diff options
-rw-r--r-- | test/test_asn1.rb | 2 | ||||
-rw-r--r-- | test/test_ocsp.rb | 11 | ||||
-rw-r--r-- | test/test_pkcs12.rb | 13 | ||||
-rw-r--r-- | test/test_pkcs7.rb | 10 | ||||
-rw-r--r-- | test/test_ssl.rb | 12 | ||||
-rw-r--r-- | test/test_x509cert.rb | 83 | ||||
-rw-r--r-- | test/test_x509crl.rb | 18 | ||||
-rw-r--r-- | test/test_x509store.rb | 28 | ||||
-rw-r--r-- | test/utils.rb | 17 |
9 files changed, 66 insertions, 128 deletions
diff --git a/test/test_asn1.rb b/test/test_asn1.rb index ed0013c4..3a435414 100644 --- a/test/test_asn1.rb +++ b/test/test_asn1.rb @@ -14,7 +14,7 @@ class OpenSSL::TestASN1 < OpenSSL::TestCase ] dgst = OpenSSL::Digest::SHA1.new cert = OpenSSL::TestUtils.issue_cert( - subj, key, s, now, now+3600, exts, nil, nil, dgst) + subj, key, s, exts, nil, nil, digest: dgst, not_before: now, not_after: now+3600) asn1 = OpenSSL::ASN1.decode(cert) diff --git a/test/test_ocsp.rb b/test/test_ocsp.rb index a69fd60f..82d83d56 100644 --- a/test/test_ocsp.rb +++ b/test/test_ocsp.rb @@ -5,9 +5,6 @@ if defined?(OpenSSL::TestUtils) class OpenSSL::TestOCSP < OpenSSL::TestCase def setup - now = Time.at(Time.now.to_i) # suppress usec - dgst = OpenSSL::Digest::SHA1.new - # @ca_cert # | # @cert @@ -21,7 +18,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase ["keyUsage", "cRLSign,keyCertSign", true], ] @ca_cert = OpenSSL::TestUtils.issue_cert( - ca_subj, @ca_key, 1, now, now+3600, ca_exts, nil, nil, dgst) + ca_subj, @ca_key, 1, ca_exts, nil, nil) cert_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA2") @cert_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 @@ -30,14 +27,14 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase ["keyUsage", "cRLSign,keyCertSign", true], ] @cert = OpenSSL::TestUtils.issue_cert( - cert_subj, @cert_key, 5, now, now+3600, cert_exts, @ca_cert, @ca_key, dgst) + cert_subj, @cert_key, 5, cert_exts, @ca_cert, @ca_key) cert2_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert") @cert2_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 cert2_exts = [ ] @cert2 = OpenSSL::TestUtils.issue_cert( - cert2_subj, @cert2_key, 10, now, now+3600, cert2_exts, @cert, @cert_key, dgst) + cert2_subj, @cert2_key, 10, cert2_exts, @cert, @cert_key) ocsp_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCAOCSP") @ocsp_key = OpenSSL::TestUtils::TEST_KEY_RSA2048 @@ -45,7 +42,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase ["extendedKeyUsage", "OCSPSigning", true], ] @ocsp_cert = OpenSSL::TestUtils.issue_cert( - ocsp_subj, @ocsp_key, 100, now, now+3600, ocsp_exts, @cert, @cert_key, "SHA256") + ocsp_subj, @ocsp_key, 100, ocsp_exts, @cert, @cert_key) end def test_new_certificate_id diff --git a/test/test_pkcs12.rb b/test/test_pkcs12.rb index 4f2544df..8c9147a9 100644 --- a/test/test_pkcs12.rb +++ b/test/test_pkcs12.rb @@ -9,17 +9,13 @@ module OpenSSL def setup ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") - - now = Time.now ca_exts = [ ["basicConstraints","CA:TRUE",true], ["keyUsage","keyCertSign, cRLSign",true], ["subjectKeyIdentifier","hash",false], ["authorityKeyIdentifier","keyid:always",false], ] - - @cacert = issue_cert(ca, TEST_KEY_RSA2048, 1, now, now+3600, ca_exts, - nil, nil, OpenSSL::Digest::SHA1.new) + @cacert = issue_cert(ca, TEST_KEY_RSA2048, 1, ca_exts, nil, nil) inter_ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Intermediate CA") inter_ca_key = OpenSSL::PKey.read <<-_EOS_ @@ -39,17 +35,14 @@ FJx7d3f29gkzynCLJDkCQGQZlEZJC4vWmWJGRKJ24P6MyQn3VsPfErSKOg4lvyM3 Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= -----END RSA PRIVATE KEY----- _EOS_ - - @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, now, now+3600, ca_exts, - @cacert, TEST_KEY_RSA2048, OpenSSL::Digest::SHA1.new) + @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, TEST_KEY_RSA2048) exts = [ ["keyUsage","digitalSignature",true], ["subjectKeyIdentifier","hash",false], ] ee = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Ruby PKCS12 Test Certificate") - @mycert = issue_cert(ee, TEST_KEY_RSA1024, 3, now, now+3600, exts, - @inter_cacert, inter_ca_key, OpenSSL::Digest::SHA1.new) + @mycert = issue_cert(ee, TEST_KEY_RSA1024, 3, exts, @inter_cacert, inter_ca_key) end def test_create diff --git a/test/test_pkcs7.rb b/test/test_pkcs7.rb index def4910c..b7b75202 100644 --- a/test/test_pkcs7.rb +++ b/test/test_pkcs7.rb @@ -11,24 +11,20 @@ class OpenSSL::TestPKCS7 < OpenSSL::TestCase ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1") ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2") - now = Time.now ca_exts = [ ["basicConstraints","CA:TRUE",true], ["keyUsage","keyCertSign, cRLSign",true], ["subjectKeyIdentifier","hash",false], ["authorityKeyIdentifier","keyid:always",false], ] - @ca_cert = issue_cert(ca, @rsa2048, 1, now, now+3600, ca_exts, - nil, nil, OpenSSL::Digest::SHA1.new) + @ca_cert = issue_cert(ca, @rsa2048, 1, ca_exts, nil, nil) ee_exts = [ ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true], ["authorityKeyIdentifier","keyid:always",false], ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false], ] - @ee1_cert = issue_cert(ee1, @rsa1024, 2, now, now+1800, ee_exts, - @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new) - @ee2_cert = issue_cert(ee2, @rsa1024, 3, now, now+1800, ee_exts, - @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new) + @ee1_cert = issue_cert(ee1, @rsa1024, 2, ee_exts, @ca_cert, @rsa2048) + @ee2_cert = issue_cert(ee2, @rsa1024, 3, ee_exts, @ca_cert, @rsa2048) end def issue_cert(*args) diff --git a/test/test_ssl.rb b/test/test_ssl.rb index ccdbf8e1..8d74f25f 100644 --- a/test/test_ssl.rb +++ b/test/test_ssl.rb @@ -394,14 +394,12 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase } } - now = Time.now exts = [ ["keyUsage","keyEncipherment,digitalSignature",true], ["subjectAltName","DNS:localhost.localdomain",false], ["subjectAltName","IP:127.0.0.1",false], ] - @svr_cert = issue_cert(@svr, @svr_key, 4, now, now+1800, exts, - @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new) + @svr_cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key) start_server { |server, port| server_connect(port) { |ssl| assert(ssl.post_connection_check("localhost.localdomain")) @@ -417,13 +415,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase } } - now = Time.now exts = [ ["keyUsage","keyEncipherment,digitalSignature",true], ["subjectAltName","DNS:*.localdomain",false], ] - @svr_cert = issue_cert(@svr, @svr_key, 5, now, now+1800, exts, - @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new) + @svr_cert = issue_cert(@svr, @svr_key, 5, exts, @ca_cert, @ca_key) start_server { |server, port| server_connect(port) { |ssl| assert(ssl.post_connection_check("localhost.localdomain")) @@ -711,14 +707,12 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase def test_verify_hostname_on_connect ctx_proc = proc { |ctx| - now = Time.now exts = [ ["keyUsage", "keyEncipherment,digitalSignature", true], ["subjectAltName", "DNS:a.example.com,DNS:*.b.example.com," \ "DNS:c*.example.com,DNS:d.