`time.AddDate()` returns a negative value on 32-bit arches in the '2147483647
days' TestParseInvalidExpiry test case. `parseExpiry()` already checks for
large positive year values, but has no lower bound. For checks, years should
not be negative values — set a minimum value to return the correct error
message.
--- a/cmd/expiry.go
+++ b/cmd/expiry.go
@@ -51,8 +51,10 @@
 
 	// ASN.1 (encoding format used by SSL) only supports up to year 9999
 	// https://www.openssl.org/docs/man1.1.0/crypto/ASN1_TIME_check.html
-	if result.Year() > 9999 {
-		return now, fmt.Errorf("proposed date too far in to the future: %s. Expiry year must be less than or equal to 9999", result)
+	// Additionally set a minimum value to avoid integer overflow on AddDate
+	// https://github.com/golang/go/issues/20678
+	if result.Year() >= 9999 || result.Year() <= 0 {
+		return now, fmt.Errorf("proposed date too far in to the future: %s. Expiry year must be greater than or equal to 0 and less than or equal to 9999", result)
 	}
 
 	return result, nil