CBL-7107: Identity/Cert expiration date should not be too old (#3474)

Author: velicuvlad

Objective-C/Tests/TLSIdentityTest.m

@@ -522,6 +522,20 @@ - (void) testCreateIdentityWithNoAttributes {
     Assert([error.localizedDescription containsString: @"-67655"]);
 }
 
+- (void) testCertificateExpirationAlreadyPast {
+    XCTSkipUnless(self.keyChainAccessAllowed);
+    NSDate* expired = [NSDate distantPast];
+
+    [self expectException: @"NSInvalidArgumentException" in:^{
+        NSError* error;
+        [CBLTLSIdentity createIdentityForKeyUsages: kCBLKeyUsagesServerAuth
+                                        attributes: kServerCertAttrs
+                                        expiration: expired
+                                             label: kServerCertLabel
+                                             error: &error];
+    }];
+}
+
 - (void) testCertificateExpiration {
     XCTSkipUnless(self.keyChainAccessAllowed);
 

Swift/Tests/TLSIdentityTest.swift

@@ -412,6 +412,21 @@ class TLSIdentityTest: CBLTestCase {
         }
     }
 
+    func testCertificateExpirationAlreadyPast() throws {
+        try XCTSkipUnless(keyChainAccessAllowed)
+
+        // A date definitely in the past
+        let expired = Date.distantPast
+
+        expectException(exception: .invalidArgumentException) {
+            _ = try? TLSIdentity.createIdentity(
+                for: .serverAuth,
+                attributes: [certAttrCommonName: "CBL-Server"],
+                expiration: expired,
+                label: self.serverCertLabel)
+        }
+    }
+    
     func testCertificateExpiration() throws {
         try XCTSkipUnless(keyChainAccessAllowed)