Cert validity should not exceed 397 days for publicly trusted issuers

sayali 2020-08-10 17:30:34 -07:00 committed by Hossein Shafagh
parent a7082f7332
commit 25125f3257
2 changed files with 15 additions and 3 deletions


@ -152,6 +152,18 @@ def dates(data):
data["authority"].authority_certificate.not_after data["authority"].authority_certificate.not_after
) )
) )
# Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity
# for certs issued by public CA
# The list of public issuers can be managed through a config named PUBLIC_CA
public_CA = current_app.config.get("PUBLIC_CA", [])
if data["authority"].name.lower() in [ca.lower() for ca in public_CA]:
max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397)
if (
(data.get("validity_end").date() - data.get("validity_start").date()).days
> max_validity_days
):
raise ValidationError("Certificate cannot be valid for more than " +
str(max_validity_days) + " days")
return data return data
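Review bot: The new `if` subtracts `.date()` values, so the time of day is discarded and a certificate spanning `max_validity_days` days plus up to 23:59:59 still passes the check; comparing the full datetimes keeps the cap strict: `if data["validity_end"] - data["validity_start"] > timedelta(days=max_validity_days):` (this needs `timedelta` in scope, which the hunk does not show, and both values to be of the same naive/aware kind). Calling `.date()` on the result of `data.get(...)` also turns a missing `validity_start`/`validity_end` into an `AttributeError` instead of a `ValidationError`; unless earlier lines of `dates` guarantee both keys, index them directly or guard for `None` first. Because `PUBLIC_CA` defaults to `[]`, the cap is opt-in and silently absent until an operator lists the public issuers, which the comment should state, e.g. `# Not enforced unless PUBLIC_CA is configured; 397 presumably leaves a one-day margin under the public-CA 398-day limit`. The `dates` function begins before this hunk.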


@ -82,11 +82,11 @@ def determine_end_date(end_date):
:param end_date: :param end_date:
:return: validity_end :return: validity_end
""" """
default_years = current_app.config.get("DIGICERT_DEFAULT_VALIDITY", 1) default_days = current_app.config.get("DIGICERT_DEFAULT_VALIDITY_DAYS", 397)
max_validity_end = arrow.utcnow().shift(years=current_app.config.get("DIGICERT_MAX_VALIDITY", default_years)) max_validity_end = arrow.utcnow().shift(days=current_app.config.get("DIGICERT_MAX_VALIDITY_DAYS", default_days))
if not end_date: if not end_date:
end_date = arrow.utcnow().shift(years=default_years) end_date = arrow.utcnow().shift(days=default_days)
if end_date > max_validity_end: if end_date > max_validity_end:
end_date = max_validity_end end_date = max_validity_end