Move the two-year validity adjustment into the Verisign plugin and address it there

Hossein Shafagh 2019-01-29 16:17:08 -08:00
parent c47fa0f9a2
commit 48ad20faca
3 changed files with 17 additions and 10 deletions


@ -16,9 +16,7 @@ def convert_validity_years(data):
data['validity_start'] = now.isoformat() data['validity_start'] = now.isoformat()
end = now.replace(years=+int(data['validity_years'])) end = now.replace(years=+int(data['validity_years']))
# some CAs want to see exactly two years validity, and not two years plus one day, as is the case currently
# 1/25/2019 + 2 years ==> 1/25/2019 (two years and 1 day extra, violating the 2 year's limit)
end = end.replace(days=-1)
if not current_app.config.get('LEMUR_ALLOW_WEEKEND_EXPIRATION', True): if not current_app.config.get('LEMUR_ALLOW_WEEKEND_EXPIRATION', True):
if is_weekend(end): if is_weekend(end):
end = end.replace(days=-2) end = end.replace(days=-2)


@ -111,10 +111,19 @@ def process_options(options):
data['subject_alt_names'] = ",".join(get_additional_names(options)) data['subject_alt_names'] = ",".join(get_additional_names(options))
if options.get('validity_end') > arrow.utcnow().replace(years=2):
raise Exception("Verisign issued certificates cannot exceed two years in validity")
if options.get('validity_end'): if options.get('validity_end'):
# VeriSign (Symantec) only accepts strictly smaller than 2 year end date
if options.get('validity_end') < arrow.utcnow().replace(years=2).replace(days=-1):
period = get_default_issuance(options) period = get_default_issuance(options)
data['specificEndDate'] = options['validity_end'].format("MM/DD/YYYY") data['specificEndDate'] = options['validity_end'].format("MM/DD/YYYY")
data['validityPeriod'] = period data['validityPeriod'] = period
else:
# allowing Symantec website setting the end date, given the validity period
data['validityPeriod'] = str(get_default_issuance(options))
options.pop('validity_end', None)
elif options.get('validity_years'): elif options.get('validity_years'):
if options['validity_years'] in [1, 2]: if options['validity_years'] in [1, 2]:
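Review bot: The explicit rejection of end dates beyond two years is gone: a `validity_end` later than the CA limit no longer raises, it falls into the new `else` branch, which discards the requested date (`options.pop('validity_end', None)`) and lets the CA size the certificate from `get_default_issuance(options)`, so the caller receives a validity it did not ask for and nothing in the hunk logs or reports that substitution. If the intent is only to handle the "exactly two years plus a day" case, keep the `else` for that narrow window and restore the rejection for anything later, e.g. `elif options['validity_end'] > arrow.utcnow().replace(years=2): raise Exception("Verisign issued certificates cannot exceed two years in validity")` placed before the fallback. The two branches also disagree on type: the first stores `period` as returned while the fallback stores `str(get_default_issuance(options))`; pick one so `data['validityPeriod']` is consistent. `process_options` begins and ends outside this hunk, so whether a caller reuses `options` after the pop cannot be seen here.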


@ -6,12 +6,12 @@ from freezegun import freeze_time
def test_convert_validity_years(session): def test_convert_validity_years(session):
from lemur.common.missing import convert_validity_years from lemur.common.missing import convert_validity_years
with freeze_time("2016-01-02"): with freeze_time("2016-01-01"):
data = convert_validity_years(dict(validity_years=2)) data = convert_validity_years(dict(validity_years=2))
assert data['validity_start'] == arrow.utcnow().isoformat() assert data['validity_start'] == arrow.utcnow().isoformat()
assert data['validity_end'] == arrow.utcnow().replace(years=+2, days=-1).isoformat() assert data['validity_end'] == arrow.utcnow().replace(years=+2).isoformat()
with freeze_time("2015-01-11"): with freeze_time("2015-01-10"):
data = convert_validity_years(dict(validity_years=1)) data = convert_validity_years(dict(validity_years=1))
assert data['validity_end'] == arrow.utcnow().replace(years=+1, days=-3).isoformat() assert data['validity_end'] == arrow.utcnow().replace(years=+1, days=-2).isoformat()
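Review bot: The updated assertions pin the new "exactly N years, no day adjustment" behavior of `convert_validity_years`, but the day-adjustment logic this commit moves into the Verisign plugin gains no test of its own, so the `validity_end`-at-two-years path and the fallback that drops the requested date are unverified. A frozen-time test calling the plugin's `process_options` with a `validity_end` of `arrow.utcnow().replace(years=2)` and asserting that `specificEndDate` is absent and `validityPeriod` is set would cover it; presumably it belongs next to the plugin's existing tests. The `2015-01-10` frozen date relies on 2016-01-10 being a Sunday for the weekend branch; a one-line comment such as `# 2016-01-10 is a Sunday, so expiration is pulled back two days` would make that intent explicit.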