From a9724e73830be5c6ee00f6cd81bf2aff6865b071 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 24 Jan 2019 17:23:40 -0800
Subject: [PATCH 1/3] Resolving the 2 years error from UI during cert creation: Though a CA would accept two year validity, we were getting error for being beyond 2 years. This is because our current conversion is just current date plus 2 years, 1/25/2019 + 2 years ==> 1/25/2019 This is more strictly seen two years and 1 day extra, violating the 2 year's limit.
---
 lemur/common/missing.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lemur/common/missing.py b/lemur/common/missing.py
index a4bbba77..508019b2 100644
--- a/lemur/common/missing.py
+++ b/lemur/common/missing.py
@@ -16,6 +16,9 @@ def convert_validity_years(data):
 data['validity_start'] = now.isoformat()
 end = now.replace(years=+int(data['validity_years']))
+ # some CAs want to see exactly two years validity, and not two years plus one day, as is the case currently
+ # 1/25/2019 + 2 years ==> 1/25/2019 (two years and 1 day extra, violating the 2 year's limit)
+ end = end.replace(days=-1)
 if not current_app.config.get('LEMUR_ALLOW_WEEKEND_EXPIRATION', True):
 if is_weekend(end):
 end = end.replace(days=-2)
From c47fa0f9a23689f0fce6e02364f12288bbf7c7db Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 24 Jan 2019 17:52:22 -0800
Subject: [PATCH 2/3] adjusting the tests to reflect on the new full year convert limit!
---
 lemur/tests/test_missing.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lemur/tests/test_missing.py b/lemur/tests/test_missing.py
index 4f2c20c6..80a7df48 100644
--- a/lemur/tests/test_missing.py
+++ b/lemur/tests/test_missing.py
@@ -6,12 +6,12 @@ from freezegun import freeze_time
 def test_convert_validity_years(session):
 from lemur.common.missing import convert_validity_years
- with freeze_time("2016-01-01"):
+ with freeze_time("2016-01-02"):
 data = convert_validity_years(dict(validity_years=2))
 assert data['validity_start'] == arrow.utcnow().isoformat()
- assert data['validity_end'] == arrow.utcnow().replace(years=+2).isoformat()
+ assert data['validity_end'] == arrow.utcnow().replace(years=+2, days=-1).isoformat()
- with freeze_time("2015-01-10"):
+ with freeze_time("2015-01-11"):
 data = convert_validity_years(dict(validity_years=1))
- assert data['validity_end'] == arrow.utcnow().replace(years=+1, days=-2).isoformat()
+ assert data['validity_end'] == arrow.utcnow().replace(years=+1, days=-3).isoformat()
From 48ad20facaba794a8a14c249af5fb83f206b7006 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Tue, 29 Jan 2019 16:17:08 -0800
Subject: [PATCH 3/3] moving the 2 year validity issue to the Verisign plugin, and address it there
---
 lemur/common/missing.py | 4 +---
 lemur/plugins/lemur_verisign/plugin.py | 15 ++++++++++++---
 lemur/tests/test_missing.py | 8 ++++----
 3 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/lemur/common/missing.py b/lemur/common/missing.py
index 508019b2..5c7dffac 100644
--- a/lemur/common/missing.py
+++ b/lemur/common/missing.py
@@ -16,9 +16,7 @@ def convert_validity_years(data):
 data['validity_start'] = now.isoformat()
 end = now.replace(years=+int(data['validity_years']))
- # some CAs want to see exactly two years validity, and not two years plus one day, as is the case currently
- # 1/25/2019 + 2 years ==> 1/25/2019 (two years and 1 day extra, violating the 2 year's limit)
- end = end.replace(days=-1)
+
 if not current_app.config.get('LEMUR_ALLOW_WEEKEND_EXPIRATION', True):
 if is_weekend(end):
 end = end.replace(days=-2)
diff --git a/lemur/plugins/lemur_verisign/plugin.py b/lemur/plugins/lemur_verisign/plugin.py
index 3e672a43..3f16f997 100644
--- a/lemur/plugins/lemur_verisign/plugin.py
+++ b/lemur/plugins/lemur_verisign/plugin.py
@@ -111,10 +111,19 @@ def process_options(options):
 data['subject_alt_names'] = ",".join(get_additional_names(options))
+ if options.get('validity_end') > arrow.utcnow().replace(years=2):
+ raise Exception("Verisign issued certificates cannot exceed two years in validity")
+
 if options.get('validity_end'):
- period = get_default_issuance(options)
- data['specificEndDate'] = options['validity_end'].format("MM/DD/YYYY")
- data['validityPeriod'] = period
+ # VeriSign (Symantec) only accepts strictly smaller than 2 year end date
+ if options.get('validity_end') < arrow.utcnow().replace(years=2).replace(days=-1):
+ period = get_default_issuance(options)
+ data['specificEndDate'] = options['validity_end'].format("MM/DD/YYYY")
+ data['validityPeriod'] = period
+ else:
+ # allowing Symantec website setting the end date, given the validity period
+ data['validityPeriod'] = str(get_default_issuance(options))
+ options.pop('validity_end', None)
 elif options.get('validity_years'):
 if options['validity_years'] in [1, 2]:
diff --git a/lemur/tests/test_missing.py b/lemur/tests/test_missing.py
index 80a7df48..4f2c20c6 100644
--- a/lemur/tests/test_missing.py
+++ b/lemur/tests/test_missing.py
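Review bot: The new guard `if options.get('validity_end') > arrow.utcnow().replace(years=2):` is evaluated before the `if options.get('validity_end'):` branch, so a request that carries only `validity_years` (the `elif` path below) compares `None` with an Arrow object, which under Python 3 raises `TypeError` before that path is ever reached. Nest the guard inside the `if options.get('validity_end'):` block, or write it as `if options.get('validity_end') and options['validity_end'] > arrow.utcnow().replace(years=2):`. Since this line is the plugin's enforcement of the CA's maximum validity, raising a specific type such as `ValueError` instead of bare `Exception` would let callers tell a rejected validity request apart from an unexpected failure. The rest of `process_options` lies outside the hunk.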
@@ -6,12 +6,12 @@ from freezegun import freeze_time
 def test_convert_validity_years(session):
 from lemur.common.missing import convert_validity_years
- with freeze_time("2016-01-02"):
+ with freeze_time("2016-01-01"):
 data = convert_validity_years(dict(validity_years=2))
 assert data['validity_start'] == arrow.utcnow().isoformat()
- assert data['validity_end'] == arrow.utcnow().replace(years=+2, days=-1).isoformat()
+ assert data['validity_end'] == arrow.utcnow().replace(years=+2).isoformat()
- with freeze_time("2015-01-11"):
+ with freeze_time("2015-01-10"):
 data = convert_validity_years(dict(validity_years=1))
- assert data['validity_end'] == arrow.utcnow().replace(years=+1, days=-3).isoformat()
+ assert data['validity_end'] == arrow.utcnow().replace(years=+1, days=-2).isoformat()