diff --git a/lemur/common/validators.py b/lemur/common/validators.py index e1dfe3c1..4aecb97e 100644 --- a/lemur/common/validators.py +++ b/lemur/common/validators.py @@ -152,6 +152,18 @@ def dates(data): data["authority"].authority_certificate.not_after ) ) + # Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity + # for certs issued by public CA + # The list of public issuers can be managed through a config named PUBLIC_CA + public_CA = current_app.config.get("PUBLIC_CA", []) + if data["authority"].name.lower() in [ca.lower() for ca in public_CA]: + max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) + if ( + (data.get("validity_end").date() - data.get("validity_start").date()).days + > max_validity_days + ): + raise ValidationError("Certificate cannot be valid for more than " + + str(max_validity_days) + " days") return data diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index e5c4b2ce..32a5375a 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py @@ -82,11 +82,11 @@ def determine_end_date(end_date): :param end_date: :return: validity_end """ - default_years = current_app.config.get("DIGICERT_DEFAULT_VALIDITY", 1) - max_validity_end = arrow.utcnow().shift(years=current_app.config.get("DIGICERT_MAX_VALIDITY", default_years)) + default_days = current_app.config.get("DIGICERT_DEFAULT_VALIDITY_DAYS", 397) + max_validity_end = arrow.utcnow().shift(days=current_app.config.get("DIGICERT_MAX_VALIDITY_DAYS", default_days)) if not end_date: - end_date = arrow.utcnow().shift(years=default_years) + end_date = arrow.utcnow().shift(days=default_days) if end_date > max_validity_end: end_date = max_validity_end