Make 1-hour validity period configurable via cflag

namecoin · Aug 25, 2021 · 06cc20d · 06cc20d
1 parent 5dea8e0
commit 06cc20d
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 5 deletions.
diff --git a/config.go b/config.go
@@ -0,0 +1,36 @@
+// Copyright 2021 Jeremy Rand.
+
+// This file is part of safetlsa.
+//
+// safetlsa is free software: you can redistribute it and/or
+// modify it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// safetlsa is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with safetlsa.  If not, see
+// <https://www.gnu.org/licenses/>.
+
+package safetlsa
+
+import (
+	"time"
+
+	"gopkg.in/hlandau/easyconfig.v1/cflag"
+)
+
+var (
+	flagGroup    = cflag.NewGroup(nil, "safetlsa")
+	validityFlag = cflag.Int(flagGroup, "validity-short-term-seconds", 1*60*60,
+		"Use the time of signing +/- this duration as the validity period "+
+		"for short-term certificates.")
+)
+
+func ValidityShortTerm() time.Duration {
+	return validityFlag.Value() * time.Second
+}
diff --git a/generate_domain_ca.go b/generate_domain_ca.go
@@ -81,8 +81,8 @@ func GenerateDomainCA(domain string, publicKeyBytes []byte, parentDERBytes []byt
 			CommonName: domain + " Domain AIA Parent CA",
 			SerialNumber: "Namecoin TLS Certificate",
 		},
-		NotBefore: time.Now().Add(-1 * time.Hour),
-		NotAfter:  time.Now().Add(1 * time.Hour),
+		NotBefore: time.Now().Add(-1 * ValidityShortTerm()),
+		NotAfter:  time.Now().Add(1 * ValidityShortTerm()),
 
 		IsCA: true,
 		//KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,

diff --git a/generate_root_ca.go b/generate_root_ca.go
@@ -101,7 +101,7 @@ func GenerateRootCA(commonNamePrefix string) ([]byte, interface{}, error) {
 			CommonName: commonNamePrefix + " Root CA",
 			SerialNumber: "Namecoin TLS Certificate",
 		},
-		NotBefore: time.Now().Add(-1 * time.Hour),
+		NotBefore: time.Now().Add(-1 * ValidityShortTerm()),
 		NotAfter:  time.Now().Add(43800 * time.Hour),
 
 		IsCA: true,

diff --git a/generate_tld_ca.go b/generate_tld_ca.go
@@ -94,7 +94,7 @@ func GenerateTLDCA(domain string, parentDERBytes []byte, parentPrivateKey interf
 			CommonName: "." + domain + " TLD CA",
 			SerialNumber: "Namecoin TLS Certificate",
 		},
-		NotBefore: time.Now().Add(-1 * time.Hour),
+		NotBefore: time.Now().Add(-1 * ValidityShortTerm()),
 		NotAfter:  time.Now().Add(43800 * time.Hour),
 
 		IsCA: true,

diff --git a/generate_tld_exclusion_ca.go b/generate_tld_exclusion_ca.go
@@ -94,7 +94,7 @@ func GenerateTLDExclusionCA(domain string, parentDERBytes []byte, parentPrivateK
 			CommonName: "." + domain + " TLD Exclusion CA",
 			SerialNumber: "Namecoin TLS Certificate",
 		},
-		NotBefore: time.Now().Add(-1 * time.Hour),
+		NotBefore: time.Now().Add(-1 * ValidityShortTerm()),
 		NotAfter:  time.Now().Add(43800 * time.Hour),
 
 		IsCA: true,