From eb6a1ebc9d3b886ab816a992eeb22fffbc78c5d1 Mon Sep 17 00:00:00 2001
From: Eugene Medvedev
Date: Mon, 19 Jun 2023 19:39:28 +0300
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Oh,=20that's=20nasty.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 main.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/main.go b/main.go
index 2c951aa..4b94e5b 100644
--- a/main.go
+++ b/main.go
@@ -372,8 +372,12 @@ func main() {
 _, err = cert.Verify(x509.VerifyOptions{
 Intermediates: extraCerts,
 Roots: roots,
- CurrentTime: verificationTime,
- KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
+ // LoTW intermediate certificates are *expected* to expire during
+ // the public key's lifetime, so we must verify it with time
+ // set to the day it was issued, rather than any other day,
+ // otherwise verification can fail for no good reason.
+ CurrentTime: cert.NotBefore.Add(time.Hour),
+ KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
 })
 check(err, "Failed to verify public key:")
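Review bot: With `CurrentTime: cert.NotBefore.Add(time.Hour)` the verification time comes from the certificate being verified, so this `cert.Verify` call can no longer reject an expired leaf: essentially any certificate is inside its own validity window one hour after its NotBefore. If expiry of the public key still matters, check it explicitly once the chain verifies, e.g. `if verificationTime.Before(cert.NotBefore) || verificationTime.After(cert.NotAfter)` followed by the same `check`-style failure, assuming `verificationTime` (visible on the removed line) is still the time the data should be judged against. Accepting chains through expired intermediates is a deliberate trust decision, and the added comment would be stronger if it said so and stated what still bounds the leaf's lifetime. The comment also does not explain the one-hour offset; a clause such as `// +1h: margin past NotBefore, still within the issuing intermediate's validity` would help, if that is the intent. main() starts and ends outside the hunk, so a separate expiry check elsewhere cannot be ruled out.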