Reduce maximum allowed valid authorization lifetime (#8648)

Although our config loading code ensured that we could never configure
Boulder to violate the Baseline Requirements (currently 398 days), it
did not ensure that we could not configure Boulder to violate our own
CP/CPS (90 days). Reduce the maximum allowed ValidAuthzLifetime to
prevent accidental violation of our CP/CPS.

Author: aarongable

ra/ra.go

@@ -318,20 +318,28 @@ func NewValidationProfiles(defaultName string, configs map[string]*ValidationPro
 	profiles := make(map[string]*validationProfile, len(configs))
 
 	for name, config := range configs {
-		// The Baseline Requirements v1.8.1 state that validation tokens "MUST
-		// NOT be used for more than 30 days from its creation". If unconfigured
-		// or the configured value pendingAuthorizationLifetimeDays is greater
-		// than 29 days, bail out.
+		// The Baseline Requirements v2.2.5 state that a validation token (Random
+		// Value) "MUST NOT be used more than 30 days from its creation". If
+		// unconfigured or the configured value pendingAuthorizationLifetimeDays is
+		// greater than 29 days, bail out.
 		if config.PendingAuthzLifetime.Duration <= 0 || config.PendingAuthzLifetime.Duration > 29*(24*time.Hour) {
 			return nil, fmt.Errorf("PendingAuthzLifetime value must be greater than 0 and less than 30d, but got %q", config.PendingAuthzLifetime.Duration)
 		}
 
-		// Baseline Requirements v1.8.1 section 4.2.1: "any reused data, document,
-		// or completed validation MUST be obtained no more than 398 days prior
-		// to issuing the Certificate". If unconfigured or the configured value is
-		// greater than 397 days, bail out.
-		if config.ValidAuthzLifetime.Duration <= 0 || config.ValidAuthzLifetime.Duration > 397*(24*time.Hour) {
-			return nil, fmt.Errorf("ValidAuthzLifetime value must be greater than 0 and less than 398d, but got %q", config.ValidAuthzLifetime.Duration)
+		// Baseline Requirements v2.2.5, Section 4.2.1: "any data, document, or
+		// completed validation used MUST be obtained within the maximum number of
+		// days prior to issuing the Certificate, as defined in the following...:
+		// 2026-03-15: 200 days; 2027-03-15: 100 days; 2029-03-15: 10 days"
+		//
+		// Our CP/CPS, v6.0, Section 4.2.1: "Certificate information is verified
+		// using data and documents obtained no more than 90 days prior to issuance
+		// of the Certificate."
+		//
+		// If unconfigured or the configured value is greater than 89 days, bail
+		// out.
+		// TODO before 2029-03-15: Update this to 9 days.
+		if config.ValidAuthzLifetime.Duration <= 0 || config.ValidAuthzLifetime.Duration > 89*(24*time.Hour) {
+			return nil, fmt.Errorf("ValidAuthzLifetime value must be greater than 0 and less than 89d, but got %q", config.ValidAuthzLifetime.Duration)
 		}
 
 		if config.MaxNames <= 0 || config.MaxNames > 100 {

ra/ra_test.go

@@ -368,16 +368,16 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, sapb.StorageAutho
 	testKeyPolicy, err := goodkey.NewPolicy(nil, nil)
 	test.AssertNotError(t, err, "making keypolicy")
 
-	profiles := &validationProfiles{
-		defaultName: "test",
-		byName: map[string]*validationProfile{"test": {
-			pendingAuthzLifetime: 7 * 24 * time.Hour,
-			validAuthzLifetime:   300 * 24 * time.Hour,
-			orderLifetime:        7 * 24 * time.Hour,
-			maxNames:             100,
-			identifierTypes:      []identifier.IdentifierType{identifier.TypeDNS},
-		}},
-	}
+	profiles, err := NewValidationProfiles("test", map[string]*ValidationProfileConfig{
+		"test": {
+			PendingAuthzLifetime: config.Duration{Duration: 7 * 24 * time.Hour},
+			ValidAuthzLifetime:   config.Duration{Duration: 30 * 24 * time.Hour},
+			OrderLifetime:        config.Duration{Duration: 7 * 24 * time.Hour},
+			MaxNames:             100,
+			IdentifierTypes:      []identifier.IdentifierType{identifier.TypeDNS},
+		},
+	})
+	test.AssertNotError(t, err, "making validation profiles")
 
 	ra := NewRegistrationAuthorityImpl(
 		fc, log, stats,