diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2016-11-29 16:58:06 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2016-11-30 16:41:06 +0900 |
commit | a277acf8d4536d212baf8820dc22eeb229bbf71d (patch) | |
tree | b0a178ad2097898af25bd6a546183445ac196175 /test/test_pkcs12.rb | |
parent | 27254de96db0c49bf11d8905f1d5bbc51e727093 (diff) | |
download | ruby-openssl-a277acf8d4536d212baf8820dc22eeb229bbf71d.tar.gz |
test: fix fragile test cases
Fix the fragile test cases that are sensitive to the difference between
Time.now.to_i and time(2).
When issuing test certificates, we are typically setting the current
time fetched by Time.now to the notBefore field. Time.now uses
clock_gettime(2) with CLOCK_REALTIME. On the other hand, OpenSSL uses
time(2) in its certificate verification code. On Linux/x86-64, time(2)
is implemented not to return the adjusted 'current time' like Time.now,
but to return the wall clock seconds at the last tick. This results in
that time(2) called later may return an earlier time, causing the
certificate verification to fail with 'certificate is not yet valid'
error.
So, create test certificates with notBefore<Time.now to avoid this.
Since it's awful to do "Time.now - 1" everywhere, make the notBefore and
notAfter fields optional with defaults with margin.
Diffstat (limited to 'test/test_pkcs12.rb')
-rw-r--r-- | test/test_pkcs12.rb | 13 |
1 files changed, 3 insertions, 10 deletions
diff --git a/test/test_pkcs12.rb b/test/test_pkcs12.rb index 4f2544df..8c9147a9 100644 --- a/test/test_pkcs12.rb +++ b/test/test_pkcs12.rb @@ -9,17 +9,13 @@ module OpenSSL def setup ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") - - now = Time.now ca_exts = [ ["basicConstraints","CA:TRUE",true], ["keyUsage","keyCertSign, cRLSign",true], ["subjectKeyIdentifier","hash",false], ["authorityKeyIdentifier","keyid:always",false], ] - - @cacert = issue_cert(ca, TEST_KEY_RSA2048, 1, now, now+3600, ca_exts, - nil, nil, OpenSSL::Digest::SHA1.new) + @cacert = issue_cert(ca, TEST_KEY_RSA2048, 1, ca_exts, nil, nil) inter_ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Intermediate CA") inter_ca_key = OpenSSL::PKey.read <<-_EOS_ @@ -39,17 +35,14 @@ FJx7d3f29gkzynCLJDkCQGQZlEZJC4vWmWJGRKJ24P6MyQn3VsPfErSKOg4lvyM3 Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= -----END RSA PRIVATE KEY----- _EOS_ - - @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, now, now+3600, ca_exts, - @cacert, TEST_KEY_RSA2048, OpenSSL::Digest::SHA1.new) + @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, TEST_KEY_RSA2048) exts = [ ["keyUsage","digitalSignature",true], ["subjectKeyIdentifier","hash",false], ] ee = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Ruby PKCS12 Test Certificate") - @mycert = issue_cert(ee, TEST_KEY_RSA1024, 3, now, now+3600, exts, - @inter_cacert, inter_ca_key, OpenSSL::Digest::SHA1.new) + @mycert = issue_cert(ee, TEST_KEY_RSA1024, 3, exts, @inter_cacert, inter_ca_key) end def test_create |