Remove default authorization lifetime values (letsencrypt#5931)

andygabby · web-flow · commit f69f52459cc2 · 2022-02-07T21:35:12.000-07:00
Enforce that authorizationLifetimeDays and pendingAuthorizationLifetimeDays values are configured and set to a value compliant with the v1.8.1 of the CA/B Forum Baseline Requirements. Fixes letsencrypt#5923
diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go
@@ -211,17 +211,23 @@ func main() {
 	}
 	ctp = ctpolicy.New(pubc, c.RA.CTLogGroups2, c.RA.InformationalCTLogs, logger, scope)
 
-	// TODO(patf): remove once RA.authorizationLifetimeDays is deployed
-	authorizationLifetime := 300 * 24 * time.Hour
-	if c.RA.AuthorizationLifetimeDays != 0 {
-		authorizationLifetime = time.Duration(c.RA.AuthorizationLifetimeDays) * 24 * time.Hour
+	// Baseline Requirements v1.8.1 section 4.2.1: "any reused data, document,
+	// or completed validation MUST be obtained no more than 398 days prior
+	// to issuing the Certificate". If unconfigured or the configured value is
+	// greater than 397 days, bail out.
+	if c.RA.AuthorizationLifetimeDays <= 0 || c.RA.AuthorizationLifetimeDays > 397 {
+		cmd.Fail("authorizationLifetimeDays value must be greater than 0 and less than 398")
 	}
-
-	// TODO(patf): remove once RA.pendingAuthorizationLifetimeDays is deployed
-	pendingAuthorizationLifetime := 7 * 24 * time.Hour
-	if c.RA.PendingAuthorizationLifetimeDays != 0 {
-		pendingAuthorizationLifetime = time.Duration(c.RA.PendingAuthorizationLifetimeDays) * 24 * time.Hour
+	authorizationLifetime := time.Duration(c.RA.AuthorizationLifetimeDays) * 24 * time.Hour
+
+	// The Baseline Requirements v1.8.1 state that validation tokens "MUST
+	// NOT be used for more than 30 days from its creation". If unconfigured
+	// or the configured value pendingAuthorizationLifetimeDays is greater
+	// than 29 days, bail out.
+	if c.RA.PendingAuthorizationLifetimeDays <= 0 || c.RA.PendingAuthorizationLifetimeDays > 29 {
+		cmd.Fail("pendingAuthorizationLifetimeDays value must be greater than 0 and less than 30")
 	}
+	pendingAuthorizationLifetime := time.Duration(c.RA.PendingAuthorizationLifetimeDays) * 24 * time.Hour
 
 	// TODO(#5851): Remove these fallbacks when the old config keys are gone.
 	if c.RA.GoodKey.WeakKeyFile == "" && c.RA.WeakKeyFile != "" {
diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
@@ -406,15 +406,23 @@ func main() {
 		c.WFE.StaleTimeout.Duration = time.Minute * 10
 	}
 
-	authorizationLifetime := 30 * (24 * time.Hour)
-	if c.WFE.AuthorizationLifetimeDays != 0 {
-		authorizationLifetime = time.Duration(c.WFE.AuthorizationLifetimeDays) * (24 * time.Hour)
+	// Baseline Requirements v1.8.1 section 4.2.1: "any reused data, document,
+	// or completed validation MUST be obtained no more than 398 days prior
+	// to issuing the Certificate". If unconfigured or the configured value is
+	// greater than 397 days, bail out.
+	if c.WFE.AuthorizationLifetimeDays <= 0 || c.WFE.AuthorizationLifetimeDays > 397 {
+		cmd.Fail("authorizationLifetimeDays value must be greater than 0 and less than 398")
 	}
-
-	pendingAuthorizationLifetime := 7 * (24 * time.Hour)
-	if c.WFE.PendingAuthorizationLifetimeDays != 0 {
-		pendingAuthorizationLifetime = time.Duration(c.WFE.PendingAuthorizationLifetimeDays) * (24 * time.Hour)
+	authorizationLifetime := time.Duration(c.WFE.AuthorizationLifetimeDays) * 24 * time.Hour
+
+	// The Baseline Requirements v1.8.1 state that validation tokens "MUST
+	// NOT be used for more than 30 days from its creation". If unconfigured
+	// or the configured value pendingAuthorizationLifetimeDays is greater
+	// than 29 days, bail out.
+	if c.WFE.PendingAuthorizationLifetimeDays <= 0 || c.WFE.PendingAuthorizationLifetimeDays > 29 {
+		cmd.Fail("pendingAuthorizationLifetimeDays value must be greater than 0 and less than 30")
 	}
+	pendingAuthorizationLifetime := time.Duration(c.WFE.PendingAuthorizationLifetimeDays) * 24 * time.Hour
 
 	var accountGetter wfe2.AccountGetter
 	if c.WFE.AccountCache != nil {
