diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2016-11-29 16:58:06 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2016-11-30 16:41:06 +0900 |
commit | a277acf8d4536d212baf8820dc22eeb229bbf71d (patch) | |
tree | b0a178ad2097898af25bd6a546183445ac196175 /test/test_x509store.rb | |
parent | 27254de96db0c49bf11d8905f1d5bbc51e727093 (diff) | |
download | ruby-openssl-a277acf8d4536d212baf8820dc22eeb229bbf71d.tar.gz |
test: fix fragile test cases
Fix the fragile test cases that are sensitive to the difference between
Time.now.to_i and time(2).
When issuing test certificates, we are typically setting the current
time fetched by Time.now to the notBefore field. Time.now uses
clock_gettime(2) with CLOCK_REALTIME. On the other hand, OpenSSL uses
time(2) in its certificate verification code. On Linux/x86-64, time(2)
is implemented not to return the adjusted 'current time' like Time.now,
but to return the wall clock seconds at the last tick. This results in
that time(2) called later may return an earlier time, causing the
certificate verification to fail with 'certificate is not yet valid'
error.
So, create test certificates with notBefore<Time.now to avoid this.
Since it's awful to do "Time.now - 1" everywhere, make the notBefore and
notAfter fields optional with defaults with margin.
Diffstat (limited to 'test/test_x509store.rb')
-rw-r--r-- | test/test_x509store.rb | 28 |
1 files changed, 13 insertions, 15 deletions
diff --git a/test/test_x509store.rb b/test/test_x509store.rb index e0fa07ac..6ca80c86 100644 --- a/test/test_x509store.rb +++ b/test/test_x509store.rb @@ -34,7 +34,9 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase end def test_verify - now = Time.at(Time.now.to_i) + # OpenSSL uses time(2) while Time.now uses clock_gettime(CLOCK_REALTIME), + # and there may be difference. + now = Time.now - 3 ca_exts = [ ["basicConstraints","CA:TRUE",true], ["keyUsage","cRLSign,keyCertSign",true], @@ -42,18 +44,15 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase ee_exts = [ ["keyUsage","keyEncipherment,digitalSignature",true], ] - ca1_cert = issue_cert(@ca1, @rsa2048, 1, now, now+3600, ca_exts, - nil, nil, OpenSSL::Digest::SHA1.new) - ca2_cert = issue_cert(@ca2, @rsa1024, 2, now, now+1800, ca_exts, - ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new) - ee1_cert = issue_cert(@ee1, @dsa256, 10, now, now+1800, ee_exts, - ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) - ee2_cert = issue_cert(@ee2, @dsa512, 20, now, now+1800, ee_exts, - ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) - ee3_cert = issue_cert(@ee2, @dsa512, 30, now-100, now-1, ee_exts, - ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) - ee4_cert = issue_cert(@ee2, @dsa512, 40, now+1000, now+2000, ee_exts, - ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) + ca1_cert = issue_cert(@ca1, @rsa2048, 1, ca_exts, nil, nil) + ca2_cert = issue_cert(@ca2, @rsa1024, 2, ca_exts, ca1_cert, @rsa2048, + not_after: now+1800) + ee1_cert = issue_cert(@ee1, @dsa256, 10, ee_exts, ca2_cert, @rsa1024) + ee2_cert = issue_cert(@ee2, @dsa512, 20, ee_exts, ca2_cert, @rsa1024) + ee3_cert = issue_cert(@ee2, @dsa512, 30, ee_exts, ca2_cert, @rsa1024, + not_before: now-100, not_after: now-1) + ee4_cert = issue_cert(@ee2, @dsa512, 40, ee_exts, ca2_cert, @rsa1024, + not_before: now+1000, not_after: now+2000,) revoke_info = [] crl1 = issue_crl(revoke_info, 1, now, now+1800, [], @@ -195,8 +194,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase def test_set_errors now = Time.now - ca1_cert = issue_cert(@ca1, @rsa2048, 1, now, now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + ca1_cert = issue_cert(@ca1, @rsa2048, 1, [], nil, nil) store = OpenSSL::X509::Store.new store.add_cert(ca1_cert) assert_raise(OpenSSL::X509::StoreError){ |