You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The validity period for a certificate is the period of time from
notBefore through notAfter, inclusive.
This means that a certificate with a notBefore timestamp of 2021-01-01 01:01:01 GMT and a notAfter timestamp of 2021-01-01 02:01:01 GMT actually has a "validity period" of 1 hour and one second.
For the purpose of calculations, a day is measured as 86,400 seconds. Any amount of
time greater than this, including fractional seconds and/or leap seconds, shall represent
an additional day. For this reason, Subscriber Certificates SHOULD NOT be issued for
the maximum permissible time by default, in order to account for such adjustments.
When zlint calculates the validity period of a certificate (in the apple, cabf_br, and ev versions of the 825_days and 39_months lints) it does so using this computation:
In other words, it adds 825 days to the notBefore, and checks to see if that date falls before the notAfter. This does not account for the maximum validity period being inclusive of the time represented by the notAfter timestamp.
I have created a pair of tests. The first one uses a certificate with a lifetime of exactly 825 days, inclusive, and passes:
funcTestSubCertValidTimeExactly825DaysInclusive(t*testing.T) {
// This certificate has a notBefore of XXX and a notAfter of YYY, giving it// a validity period (calculated inclusive of both endpoints, as per RFC5280)// of exactly 825 days (71280000 seconds).inputPath:="subCertExactly825DaysInclusive.pem"expected:=lint.Passout:=test.TestLint("e_sub_cert_valid_time_longer_than_825_days", inputPath)
ifout.Status!=expected {
t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
}
}
The second one uses a certificate with a validity period of 825 days and one second, which should be rejected, but the test fails as zlint sees no problem with this certificate:
funcTestSubCertValidTimeExactly825DaysExclusive(t*testing.T) {
// This certificate has a notBefore of XXX and a notAfter of YYY, giving it// a validity period (calculated inclusive of both endpoints, as per RFC5280)// of exactly 825 days and one second (71280001 seconds).inputPath:="subCertExactly825DaysExclusive.pem"expected:=lint.Errorout:=test.TestLint("e_sub_cert_valid_time_longer_than_825_days", inputPath)
ifout.Status!=expected {
t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
}
}
Unfortunately, fixing this is not as trivial as simply offsetting the calculation by one second. Per RFC 5280, the notBefore and notAfter timestamps may be encoded either as UTCTime or as GenralizedTime (with requirements on which is used based on the date being represented). Unfortunately, UTCTime allows timestamp granularity of either seconds or minutes. Meaning that a fully correct implementation of this must determine the granularity of the timestamp and perform the inclusive validity time computation accordingly.
The text was updated successfully, but these errors were encountered:
The context being that there were existing lints that used the old BR definitions. The new lints that were added for 398 day certs - also part of SC31 - use the definition that accompanied that ballot
RFC 5280, Section 4.1.2.5, says:
This means that a certificate with a notBefore timestamp of 2021-01-01 01:01:01 GMT and a notAfter timestamp of 2021-01-01 02:01:01 GMT actually has a "validity period" of 1 hour and one second.
The Baseline Requirements, Section 6.3.2, say:
When zlint calculates the validity period of a certificate (in the apple, cabf_br, and ev versions of the 825_days and 39_months lints) it does so using this computation:
zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go
Line 45 in 7e75dc3
In other words, it adds 825 days to the
notBefore
, and checks to see if that date falls before thenotAfter
. This does not account for the maximum validity period being inclusive of the time represented by thenotAfter
timestamp.I have created a pair of tests. The first one uses a certificate with a lifetime of exactly 825 days, inclusive, and passes:
The second one uses a certificate with a validity period of 825 days and one second, which should be rejected, but the test fails as zlint sees no problem with this certificate:
You can see both tests here: master...aarongable:validity-period-tests
Unfortunately, fixing this is not as trivial as simply offsetting the calculation by one second. Per RFC 5280, the
notBefore
andnotAfter
timestamps may be encoded either as UTCTime or as GenralizedTime (with requirements on which is used based on the date being represented). Unfortunately, UTCTime allows timestamp granularity of either seconds or minutes. Meaning that a fully correct implementation of this must determine the granularity of the timestamp and perform the inclusive validity time computation accordingly.The text was updated successfully, but these errors were encountered: