Skip to content

Commit f858418

Browse files
authored
Merge pull request #104 from jgnagy/fix/cert-validity-constant
fix: replace undefined CERT_VALIDITY_DURATION constant with config call
2 parents ea45e01 + 8dc0ed0 commit f858418

2 files changed

Lines changed: 43 additions & 1 deletion

File tree

lib/bullion/helpers/acme.rb

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -174,7 +174,7 @@ def validate_order_nb_and_na(not_before, not_after)
174174
# don't allow nonsense certs
175175
raise Bullion::Acme::Errors::InvalidOrder unless nb < na
176176
# don't allow far-future certs
177-
if nb > Time.now + (7 * 86_400) || na > Time.now + CERT_VALIDITY_DURATION
177+
if nb > Time.now + (7 * 86_400) || na > Time.now + Bullion.config.ca.cert_validity_duration
178178
raise Bullion::Acme::Errors::InvalidOrder
179179
end
180180

spec/bullion/services/ca_negative_spec.rb

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -360,6 +360,48 @@ def finalize_order(kid:, order_id:, csr:)
360360
end
361361
end
362362

363+
it "rejects orders with notAfter beyond the maximum validity duration" do
364+
register_account
365+
kid = last_response.headers["Location"]
366+
367+
get "/nonces"
368+
nonce = last_response.headers["Replay-Nonce"]
369+
370+
jwk = {
371+
typ: "JWT",
372+
alg: "RS256",
373+
kid:,
374+
nonce:,
375+
url: "/orders"
376+
}.to_json
377+
encoded_jwk = acme_base64(jwk)
378+
379+
now = Time.now
380+
payload = {
381+
identifiers: [{ "type" => "dns", "value" => "good.test.domain" }],
382+
notBefore: (now + 86_400).iso8601,
383+
notAfter: (now + (90 * 24 * 60 * 60) + 86_400).iso8601
384+
}.to_json
385+
encoded_payload = acme_base64(payload)
386+
signature_data = "#{encoded_jwk}.#{encoded_payload}"
387+
388+
body = {
389+
protected: encoded_jwk,
390+
payload: encoded_payload,
391+
signature: acme_sign(account_key, signature_data)
392+
}.to_json
393+
394+
post "/orders", body, { "CONTENT_TYPE" => "application/jose+json" }
395+
396+
expect(last_response.status).to eq(400)
397+
expect(last_response.headers["Content-Type"]).to \
398+
eq("application/problem+json")
399+
400+
parsed_body = JSON.parse(last_response.body)
401+
expect(parsed_body["type"]).to \
402+
eq("urn:ietf:params:acme:error:invalidOrder")
403+
end
404+
363405
it "rejects finalization with CSR for wrong domain" do
364406
register_account
365407
kid = last_response.headers["Location"]

0 commit comments

Comments
 (0)