increase ca validity to five years

Author: Ananth Bhaskararaman

cmd/bf/ca.go

@@ -203,7 +203,11 @@ var caIssueCmd = &cli.Command{
 			return cli.Exit("Error creating certificate request", 1)
 		}
 
-		notBefore, notAfter, err := tinyca.ParseValidity(notBeforeTime, notAfterTime)
+		notBefore, notAfter, err := tinyca.ParseValidity(
+			notBeforeTime,
+			notAfterTime,
+			tinyca.MaximumIssueValidity,
+		)
 		if err != nil {
 			bifrost.Logger().ErrorContext(ctx, "error parsing validity", "error", err)
 			return cli.Exit("Error parsing validity", 1)

cmd/bf/new.go

@@ -146,7 +146,11 @@ var newCmd = &cli.Command{
 				}
 
 				id := key.UUID(namespace)
-				notBefore, notAfter, err := tinyca.ParseValidity(notBeforeTime, notAfterTime)
+				notBefore, notAfter, err := tinyca.ParseValidity(
+					notBeforeTime,
+					notAfterTime,
+					tinyca.MaximumCACertValidity,
+				)
 				if err != nil {
 					return err
 				}

tinyca/ca.go

@@ -29,6 +29,11 @@ import (
 	"github.com/google/uuid"
 )
 
+const (
+	MaximumIssueValidity  = 24 * time.Hour           // 1 day
+	MaximumCACertValidity = 5 * 365 * 24 * time.Hour // 5 year
+)
+
 // CA is a simple Certificate Authority.
 // The CA issues client certificates signed by a root certificate and private key.
 // The CA provides an HTTP handler to issue certificates.
@@ -92,7 +97,7 @@ func (ca *CA) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	ctx := r.Context()
 
-	notBefore, notAfter, err := ParseValidity(nb, na)
+	notBefore, notAfter, err := ParseValidity(nb, na, MaximumIssueValidity)
 	if err != nil {
 		writeHTTPError(ctx, w, err.Error(), http.StatusBadRequest)
 		return

tinyca/validity.go

@@ -6,17 +6,18 @@ import (
 	"time"
 )
 
-// MaxIssueValidity is the maximum validity period for issued certificates.
-const MaxIssueValidity = 30 * 24 * time.Hour
-
 // ParseValidity parses notBefore and notAfter into time.Time values.
 // notBefore and notAfter can either be in RFC3339 format or a duration
 // offset from the current time.
 // Offset durations are parsed using time.ParseDuration.
 // If notBefore is empty or set to "now", it defaults to the current time.
 // If notAfter is empty, it behaves as if it is set to "+1h".
 // Negative validity periods are not allowed.
-func ParseValidity(notBefore string, notAfter string) (time.Time, time.Time, error) {
+func ParseValidity(
+	notBefore string,
+	notAfter string,
+	maxIssueValidity time.Duration,
+) (time.Time, time.Time, error) {
 	now := time.Now()
 	nbf := now
 	if notBefore != "" && notBefore != "now" {
@@ -38,7 +39,7 @@ func ParseValidity(notBefore string, notAfter string) (time.Time, time.Time, err
 		return time.Time{}, time.Time{}, errors.New("negative validity period")
 	}
 
-	if naf.Sub(nbf) > MaxIssueValidity {
+	if naf.Sub(nbf) > maxIssueValidity {
 		return time.Time{}, time.Time{}, errors.New("validity period is too long")
 	}