From: Mark N. <ma...@4n...> - 2016-03-22 19:34:17
Hi-

I am having an issue using the method described in https://www.ejbca.org/docs/userguide.html#Certificate Profile Fields to set a CA's expiry date to 9999-12-31 23:59:59+00:00 (undefined validity). I have set the cesecore.properties setting for ca.toolateexpiredate=9999-12-31 23:59:59+00:00, but if I try to create a CA with the same date, the following exception is thrown:

    org.cesecore.certificates.ca.IllegalValidityException: Requested expire date is not before the configured 'ca.toolateexpiredate'. Certificate expire date 'Fri Dec 31 23:59:59 UTC 9999'. ca.toolateexpiredate 'Fri Dec 31 23:59:59 UTC 9999'.

In looking at CertificateValidity.java, it seems to require the expiry date to be before (... !lastDate.before(CertificateValidity.tooLateExpireDate) ...) but does not consider the case where the dates may be equal.

Is there another method to specify an undefined validity as per RFC5280, or would it be appropriate to change the condition to something like:

    if ( !lastDate.before(CertificateValidity.tooLateExpireDate)
            && !lastDate.equals(CertificateValidity.tooLateExpireDate) ) {
        String msg = intres.getLocalizedMessage("createcert.errorbeyondtoolateexpiredate",
                lastDate.toString(), CertificateValidity.tooLateExpireDate.toString());
        log.info(msg);
        throw new IllegalValidityException(msg);
    }

Thank you!

Mark Nelson
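
Added example (not part of the original post and not EJBCA code): a stand-alone comparison of the strict check quoted above and the inclusive check proposed above, run against constructed expiry dates around the 9999-12-31 23:59:59+00:00 boundary. The class name, method names and the date format string are assumptions made for illustration.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

public class TooLateExpireDateBoundary {

    // Condition quoted in the post: anything not strictly before the limit is rejected.
    static boolean rejectedByStrictCheck(Date lastDate, Date tooLate) {
        return !lastDate.before(tooLate);
    }

    // Condition proposed in the post. For java.util.Date,
    // !before(x) && !equals(x) is the same as after(x).
    static boolean rejectedByInclusiveCheck(Date lastDate, Date tooLate) {
        return lastDate.after(tooLate);
    }

    // Assumed format, mirroring the property value shown in the post.
    static Date parse(String value) throws ParseException {
        SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd HH:mm:ssXXX");
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
        fmt.setLenient(false);
        return fmt.parse(value);
    }

    static void report(String label, Date lastDate, Date tooLate) {
        System.out.printf("%-28s strict=%-8s inclusive=%s%n", label,
                rejectedByStrictCheck(lastDate, tooLate) ? "REJECT" : "accept",
                rejectedByInclusiveCheck(lastDate, tooLate) ? "REJECT" : "accept");
    }

    public static void main(String[] args) throws ParseException {
        Date tooLate = parse("9999-12-31 23:59:59+00:00");

        // Constructed sample expiry dates around the boundary.
        report("one day before limit", parse("9999-12-30 23:59:59+00:00"), tooLate);
        report("equal to limit", parse("9999-12-31 23:59:59+00:00"), tooLate);
        // Date has millisecond resolution: a stray sub-second component
        // is already past the limit.
        report("limit + 500 ms", new Date(tooLate.getTime() + 500L), tooLate);
        report("limit + 1 s", new Date(tooLate.getTime() + 1000L), tooLate);
    }
}
```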