Merge pull request #1710 from tosticated/3.1dev

Added check for certificate validity longer than 398 days
2025-10-31 05:45:26 +01:00 · 2020-09-08 15:37:07 +02:00
parent b6bab1e1b5 ad8a52ec4f
commit 794bbe30af
3 changed files with 25 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@
 * Don't penalize missing trust in rating when CA not in Java store
 * Added support for certificates with EdDSA signatures and pubilc keys
 * --add-ca can also now be a directory with \*.pem files
+* Warning of 398 day limit for certificates issued after 2020/9/1

 ### Features implemented / improvements in 3.0

--- a/CREDITS.md
+++ b/CREDITS.md
@@ -39,6 +39,9 @@ Full contribution, see git log.
 * Christoph Badura
  - NetBSD fixes

+* Jim Blankendaal
+  - maximum certificate lifespan of 398 days 
+
 * Frank Breedijk
  - Detection of insecure redirects
  - JSON and CSV output
--- a/testssl.sh
+++ b/testssl.sh
@@ -8353,6 +8353,7 @@ certificate_info() {
     local caa_node="" all_caa="" caa_property_name="" caa_property_value=""
     local response=""
     local yearstart yearend clockstart clockend y m d
+     local gt_398=false gt_398warn=false
     local gt_825=false gt_825warn=false
     local badocsp=1 

@@ -9111,6 +9112,26 @@ certificate_info() {
          out "$spaces"
          prln_svrty_medium ">= 5 years is too long"
          fileout "cert_validityPeriod${json_postfix}" "MEDIUM" "$((diffseconds / (3600 * 24) )) days"
+     elif [[ $diffseconds -ge $((3600 * 24 * 398 + 1)) ]]; then
+     # Also "official" certificates issued from september 1st 2020 (1598918400) aren't supposed
+     # to be valid longer than 398 days which is 34387200 in epoch seconds
+          gt_398=true
+          if "$HAS_OPENBSDDATE"; then
+               if [[ 20200901 -le ${yearstart//-/} ]]; then
+                    gt_398warn=true
+               fi
+          elif [[ $(parse_date "$startdate" "+%s" $'%F %H:%M') -ge 1598918400 ]]; then
+               gt_398warn=true
+          fi
+          # Now, the verdict, depending on the issuing date
+          out "$spaces"
+          if "$gt_398warn" && "$gt_398"; then
+               prln_svrty_medium "> 398 days issued after 2020/09/01 is too long"
+               fileout "cert_validityPeriod${json_postfix}" "MEDIUM" "$((diffseconds / (3600 * 24) )) > 398 days"
+          elif "$gt_398"; then
+               outln ">= 398 days certificate life time but issued before 2020/09/01"
+               fileout "cert_validityPeriod${json_postfix}" "INFO" "$((diffseconds / (3600 * 24) )) =< 398 days"
+          fi
     elif [[ $diffseconds -ge $((3600 * 24 * 825 + 1)) ]]; then
     # Also "official" certificates issued from March 1st, 2018 (1517353200) aren't supposed
     # to be valid longer than 825 days which is 1517353200 in epoch seconds