From c2aedb0231c0ee40df95acc12ad2cc89b2f93b81 Mon Sep 17 00:00:00 2001
From: Bryan Pitcher
Date: Fri, 7 Dec 2018 16:53:33 -0700
Subject: [PATCH 1/3] Previously, validity checks would always pass due to typo. Now compare NotAfter to (NotBefore + offset)

---
 checks/certificate/validity/validity.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/checks/certificate/validity/validity.go b/checks/certificate/validity/validity.go
index b631f6d..8f57d6a 100644
--- a/checks/certificate/validity/validity.go
+++ b/checks/certificate/validity/validity.go
@@ -20,18 +20,18 @@ func Check(d *certdata.Data) *errors.Errors {
 switch d.Type {
 case "EV":
- if d.Cert.NotBefore.After(d.Cert.NotBefore.AddDate(0, 27, 0)) {
+ if d.Cert.NotAfter.After(d.Cert.NotBefore.AddDate(0, 27, 0)) {
 e.Err("EV Certificate LifeTime exceeds 27 months")
 return e
 }
 case "DV", "OV":
 if d.Cert.NotBefore.After(time.Date(2015, 4, 1, 0, 0, 0, 0, time.UTC)) {
- if d.Cert.NotBefore.After(d.Cert.NotBefore.AddDate(0, 39, 0)) {
+ if d.Cert.NotAfter.After(d.Cert.NotBefore.AddDate(0, 39, 0)) {
 e.Err("Certificate LifeTime exceeds 39 months")
 return e
 }
 } else {
- if d.Cert.NotBefore.After(d.Cert.NotBefore.AddDate(0, 60, 0)) {
+ if d.Cert.NotAfter.After(d.Cert.NotBefore.AddDate(0, 60, 0)) {
 e.Err("Certificate LifeTime exceeds 60 months")
 return e
 }

From e49b03c71044245dc52cf98a4680dfc98fa3478e Mon Sep 17 00:00:00 2001
From: Bryan Pitcher
Date: Fri, 7 Dec 2018 19:29:31 -0700
Subject: [PATCH 2/3] Updated validity checks to reflect recent BR and EV guidelines impacted by ballot 193

---
 checks/certificate/validity/validity.go | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/checks/certificate/validity/validity.go b/checks/certificate/validity/validity.go
index 8f57d6a..7befc15 100644
--- a/checks/certificate/validity/validity.go
+++ b/checks/certificate/validity/validity.go
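Review bot: The corrected comparisons are not pinned by any test in this series, which is how the original typo (NotBefore compared against its own offset, so no branch could ever fire) went unnoticed; patch 3 only refreshes a golden file for the EV case. A small table-driven test that builds certificates (presumably d.Cert is an x509.Certificate, so NotBefore/NotAfter can be set directly) with lifetimes just inside and just outside each of the 27, 39 and 60 month limits would make a regression of this kind visible immediately. Separately, `AddDate(0, 27, 0)` normalises day overflow, so a 31 January NotBefore plus 27 months lands on 1 May rather than 30 April and the effective limit is a day lenient for end-of-month issuance; if the month-based limit is meant literally that is acceptable, but it deserves a comment such as `// AddDate normalises day overflow, so end-of-month NotBefore values get up to one extra day`. Check's body begins and ends outside the hunk.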
@@ -20,12 +20,24 @@ func Check(d *certdata.Data) *errors.Errors {
 switch d.Type {
 case "EV":
- if d.Cert.NotAfter.After(d.Cert.NotBefore.AddDate(0, 27, 0)) {
- e.Err("EV Certificate LifeTime exceeds 27 months")
- return e
+ if d.Cert.NotBefore.After(time.Date(2017, 3, 17, 0, 0, 0, 0, time.UTC)) {
+ if d.Cert.NotAfter.After(d.Cert.NotBefore.AddDate(0, 0, 825)) {
+ e.Err("EV Certificate LifeTime exceeds 825 days")
+ return e
+ }
+ } else {
+ if d.Cert.NotAfter.After(d.Cert.NotBefore.AddDate(0, 27, 0)) {
+ e.Err("EV Certificate LifeTime exceeds 27 months")
+ return e
+ }
 }
 case "DV", "OV":
- if d.Cert.NotBefore.After(time.Date(2015, 4, 1, 0, 0, 0, 0, time.UTC)) {
+ if d.Cert.NotBefore.After(time.Date(2018, 3, 1, 0, 0, 0, 0, time.UTC)) {
+ if d.Cert.NotAfter.After(d.Cert.NotBefore.AddDate(0, 0, 825)) {
+ e.Err("Certificate LifeTime exceeds 825 days")
+ return e
+ }
+ } else if d.Cert.NotBefore.After(time.Date(2016, 7, 1, 0, 0, 0, 0, time.UTC)) {
 if d.Cert.NotAfter.After(d.Cert.NotBefore.AddDate(0, 39, 0)) {
 e.Err("Certificate LifeTime exceeds 39 months")
 return e

From d33269ed60329fe6f34574215ac2f6d4272bf564 Mon Sep 17 00:00:00 2001
From: Bryan Pitcher
Date: Fri, 4 Jan 2019 18:27:10 -0700
Subject: [PATCH 3/3] Updated golden test files to reflect updated validity check.

---
 testdata/evissues.pem.golden | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/testdata/evissues.pem.golden b/testdata/evissues.pem.golden
index f2528c2..8c2be6a 100644
--- a/testdata/evissues.pem.golden
+++ b/testdata/evissues.pem.golden
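Review bot: Moving the DV/OV 39-month threshold from 2015-04-01 to 2016-07-01 silently reclassifies certificates whose NotBefore lies between those dates: they now fall through to the trailing else branch (outside this hunk, presumably still the 60-month check), so a 2015-issued certificate with, say, a 50-month lifetime that failed before this commit would pass after it. If that is what the ballot 193 wording calls for, say so next to the new condition, e.g. `// NotBefore between 2015-04-01 and 2016-07-01 intentionally falls through to the final else branch`; otherwise the 39-month branch should keep covering that window. Two smaller points: every threshold uses a strict `After`, so a certificate with NotBefore exactly 2018-03-01T00:00:00Z is held to 39 months rather than 825 days, and NotBefore is only a proxy for the issuance date the guidelines key on, which is worth one comment so the assumption is visible. The four branches now differ only in cut-off date, limit and message and could be collapsed into a single helper taking those as arguments, which would also make the boundary tests easier to write. Check begins and ends outside the hunk.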
@@ -1,8 +1,9 @@
 Incomplete chain for VR IDENT EV SSL CA 2016 W1.DONNER.DE 68636c860bca0d94ab2be &{[] 0 {0 0}}
 Processed Certificate Type: EV
-Certificate Errors: 5
+Certificate Errors: 6
 Priority: Error, Message: Certificate contains no Authority Info Access Issuers
 Priority: Error, Message: businessCategory is required for EV certificates
 Priority: Error, Message: jurisdictionCountryName is required for EV certificates
 Priority: Error, Message: serialNumber is required for EV certificates
 Priority: Info, Message: commonName field is deprecated
+ Priority: Error, Message: EV Certificate LifeTime exceeds 27 months