLint/Rules/SigningCertificateDigestAlgorithmRule.cs b/AuthenticodeLint/Rules/SigningCertificateDigestAlgorithmRule.cs
@@ -23,6 +23,7 @@ public RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWr
                 {
                     chain.ChainPolicy.ExtraStore.AddRange(certificates);
                     chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
+                    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid;
                     bool success = chain.Build(signature.SignerInfo.Certificate);
                     if (!success)
                     {

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ public RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWr`
`23`	`23`	`{`
`24`	`24`	`chain.ChainPolicy.ExtraStore.AddRange(certificates);`
`25`	`25`	`chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;`
	`26`	`+ chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid;`
`26`	`27`	`bool success = chain.Build(signature.SignerInfo.Certificate);`
`27`	`28`	`if (!success)`
`28`	`29`	`{`