diff options
| author | Kazuki Yamaguchi <k@rhe.jp> | 2016-11-29 16:58:06 +0900 |
|---|---|---|
| committer | Kazuki Yamaguchi <k@rhe.jp> | 2016-11-30 16:41:06 +0900 |
| commit | a277acf8d4536d212baf8820dc22eeb229bbf71d (patch) | |
| tree | b0a178ad2097898af25bd6a546183445ac196175 /test/test_ocsp.rb | |
| parent | 27254de96db0c49bf11d8905f1d5bbc51e727093 (diff) | |
| download | ruby-openssl-a277acf8d4536d212baf8820dc22eeb229bbf71d.tar.gz | |
test: fix fragile test cases
Fix the fragile test cases that are sensitive to the difference between
Time.now.to_i and time(2).
When issuing test certificates, we are typically setting the current
time fetched by Time.now to the notBefore field. Time.now uses
clock_gettime(2) with CLOCK_REALTIME. On the other hand, OpenSSL uses
time(2) in its certificate verification code. On Linux/x86-64, time(2)
is implemented not to return the adjusted 'current time' like Time.now,
but to return the wall clock seconds at the last tick. This results in
that time(2) called later may return an earlier time, causing the
certificate verification to fail with 'certificate is not yet valid'
error.
So, create test certificates with notBefore<Time.now to avoid this.
Since it's awful to do "Time.now - 1" everywhere, make the notBefore and
notAfter fields optional with defaults with margin.
Diffstat (limited to 'test/test_ocsp.rb')
| -rw-r--r-- | test/test_ocsp.rb | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/test/test_ocsp.rb b/test/test_ocsp.rb index a69fd60f..82d83d56 100644 --- a/test/test_ocsp.rb +++ b/test/test_ocsp.rb @@ -5,9 +5,6 @@ if defined?(OpenSSL::TestUtils) class OpenSSL::TestOCSP < OpenSSL::TestCase def setup - now = Time.at(Time.now.to_i) # suppress usec - dgst = OpenSSL::Digest::SHA1.new - # @ca_cert # | # @cert @@ -21,7 +18,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase ["keyUsage", "cRLSign,keyCertSign", true], ] @ca_cert = OpenSSL::TestUtils.issue_cert( - ca_subj, @ca_key, 1, now, now+3600, ca_exts, nil, nil, dgst) + ca_subj, @ca_key, 1, ca_exts, nil, nil) cert_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA2") @cert_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 @@ -30,14 +27,14 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase ["keyUsage", "cRLSign,keyCertSign", true], ] @cert = OpenSSL::TestUtils.issue_cert( - cert_subj, @cert_key, 5, now, now+3600, cert_exts, @ca_cert, @ca_key, dgst) + cert_subj, @cert_key, 5, cert_exts, @ca_cert, @ca_key) cert2_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert") @cert2_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 cert2_exts = [ ] @cert2 = OpenSSL::TestUtils.issue_cert( - cert2_subj, @cert2_key, 10, now, now+3600, cert2_exts, @cert, @cert_key, dgst) + cert2_subj, @cert2_key, 10, cert2_exts, @cert, @cert_key) ocsp_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCAOCSP") @ocsp_key = OpenSSL::TestUtils::TEST_KEY_RSA2048 @@ -45,7 +42,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase ["extendedKeyUsage", "OCSPSigning", true], ] @ocsp_cert = OpenSSL::TestUtils.issue_cert( - ocsp_subj, @ocsp_key, 100, now, now+3600, ocsp_exts, @cert, @cert_key, "SHA256") + ocsp_subj, @ocsp_key, 100, ocsp_exts, @cert, @cert_key) end def test_new_certificate_id |