diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index 1498ea9713e..805365799aa 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -914,7 +914,8 @@ NSSCertDBTrustDomain::CheckValidityIsAcceptable(Time notBefore, Time notAfter,
 return Success;
 }
- Duration DURATION_39_MONTHS((3 * 365 + 3 * 31) * Time::ONE_DAY_IN_SECONDS);
+ Duration DURATION_27_MONTHS_PLUS_SLOP((2 * 365 + 3 * 31 + 7) *
+ Time::ONE_DAY_IN_SECONDS);
 Duration maxValidityDuration(UINT64_MAX);
 Duration validityDuration(notBefore, notAfter);
@@ -922,12 +923,9 @@ NSSCertDBTrustDomain::CheckValidityIsAcceptable(Time notBefore, Time notAfter,
 case ValidityCheckingMode::CheckingOff:
 return Success;
 case ValidityCheckingMode::CheckForEV:
- // The EV Guidelines say the maximum is 27 months, but we use a higher
- // limit here:
- // a) To (hopefully) minimize compatibility breakage.
- // b) Because there was some talk about raising the limit to 39 months to
- // match the BR limit.
- maxValidityDuration = DURATION_39_MONTHS;
+ // The EV Guidelines say the maximum is 27 months, but we use a slightly
+ // higher limit here to (hopefully) minimize compatibility breakage.
+ maxValidityDuration = DURATION_27_MONTHS_PLUS_SLOP;
 break;
 default:
 PR_NOT_REACHED("We're not handling every ValidityCheckingMode type");
diff --git a/security/manager/ssl/tests/unit/pycert.py b/security/manager/ssl/tests/unit/pycert.py
index 461a81fa235..fc78a3ecf2f 100755
--- a/security/manager/ssl/tests/unit/pycert.py
+++ b/security/manager/ssl/tests/unit/pycert.py
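Review bot: The 7-day slop baked into `DURATION_27_MONTHS_PLUS_SLOP` in NSSCertDBTrustDomain::CheckValidityIsAcceptable is not explained anywhere, and the name alone does not say how large it is. `(2 * 365 + 3 * 31 + 7)` works out to 830 days, while the test certificates in this commit use `validity:823` (accepted) and `validity:854` (rejected), so nothing pins the limit between those two values and a later edit to the slop within that range would pass unnoticed. I would add a comment above the constant such as `// 27 months counted as 2 * 365 + 3 * 31 days, plus 7 days of slop for compatibility.` and a test certificate just past the limit. The comparison against `maxValidityDuration` lies outside the hunk, so whether exactly 830 days is accepted cannot be confirmed from here; the function body starts and ends outside both hunks.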
@@ -319,7 +319,7 @@ class Certificate(object):
 self.issuer = 'Default Issuer'
 actualNow = datetime.datetime.utcnow()
 self.now = datetime.datetime.strptime(str(actualNow.year), '%Y')
- aYearAndAWhile = datetime.timedelta(days=550)
+ aYearAndAWhile = datetime.timedelta(days=400)
 self.notBefore = self.now - aYearAndAWhile
 self.notAfter = self.now + aYearAndAWhile
 self.subject = 'Default Subject'
diff --git a/security/manager/ssl/tests/unit/test_validity.js b/security/manager/ssl/tests/unit/test_validity.js
index a7d724bd3f5..4e4da00a5e9 100644
--- a/security/manager/ssl/tests/unit/test_validity.js
+++ b/security/manager/ssl/tests/unit/test_validity.js
@@ -63,7 +63,7 @@ function checkEVChains() {
 // Chain with an end entity cert with a validity period that is acceptable
 // for EV.
 const intFullName = "ev_int_60_months-evroot";
- let eeFullName = `ev_ee_39_months-${intFullName}`;
+ let eeFullName = `ev_ee_27_months-${intFullName}`;
 let expectedNamesForOCSP = gEVExpected ? [ intFullName, eeFullName ]
@@ -73,7 +73,7 @@ function checkEVChains() {
 // Chain with an end entity cert with a validity period that is too long
 // for EV.
- eeFullName = `ev_ee_40_months-${intFullName}`;
+ eeFullName = `ev_ee_28_months-${intFullName}`;
 expectedNamesForOCSP = gEVExpected ? [ intFullName, eeFullName ]
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_39_months-ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec
similarity index 61%
rename from security/manager/ssl/tests/unit/test_validity/ev_ee_39_months-ev_int_60_months-evroot.pem.certspec
rename to security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec
index ec7844e2394..d2c7fa12754 100644
--- a/security/manager/ssl/tests/unit/test_validity/ev_ee_39_months-ev_int_60_months-evroot.pem.certspec
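Review bot: The new `days=400` in class Certificate is a bare number with no stated link to the EV validity limit, and the name `aYearAndAWhile` does not say what it has to stay under. Default certificates now span 800 days (400 either side of `self.now`), which presumably was chosen to fit under the 830-day EV limit this commit sets in NSSCertDBTrustDomain.cpp; if so, the next change to that limit will break tests relying on the default validity with nothing here pointing at the cause. A comment on the line would cover it, for example `# 2 * 400 days stays under the EV validity limit checked in NSSCertDBTrustDomain.cpp`. The enclosing method starts and ends outside the hunk.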
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec
@@ -1,5 +1,5 @@
 issuer:ev_int_60_months-evroot
-subject:ev_ee_39_months-ev_int_60_months-evroot
-validity:1188
-extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_39_months-ev_int_60_months-evroot/
+subject:ev_ee_27_months-ev_int_60_months-evroot
+validity:823
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_27_months-ev_int_60_months-evroot/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_40_months-ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec
similarity index 61%
rename from security/manager/ssl/tests/unit/test_validity/ev_ee_40_months-ev_int_60_months-evroot.pem.certspec
rename to security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec
index 77274de44cb..2dcfb2e29ca 100644
--- a/security/manager/ssl/tests/unit/test_validity/ev_ee_40_months-ev_int_60_months-evroot.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec
@@ -1,5 +1,5 @@
 issuer:ev_int_60_months-evroot
-subject:ev_ee_40_months-ev_int_60_months-evroot
-validity:1219
-extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_40_months-ev_int_60_months-evroot/
+subject:ev_ee_28_months-ev_int_60_months-evroot
+validity:854
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_28_months-ev_int_60_months-evroot/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_validity/moz.build b/security/manager/ssl/tests/unit/test_validity/moz.build
index 8891f3e9557..993fd3db329 100644
--- a/security/manager/ssl/tests/unit/test_validity/moz.build
+++ b/security/manager/ssl/tests/unit/test_validity/moz.build
@@ -5,8 +5,8 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 test_certificates = (
- 'ev_ee_39_months-ev_int_60_months-evroot.pem',
- 'ev_ee_40_months-ev_int_60_months-evroot.pem',
+ 'ev_ee_27_months-ev_int_60_months-evroot.pem',
+ 'ev_ee_28_months-ev_int_60_months-evroot.pem',
 'ev_int_60_months-evroot.pem',
 'evroot.pem',
 )