From a879f702082b99cc415e32462ce9a630227cdaed Mon Sep 17 00:00:00 2001
From: schmidtw <Weston_Schmidt@alumni.purdue.edu>
Date: Thu, 21 Nov 2024 18:59:36 -0800
Subject: [PATCH] Mark time before the notBefore time as expired as well as
 after the notAfter time.

---
 token/claimBuilder.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/token/claimBuilder.go b/token/claimBuilder.go
index 1a0d4da..d872caf 100644
--- a/token/claimBuilder.go
+++ b/token/claimBuilder.go
@@ -230,7 +230,7 @@ func (cb *clientCertificateClaimBuilder) AddClaims(_ context.Context, r *Request
 		}
 
 		// special logic around expired certificates
-		expired := now.After(pc.NotAfter)
+		expired := now.Before(pc.NotBefore) || now.After(pc.NotAfter)
 		vo := x509.VerifyOptions{
 			// always set the current time so that we disambiguate expired
 			// from untrusted.