From b020142b82e9993b8623dce7fdc15ba2e5b5bcf8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?William=20Tis=C3=A4ter?= <william@mason.app>
Date: Mon, 30 Oct 2023 15:56:29 +0100
Subject: [PATCH 1/3] Fix raise_on_expired

---
 CHANGELOG.md   |  6 +++---
 Cargo.lock     |  2 +-
 Cargo.toml     |  2 +-
 pyproject.toml |  2 +-
 src/lib.rs     | 12 ++++++------
 5 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cddf5c8..7f77a37 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,8 @@
-## Unreleased
+## 0.6.4
 
-Released YYYY-MM-DD
+Released 2023-10-30
 
-* No changes yet.
+* Fix `raise_on_expired` to properly raise `CertificateExpiredError` when the token is expired on verify.
 
 ## 0.6.3
 
diff --git a/Cargo.lock b/Cargo.lock
index 15877fe..f8aa592 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -281,7 +281,7 @@ dependencies = [
 
 [[package]]
 name = "rsmime"
-version = "0.6.3"
+version = "0.6.4"
 dependencies = [
  "openssl",
  "pyo3",
diff --git a/Cargo.toml b/Cargo.toml
index d8d76c2..d24c726 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "rsmime"
-version = "0.6.3"
+version = "0.6.4"
 edition = "2021"
 
 [lib]
diff --git a/pyproject.toml b/pyproject.toml
index 0c82c0e..daf6a15 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "maturin"
 
 [project]
 name = "rsmime"
-version = "0.6.3"
+version = "0.6.4"
 description = "Python package for signing and verifying S/MIME messages"
 classifiers = [
     "License :: OSI Approved :: MIT License",
diff --git a/src/lib.rs b/src/lib.rs
index 4521b22..dd13c95 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -65,16 +65,16 @@ fn validate_expiry(certs: &StackRef<X509>) -> Result<(), Error> {
 fn _verify(message: &[u8], raise_on_expired: bool) -> PyResult<Vec<u8>> {
     let certs = Stack::new().unwrap();
     let store = X509StoreBuilder::new().unwrap().build();
-
-    if raise_on_expired {
-        validate_expiry(certs.as_ref())
-            .map_err(|err| CertificateExpiredError::new_err(err.to_string()))?;
-    }
+    let mut out: Vec<u8> = Vec::new();
 
     let (pkcs7, indata) =
         Pkcs7::from_smime(message).map_err(|err| VerifyError::new_err(err.to_string()))?;
 
-    let mut out: Vec<u8> = Vec::new();
+    if raise_on_expired {
+        let signer_certs = pkcs7.signers(certs.as_ref(), Pkcs7Flags::empty()).unwrap();
+        validate_expiry(signer_certs.as_ref())
+            .map_err(|err| CertificateExpiredError::new_err(err.to_string()))?;
+    }
 
     pkcs7
         .verify(

From d9c9f4c3a2c7a28f45a08c5df12b29cc2c0314e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?William=20Tis=C3=A4ter?= <william@mason.app>
Date: Mon, 30 Oct 2023 15:59:14 +0100
Subject: [PATCH 2/3] Link Github PR

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7f77a37..96e9709 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,7 @@
 
 Released 2023-10-30
 
-* Fix `raise_on_expired` to properly raise `CertificateExpiredError` when the token is expired on verify.
+* [GH2](https://github.com/tiwilliam/rsmime/pull/2) - Fix `raise_on_expired` to properly raise `CertificateExpiredError` when the token is expired on verify.
 
 ## 0.6.3
 

From d1cbc8df06748e15eb063685dffa7f0893395718 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?William=20Tis=C3=A4ter?= <william@mason.app>
Date: Mon, 30 Oct 2023 16:05:33 +0100
Subject: [PATCH 3/3] GH2 -> #2

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 96e9709..bbed987 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,7 @@
 
 Released 2023-10-30
 
-* [GH2](https://github.com/tiwilliam/rsmime/pull/2) - Fix `raise_on_expired` to properly raise `CertificateExpiredError` when the token is expired on verify.
+* [#2](https://github.com/tiwilliam/rsmime/pull/2) - Fix `raise_on_expired` to properly raise `CertificateExpiredError` when the token is expired on verify.
 
 ## 0.6.3