Reject certificates that are valid for too long.

net/data/ssl/scripts/generate-test-certs.sh

Index: net/data/ssl/scripts/generate-test-certs.sh
diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh
index d62bb988a5ddc2730068b83e4a0ce1e036d2cdc2..70c20e62ec2d91562c5f8acc372cb6f2575dcc28 100755
--- a/net/data/ssl/scripts/generate-test-certs.sh
+++ b/net/data/ssl/scripts/generate-test-certs.sh
@@ -124,7 +124,140 @@ try openssl req -x509 -days 3650 -extensions req_san_sanity \
 SUBJECT_NAME="req_punycode_dn" \
   try openssl req -x509 -days 3650 -extensions req_punycode \
     -config ../scripts/ee.cnf -newkey rsa:2048 -text \
-     -out ../certificates/punycodetest.pem
+    -out ../certificates/punycodetest.pem
+
+## Reject intranet hostnames in "publicly" trusted certs
+# 365 * 3 = 1095
+SUBJECT_NAME="req_dn" \
+  try openssl req -x509 -days 1095 \
+    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
+    -out ../certificates/reject_intranet_hosts.pem
+
+## Validity too long unit test support.
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/10_year_validity.req
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 081030000000Z \
+    -enddate 181029000000Z \
+    -in ../certificates/10_year_validity.req \
+    -out ../certificates/10_year_validity.pem \
+    -config ca.cnf
+# 365 * 11 = 4015
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/11_year_validity.req
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 141030000000Z \
+    -days 4015 \
+    -in ../certificates/11_year_validity.req \
+    -out ../certificates/11_year_validity.pem \
+    -config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/39_months_after_2015_04.req
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 150402000000Z \
+    -enddate 180702000000Z \
+    -in ../certificates/39_months_after_2015_04.req \
+    -out ../certificates/39_months_after_2015_04.pem \
+    -config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 150402000000Z \
+    -enddate 180801000000Z \
+    -in ../certificates/40_months_after_2015_04.req \
+    -out ../certificates/40_months_after_2015_04.pem \
+    -config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/60_months_after_2012_07.req
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 141030000000Z \
+    -enddate 190930000000Z \
+    -in ../certificates/60_months_after_2012_07.req \
+    -out ../certificates/60_months_after_2012_07.pem \
+    -config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req
+# 30 * 61 = 1830
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 141030000000Z \
+    -days 1830 \
+    -in ../certificates/61_months_after_2012_07.req \
+    -out ../certificates/61_months_after_2012_07.pem \
+    -config ca.cnf
+# start date after expiry date
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 180901000000Z \
+    -enddate 150402000000Z \

[Ryan Sleevi, 2015/01/22 02:04:40]

You inconsistently align these dates in the file. Pick a form and stick with it
:)

(Compare 212-213 with 226-227)

[palmer, 2015/01/22 20:05:05]

Done.

+    -in ../certificates/start_after_expiry.req \
+    -out ../certificates/start_after_expiry.pem \
+    -config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/start_after_expiry.req
+# Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 080101000000Z \
+    -enddate   150101000000Z \
+    -in ../certificates/pre_br_validity_ok.req \
+    -out ../certificates/pre_br_validity_ok.pem \
+    -config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/pre_br_validity_ok.req
+# Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 080101000000Z \
+    -enddate   180501000000Z \
+    -in ../certificates/pre_br_validity_bad_121.req \
+    -out ../certificates/pre_br_validity_bad_121.pem \
+    -config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_121.req
+# Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req
+CA_COMMON_NAME="Test Root CA" \
+  try openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 120501000000Z \
+    -enddate   190703000000Z \
+    -in ../certificates/pre_br_validity_bad_2020.req \
+    -out ../certificates/pre_br_validity_bad_2020.pem \
+    -config ca.cnf
+try openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out ../certificates/pre_br_validity_bad_2020.req
 
 # Regenerate CRLSets
 ## Block a leaf cert directly by SPKI