@@ -360,6 +360,48 @@ def finalize_order(kid:, order_id:, csr:)
360360 end
361361 end
362362
363+ it "rejects orders with notAfter beyond the maximum validity duration" do
364+ register_account
365+ kid = last_response . headers [ "Location" ]
366+
367+ get "/nonces"
368+ nonce = last_response . headers [ "Replay-Nonce" ]
369+
370+ jwk = {
371+ typ : "JWT" ,
372+ alg : "RS256" ,
373+ kid :,
374+ nonce :,
375+ url : "/orders"
376+ } . to_json
377+ encoded_jwk = acme_base64 ( jwk )
378+
379+ now = Time . now
380+ payload = {
381+ identifiers : [ { "type" => "dns" , "value" => "good.test.domain" } ] ,
382+ notBefore : ( now + 86_400 ) . iso8601 ,
383+ notAfter : ( now + ( 90 * 24 * 60 * 60 ) + 86_400 ) . iso8601
384+ } . to_json
385+ encoded_payload = acme_base64 ( payload )
386+ signature_data = "#{ encoded_jwk } .#{ encoded_payload } "
387+
388+ body = {
389+ protected : encoded_jwk ,
390+ payload : encoded_payload ,
391+ signature : acme_sign ( account_key , signature_data )
392+ } . to_json
393+
394+ post "/orders" , body , { "CONTENT_TYPE" => "application/jose+json" }
395+
396+ expect ( last_response . status ) . to eq ( 400 )
397+ expect ( last_response . headers [ "Content-Type" ] ) . to \
398+ eq ( "application/problem+json" )
399+
400+ parsed_body = JSON . parse ( last_response . body )
401+ expect ( parsed_body [ "type" ] ) . to \
402+ eq ( "urn:ietf:params:acme:error:invalidOrder" )
403+ end
404+
363405 it "rejects finalization with CSR for wrong domain" do
364406 register_account
365407 kid = last_response . headers [ "Location" ]
0 commit comments