Cert validity should not exceed 397 days for publicly trusted issuers

2020-08-10 17:30:34 -07:00
parent 9bcfcebb3a
commit 7a83799bcd
2 changed files with 15 additions and 3 deletions
--- a/lemur/common/validators.py
+++ b/lemur/common/validators.py
@ -152,6 +152,18 @@ def dates(data):
                        data["authority"].authority_certificate.not_after
                    )
                )
+            # Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity
+            # for certs issued by public CA
+            # The list of public issuers can be managed through a config named PUBLIC_CA
+            public_CA = current_app.config.get("PUBLIC_CA", [])
+            if data["authority"].name.lower() in [ca.lower() for ca in public_CA]:
+                max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397)
+                if (
+                    (data.get("validity_end").date() - data.get("validity_start").date()).days
+                    > max_validity_days
+                ):
+                    raise ValidationError("Certificate cannot be valid for more than " +
+                                          str(max_validity_days) + " days")

    return data