Enforce 825 day BR compliance period for publicly trusted certs
Issue description

Following the adoption of Ballot 193, in Baseline Requirements version 1.4.4, the maximum validity period of certificates is limited to 825 days for certificates issued on/after 2018-03-01. Consistent with the meta-issue Issue 102949, enforce the validity period for such certificates.
Jan 23 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/1f9eb9f1f6345f1992e54346044dc5022ad50c11

commit 1f9eb9f1f6345f1992e54346044dc5022ad50c11
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Tue Jan 23 21:25:14 2018

Enforce 825-day cert limit, per the Baseline Requirements

Ballot 193 / BR version 1.4.4 limits the lifetime of certificates to 825 days if issued on or after 2018-03-01. Update the lifetime enforcement in CertVerifyProc::HasTooLongValidity() to enforce this date range, in addition to the existing tests.

Unlike the existing calculations, which are based on months, and thus inherently fuzzy as to what constitutes a month (see CA/B Forum archives), this is based on base::TimeDelta functions, which measures in microseconds and ignores leap seconds.

BUG= 799896
Change-Id: I260ac3b46cbcf066fea286231ed0c7045608879c
Reviewed-on: https://chromium-review.googlesource.com/853893
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Eric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531354}

[modify] https://crrev.com/1f9eb9f1f6345f1992e54346044dc5022ad50c11/net/BUILD.gn
[modify] https://crrev.com/1f9eb9f1f6345f1992e54346044dc5022ad50c11/net/cert/cert_verify_proc.cc
[modify] https://crrev.com/1f9eb9f1f6345f1992e54346044dc5022ad50c11/net/cert/cert_verify_proc.h
[modify] https://crrev.com/1f9eb9f1f6345f1992e54346044dc5022ad50c11/net/cert/cert_verify_proc_unittest.cc
[add] https://crrev.com/1f9eb9f1f6345f1992e54346044dc5022ad50c11/net/data/ssl/certificates/825_days_1_second_after_2018_03_01.pem
[add] https://crrev.com/1f9eb9f1f6345f1992e54346044dc5022ad50c11/net/data/ssl/certificates/825_days_after_2018_03_01.pem
[add] https://crrev.com/1f9eb9f1f6345f1992e54346044dc5022ad50c11/net/data/ssl/certificates/826_days_after_2018_03_01.pem
[modify] https://crrev.com/1f9eb9f1f6345f1992e54346044dc5022ad50c11/net/data/ssl/scripts/generate-test-certs.sh
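
The fixed-duration check described in the commit message above, as an added example that is not Chromium's code (the real logic is in CertVerifyProc::HasTooLongValidity()). Assumptions: the function names are hypothetical, the issuance date is taken from notBefore, times are UTC seconds since the Unix epoch, and a validity strictly longer than 825 days, or an inverted interval, is rejected.

```cpp
#include <cstdint>
#include <cstdio>

// Days since 1970-01-01 for a Gregorian calendar date (days-from-civil
// algorithm), so no timegm() or local time zone is involved.
int64_t DaysFromCivil(int64_t y, int m, int d) {
  y -= (m <= 2);
  const int64_t era = (y >= 0 ? y : y - 399) / 400;
  const int64_t yoe = y - era * 400;  // year of era, [0, 399]
  const int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
  const int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
  return era * 146097 + doe - 719468;
}

// UTC calendar time to seconds since the Unix epoch, ignoring leap seconds.
int64_t UtcSeconds(int y, int mo, int d, int h = 0, int mi = 0, int s = 0) {
  return DaysFromCivil(y, mo, d) * 86400 + h * 3600 + mi * 60 + s;
}

const int64_t kSecondsPerDay = 86400;
const int64_t kMaxValidity = 825 * kSecondsPerDay;

// Hypothetical helper: true when the 825-day rule applies and is violated.
// Assumption: notBefore stands in for the issuance date.
bool ExceedsBallot193Limit(int64_t not_before, int64_t not_after) {
  if (not_after < not_before) return true;  // inverted interval: reject
  if (not_before < UtcSeconds(2018, 3, 1)) return false;  // rule not in scope
  return (not_after - not_before) > kMaxValidity;
}

int main() {
  // Constructed validity periods mirroring the names of the test certificates
  // the commit adds; the real files' dates are not shown on this page.
  const int64_t start = UtcSeconds(2018, 3, 1);
  const struct { const char* label; int64_t nb, na; } cases[] = {
      {"825 days", start, start + kMaxValidity},
      {"825 days + 1 second", start, start + kMaxValidity + 1},
      {"826 days", start, start + 826 * kSecondsPerDay},
      {"826 days, issued 1s before cutoff", start - 1,
       start - 1 + 826 * kSecondsPerDay},
  };
  for (const auto& c : cases)
    std::printf("%-36s too long: %s\n", c.label,
                ExceedsBallot193Limit(c.nb, c.na) ? "yes" : "no");
  return 0;
}
```

A notBefore earlier than the cutoff only takes a certificate out of scope for this rule; the commit message states that the 825-day check is enforced in addition to the existing tests.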
Jan 27 2018
Comment 1 by rsleevi@chromium.org, Jan 8 2018