diff --git a/checks/certificate/validity/validity.go b/checks/certificate/validity/validity.go
index b631f6d..7befc15 100644
--- a/checks/certificate/validity/validity.go
+++ b/checks/certificate/validity/validity.go
@@ -20,18 +20,30 @@ func Check(d *certdata.Data) *errors.Errors {
 switch d.Type {
 case "EV":
- if d.Cert.NotBefore.After(d.Cert.NotBefore.AddDate(0, 27, 0)) {
- e.Err("EV Certificate LifeTime exceeds 27 months")
- return e
+ if d.Cert.NotBefore.After(time.Date(2017, 3, 17, 0, 0, 0, 0, time.UTC)) {
+ if d.Cert.NotAfter.After(d.Cert.NotBefore.AddDate(0, 0, 825)) {
+ e.Err("EV Certificate LifeTime exceeds 825 days")
+ return e
+ }
+ } else {
+ if d.Cert.NotAfter.After(d.Cert.NotBefore.AddDate(0, 27, 0)) {
+ e.Err("EV Certificate LifeTime exceeds 27 months")
+ return e
+ }
 }
 case "DV", "OV":
- if d.Cert.NotBefore.After(time.Date(2015, 4, 1, 0, 0, 0, 0, time.UTC)) {
- if d.Cert.NotBefore.After(d.Cert.NotBefore.AddDate(0, 39, 0)) {
+ if d.Cert.NotBefore.After(time.Date(2018, 3, 1, 0, 0, 0, 0, time.UTC)) {
+ if d.Cert.NotAfter.After(d.Cert.NotBefore.AddDate(0, 0, 825)) {
+ e.Err("Certificate LifeTime exceeds 825 days")
+ return e
+ }
+ } else if d.Cert.NotBefore.After(time.Date(2016, 7, 1, 0, 0, 0, 0, time.UTC)) {
+ if d.Cert.NotAfter.After(d.Cert.NotBefore.AddDate(0, 39, 0)) {
 e.Err("Certificate LifeTime exceeds 39 months")
 return e
 }
 } else {
- if d.Cert.NotBefore.After(d.Cert.NotBefore.AddDate(0, 60, 0)) {
+ if d.Cert.NotAfter.After(d.Cert.NotBefore.AddDate(0, 60, 0)) {
 e.Err("Certificate LifeTime exceeds 60 months")
 return e
 }
diff --git a/testdata/evissues.pem.golden b/testdata/evissues.pem.golden
index f2528c2..8c2be6a 100644
--- a/testdata/evissues.pem.golden
+++ b/testdata/evissues.pem.golden
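Review bot: The effective-date cutoffs are exclusive, so a certificate whose NotBefore is exactly midnight UTC on 2018-03-01 (or 2016-07-01, 2017-03-17) is tested against the older, longer limit rather than the stricter one that applies from that day onward; a Baseline Requirements-style "on or after" rule wants `if !d.Cert.NotBefore.Before(time.Date(2018, 3, 1, 0, 0, 0, 0, time.UTC)) {`, `} else if !d.Cert.NotBefore.Before(time.Date(2016, 7, 1, 0, 0, 0, 0, time.UTC)) {` and the same form for the EV cutoff. The check also treats NotBefore as the issuance date, which it need not be for a backdated certificate; if that proxy is deliberate, a comment saying so, plus a reference to the BR validity-period rule the day/month limits come from, would help the next maintainer, since the constants are otherwise unexplained. As a point of style, the EV branch's `} else {` wrapping a lone `if` could be `} else if d.Cert.NotAfter.After(d.Cert.NotBefore.AddDate(0, 27, 0)) {`, matching the DV/OV branch. Check starts before this hunk and continues past it (the closing of the switch and the final return are outside).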
@@ -1,8 +1,9 @@
 Incomplete chain for VR IDENT EV SSL CA 2016 W1.DONNER.DE 68636c860bca0d94ab2be &{[] 0 {0 0}}
 Processed Certificate Type: EV
-Certificate Errors: 5
+Certificate Errors: 6
 Priority: Error, Message: Certificate contains no Authority Info Access Issuers
 Priority: Error, Message: businessCategory is required for EV certificates
 Priority: Error, Message: jurisdictionCountryName is required for EV certificates
 Priority: Error, Message: serialNumber is required for EV certificates
 Priority: Info, Message: commonName field is deprecated
+ Priority: Error, Message: EV Certificate LifeTime exceeds 27 months