Warn if the signing certificates have a validity period > 10 years (#2174).

author: Carl Hetherington <cth@carlh.net> 2022-02-12 23:11:44 +0100
committer: Carl Hetherington <cth@carlh.net> 2022-02-12 23:15:31 +0100
commit: 3e6b2d886961177c8d89b3f9168393d33c13bff2 (patch)
tree: 34db251b8c936579d91a549a4a40928c413396a4 /src/lib/config.cc
parent: 9bda3fda70912d73266a2dbac5470ca23d2ff6fd (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/src/lib/config.cc b/src/lib/config.cc
index abf0eb42b..371682966 100644
--- a/src/lib/config.cc
+++ b/src/lib/config.cc
@@ -456,6 +456,9 @@ try
 		if (i.has_utf8_strings()) {
 			bad = BAD_SIGNER_UTF8_STRINGS;
 		}
+		if ((i.not_after().year() - i.not_before().year()) > 15) {
+			bad = BAD_SIGNER_VALIDITY_TOO_LONG;
+		}
 	}
 
 	if (!_signer_chain->chain_valid() || !_signer_chain->private_key_valid()) {
@@ -472,6 +475,7 @@ try
 			switch (*bad) {
 			case BAD_SIGNER_UTF8_STRINGS:
 			case BAD_SIGNER_INCONSISTENT:
+			case BAD_SIGNER_VALIDITY_TOO_LONG:
 				_signer_chain = create_certificate_chain ();
 				break;
 			case BAD_DECRYPTION_INCONSISTENT:
author	Carl Hetherington <cth@carlh.net>	2022-02-12 23:11:44 +0100
committer	Carl Hetherington <cth@carlh.net>	2022-02-12 23:15:31 +0100
commit	3e6b2d886961177c8d89b3f9168393d33c13bff2 (patch)
tree	34db251b8c936579d91a549a4a40928c413396a4 /src/lib/config.cc
parent	9bda3fda70912d73266a2dbac5470ca23d2ff6fd (diff)