Ceremony: add checks for too-large validity period (#8446)

aarongable · web-flow · commit 7d873fe3f5f8 · 2025-10-17T14:48:44.000-07:00
We commit to these values in our CP/CPS, we should enforce them in code
as well.
diff --git a/cmd/ceremony/cert.go b/cmd/ceremony/cert.go
@@ -252,11 +252,23 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
 		if err != nil {
 			return nil, err
 		}
-		cert.NotBefore = notBefore
 		notAfter, err := time.Parse(time.DateTime, profile.NotAfter)
 		if err != nil {
 			return nil, err
 		}
+		validity := notAfter.Add(time.Second).Sub(notBefore)
+		if ct == rootCert && validity >= 9132*24*time.Hour {
+			// The value 9132 comes directly from the BRs, where it is described
+			// as "approximately 25 years". It's equal to 365 * 25 + 7, to allow
+			// for some leap years.
+			return nil, fmt.Errorf("root cert validity too large: %s >= 25 years", validity)
+		} else if (ct == intermediateCert || ct == crossCert) && validity >= 8*365*24*time.Hour {
+			// Our CP/CPS states "at most 8 years", so we calculate that number
+			// in the most conservative way (i.e. not accounting for leap years)
+			// to give ourselves a buffer.
+			return nil, fmt.Errorf("subordinate CA cert validity too large: %s >= 8 years", validity)
+		}
+		cert.NotBefore = notBefore
 		cert.NotAfter = notAfter
 	}
 
diff --git a/test/certs/intermediate-cert-ceremony-ecdsa-cross.yaml b/test/certs/intermediate-cert-ceremony-ecdsa-cross.yaml
@@ -15,8 +15,8 @@ certificate-profile:
     common-name: {{ .CommonName }}
     organization: good guys
     country: US
-    not-before: 2020-01-01 12:00:00
-    not-after: 2040-01-01 12:00:00
+    not-before: 2025-07-01 00:00:00
+    not-after: 2030-06-30 23:59:59
     crl-url:  http://rsa.example.com/crl
     issuer-url:  http://rsa.example.com/cert
     policies:
diff --git a/test/certs/intermediate-cert-ceremony-ecdsa.yaml b/test/certs/intermediate-cert-ceremony-ecdsa.yaml
@@ -14,8 +14,8 @@ certificate-profile:
     common-name: {{ .CommonName }}
     organization: good guys
     country: US
-    not-before: 2020-01-01 12:00:00
-    not-after: 2040-01-01 12:00:00
+    not-before: 2025-07-01 00:00:00
+    not-after: 2030-06-30 23:59:59
     crl-url:  http://ecdsa.example.com/crl
     issuer-url:  http://ecdsa.example.com/cert
     policies:
diff --git a/test/certs/intermediate-cert-ceremony-rsa.yaml b/test/certs/intermediate-cert-ceremony-rsa.yaml
@@ -14,8 +14,8 @@ certificate-profile:
     common-name: {{ .CommonName }}
     organization: good guys
     country: US
-    not-before: 2020-01-01 12:00:00
-    not-after: 2040-01-01 12:00:00
+    not-before: 2025-07-01 00:00:00
+    not-after: 2030-06-30 23:59:59
     crl-url:  http://rsa.example.com/crl
     issuer-url:  http://rsa.example.com/cert
     policies:
