From 84b60d265aa95a8a19ec5e95d4df9a44ead290ce Mon Sep 17 00:00:00 2001
From: Riyaz Faizullabhoy
Date: Wed, 20 Jul 2016 18:00:34 -0700
Subject: [PATCH] Also add checks for delegation certs

Signed-off-by: Riyaz Faizullabhoy
---
 tuf/tuf.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tuf/tuf.go b/tuf/tuf.go
index eb838957ad..a6dacd3551 100644
--- a/tuf/tuf.go
+++ b/tuf/tuf.go
@@ -245,6 +245,17 @@ func (tr *Repo) GetDelegationRole(name string) (data.DelegationRole, error) {
 if err != nil {
 return err
 }
+ // Check all public key certificates in the role for expiry
+ // Currently we do not reject expired delegation keys but warn if they might expire soon or have already
+ for keyID, pubKey := range delgRole.Keys {
+ certFromKey, err := utils.LoadCertFromPEM(pubKey.Public())
+ if err != nil {
+ continue
+ }
+ if err := utils.ValidateCertificate(certFromKey, true); err != nil {
+ logrus.Warnf("error with delegation %s key ID %d: %s", delgRole.Name, keyID, err)
+ }
+ }
 foundRole = &delgRole
 return StopWalk{}
 }
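Review bot: The `%d` verb in the added `logrus.Warnf` does not match `keyID`, which is the map key of `delgRole.Keys`; if that map is keyed by TUF key IDs (hex digest strings, as the rest of the repository's key maps are), the warning will render as `%!d(string=…)` and `go vet` will flag the call, so it should read `logrus.Warnf("error with delegation %s key ID %s: %s", delgRole.Name, keyID, err)`. The `continue` on a `LoadCertFromPEM` failure silently treats every key that is not PEM-encoded certificate material as having nothing to validate, which is presumably intended for raw public keys; a comment such as `// not a certificate-backed key; nothing to check for expiry` would record that choice for the next reader, since as written it is indistinguishable from a swallowed error. Note also that this only warns and never rejects, as the added comment states, so an expired delegation certificate still yields a usable role; if that policy ever changes, this is the spot. The enclosing closure and `GetDelegationRole` both start and end outside the hunk.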