Bug 1222903 - Reject EV status for EV EE certs that are valid for longer than 27 months as well. r=keeler

2024-09-13 09:24:08 -07:00 · 2015-11-13 07:42:00 +01:00 · 2015-11-13 07:42:00 +01:00 · a764fbe8f1
commit a764fbe8f1
parent 878792ace5
6 changed files with 16 additions and 18 deletions
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@ -914,7 +914,8 @@ NSSCertDBTrustDomain::CheckValidityIsAcceptable(Time notBefore, Time notAfter,
    return Success;
  }

-  Duration DURATION_39_MONTHS((3 * 365 + 3 * 31) * Time::ONE_DAY_IN_SECONDS);
+  Duration DURATION_27_MONTHS_PLUS_SLOP((2 * 365 + 3 * 31 + 7) *
+                                        Time::ONE_DAY_IN_SECONDS);
  Duration maxValidityDuration(UINT64_MAX);
  Duration validityDuration(notBefore, notAfter);

@ -922,12 +923,9 @@ NSSCertDBTrustDomain::CheckValidityIsAcceptable(Time notBefore, Time notAfter,
    case ValidityCheckingMode::CheckingOff:
      return Success;
    case ValidityCheckingMode::CheckForEV:
-      // The EV Guidelines say the maximum is 27 months, but we use a higher
-      // limit here:
-      //  a) To (hopefully) minimize compatibility breakage.
-      //  b) Because there was some talk about raising the limit to 39 months to
-      //     match the BR limit.
-      maxValidityDuration = DURATION_39_MONTHS;
+      // The EV Guidelines say the maximum is 27 months, but we use a slightly
+      // higher limit here to (hopefully) minimize compatibility breakage.
+      maxValidityDuration = DURATION_27_MONTHS_PLUS_SLOP;
      break;
    default:
      PR_NOT_REACHED("We're not handling every ValidityCheckingMode type");
--- a/security/manager/ssl/tests/unit/pycert.py
+++ b/security/manager/ssl/tests/unit/pycert.py
@ -319,7 +319,7 @@ class Certificate(object):
        self.issuer = 'Default Issuer'
        actualNow = datetime.datetime.utcnow()
        self.now = datetime.datetime.strptime(str(actualNow.year), '%Y')
-        aYearAndAWhile = datetime.timedelta(days=550)
+        aYearAndAWhile = datetime.timedelta(days=400)
        self.notBefore = self.now - aYearAndAWhile
        self.notAfter = self.now + aYearAndAWhile
        self.subject = 'Default Subject'
--- a/security/manager/ssl/tests/unit/test_validity.js
+++ b/security/manager/ssl/tests/unit/test_validity.js
@ -63,7 +63,7 @@ function checkEVChains() {
  // Chain with an end entity cert with a validity period that is acceptable
  // for EV.
  const intFullName = "ev_int_60_months-evroot";
-  let eeFullName = `ev_ee_39_months-${intFullName}`;
+  let eeFullName = `ev_ee_27_months-${intFullName}`;
  let expectedNamesForOCSP = gEVExpected
                           ? [ intFullName,
                               eeFullName ]
@ -73,7 +73,7 @@ function checkEVChains() {

  // Chain with an end entity cert with a validity period that is too long
  // for EV.
-  eeFullName = `ev_ee_40_months-${intFullName}`;
+  eeFullName = `ev_ee_28_months-${intFullName}`;
  expectedNamesForOCSP = gEVExpected
                           ? [ intFullName,
                               eeFullName ]
--- a/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec
@ -1,5 +1,5 @@
 issuer:ev_int_60_months-evroot
-subject:ev_ee_39_months-ev_int_60_months-evroot
-validity:1188
-extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_39_months-ev_int_60_months-evroot/
+subject:ev_ee_27_months-ev_int_60_months-evroot
+validity:823
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_27_months-ev_int_60_months-evroot/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
--- a/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec
@ -1,5 +1,5 @@
 issuer:ev_int_60_months-evroot
-subject:ev_ee_40_months-ev_int_60_months-evroot
-validity:1219
-extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_40_months-ev_int_60_months-evroot/
+subject:ev_ee_28_months-ev_int_60_months-evroot
+validity:854
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_28_months-ev_int_60_months-evroot/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
--- a/security/manager/ssl/tests/unit/test_validity/moz.build
+++ b/security/manager/ssl/tests/unit/test_validity/moz.build
@ -5,8 +5,8 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.

 test_certificates = (
-    'ev_ee_39_months-ev_int_60_months-evroot.pem',
-    'ev_ee_40_months-ev_int_60_months-evroot.pem',
+    'ev_ee_27_months-ev_int_60_months-evroot.pem',
+    'ev_ee_28_months-ev_int_60_months-evroot.pem',
    'ev_int_60_months-evroot.pem',
    'evroot.pem',
 )