From 1c11f14cb2ff26e52a72d97ad2647946ca21c974 Mon Sep 17 00:00:00 2001
From: Andrew Cullen
Date: Mon, 13 Sep 2021 22:33:00 -0400
Subject: [PATCH] Check remote certificate validity.
---
 UaClient/ServiceModel/Ua/DirectoryStore.cs | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/UaClient/ServiceModel/Ua/DirectoryStore.cs b/UaClient/ServiceModel/Ua/DirectoryStore.cs
index fe04591..6f937a6 100644
--- a/UaClient/ServiceModel/Ua/DirectoryStore.cs
+++ b/UaClient/ServiceModel/Ua/DirectoryStore.cs
@@ -15,6 +15,7 @@
 using Org.BouncyCastle.OpenSsl;
 using Org.BouncyCastle.Pkix;
 using Org.BouncyCastle.Security;
+using Org.BouncyCastle.Security.Certificates;
 using Org.BouncyCastle.X509;
 using Org.BouncyCastle.X509.Extension;
 using Org.BouncyCastle.X509.Store;
@@ -277,6 +278,13 @@ public Task ValidateRemoteCertificateAsync(X509Certificate target, ILogger
 throw new ArgumentNullException(nameof(target));
 }
 
+ if (!target.IsValidNow)
+ {
+ logger?.LogError($"Error validatingRemoteCertificate. Certificate is expired or not yet valid.");
+ StoreInRejectedFolder(target);
+ return Task.FromResult(false);
+ }
+
 var trustedCerts = new Org.BouncyCastle.Utilities.Collections.HashSet();
 var trustedCertsInfo = new DirectoryInfo(Path.Combine(_pkiPath, "trusted"));
 if (!trustedCertsInfo.Exists)
@@ -314,7 +322,7 @@ public Task ValidateRemoteCertificateAsync(X509Certificate target, ILogger
 }
 }
 }
-
+
 if (IsSelfSigned(target))
 {
 // Create the selector that specifies the starting certificate
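Review bot: The error logged in the new `if (!target.IsValidNow)` branch (second hunk, `@@ -277,6 +278,13 @@`) names neither the rejected certificate nor its validity window. Someone triaging a refused connection therefore cannot tell an expired peer certificate from a wrong local clock, since `IsValidNow` is evaluated against the system time. I would log the identity and dates through the message template instead of an interpolated string with no placeholders: `logger?.LogError("Remote certificate '{Subject}' rejected: valid from {NotBefore:u} to {NotAfter:u}.", target.SubjectDN, target.NotBefore, target.NotAfter);`, which also removes the "validatingRemoteCertificate" typo. The `using Org.BouncyCastle.Security.Certificates;` added in the first hunk is not referenced by any line visible in this patch, so it may be unnecessary. The body of ValidateRemoteCertificateAsync starts and ends outside the hunk, so how later code treats validity dates along the chain cannot be judged from here.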