*.example.com"], ] - ctx.cert = issue_cert(@svr, @svr_key, 4, now, now+1800, exts, - @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new) + ctx.cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key) ctx.key = @svr_key } diff --git a/test/test_x509cert.rb b/test/test_x509cert.rb index 269d0172..fb757c44 100644 --- a/test/test_x509cert.rb +++ b/test/test_x509cert.rb @@ -11,7 +11,6 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512 @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1") - @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2") end def issue_cert(*args) @@ -20,8 +19,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase def test_serial [1, 2**32, 2**100].each{|s| - cert = issue_cert(@ca, @rsa2048, s, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, s, [], nil, nil) assert_equal(s, cert.serial) cert = OpenSSL::X509::Certificate.new(cert.to_der) assert_equal(s, cert.serial) @@ -41,8 +39,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase [ [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dsa_digest], [@dsa512, dsa_digest] ].each{|pk, digest| - cert = issue_cert(@ca, pk, 1, Time.now, Time.now+3600, exts, - nil, nil, digest) + cert = issue_cert(@ca, pk, 1, exts, nil, nil, digest: digest) assert_equal(cert.extensions.sort_by(&:to_s)[2].value, OpenSSL::TestUtils.get_subject_key_id(cert)) cert = OpenSSL::X509::Certificate.new(cert.to_der) @@ -52,27 +49,27 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase end def test_validity - now = Time.now until now && now.usec != 0 - cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) - assert_not_equal(now, cert.not_before) - assert_not_equal(now+3600, cert.not_after) + now = Time.at(Time.now.to_i + 0.9) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, + not_before: now, not_after: now+3600) + assert_equal(Time.at(now.to_i), cert.not_before) + assert_equal(Time.at(now.to_i+3600), cert.not_after) now = Time.at(now.to_i) - cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, + not_before: now, not_after: now+3600) assert_equal(now.getutc, cert.not_before) assert_equal((now+3600).getutc, cert.not_after) now = Time.at(0) - cert = issue_cert(@ca, @rsa2048, 1, now, now, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, + not_before: now, not_after: now) assert_equal(now.getutc, cert.not_before) assert_equal(now.getutc, cert.not_after) now = Time.at(0x7fffffff) - cert = issue_cert(@ca, @rsa2048, 1, now, now, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, + not_before: now, not_after: now) assert_equal(now.getutc, cert.not_before) assert_equal(now.getutc, cert.not_after) end @@ -84,8 +81,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase ["subjectKeyIdentifier","hash",false], ["authorityKeyIdentifier","keyid:always",false], ] - ca_cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, ca_exts, - nil, nil, OpenSSL::Digest::SHA1.new) + ca_cert = issue_cert(@ca, @rsa2048, 1, ca_exts, nil, nil) ca_cert.extensions.each_with_index{|ext, i| assert_equal(ca_exts[i].first, ext.oid) assert_equal(ca_exts[i].last, ext.critical?) @@ -98,34 +94,16 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false], ["subjectAltName","email:ee1@ruby-lang.org",false], ] - ee1_cert = issue_cert(@ee1, @rsa1024, 2, Time.now, Time.now+1800, ee1_exts, - ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new) + ee1_cert = issue_cert(@ee1, @rsa1024, 2, ee1_exts, ca_cert, @rsa2048) assert_equal(ca_cert.subject.to_der, ee1_cert.issuer.to_der) ee1_cert.extensions.each_with_index{|ext, i| assert_equal(ee1_exts[i].first, ext.oid) assert_equal(ee1_exts[i].last, ext.critical?) } - - ee2_exts = [ - ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true], - ["subjectKeyIdentifier","hash",false], - ["authorityKeyIdentifier","issuer:always",false], - ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false], - ["subjectAltName","email:ee2@ruby-lang.org",false], - ] - ee2_cert = issue_cert(@ee2, @rsa1024, 3, Time.now, Time.now+1800, ee2_exts, - ca_cert, @rsa2048, OpenSSL::Digest::MD5.new) - assert_equal(ca_cert.subject.to_der, ee2_cert.issuer.to_der) - ee2_cert.extensions.each_with_index{|ext, i| - assert_equal(ee2_exts[i].first, ext.oid) - assert_equal(ee2_exts[i].last, ext.critical?) - } - end def test_sign_and_verify_rsa_sha1 - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: "sha1") assert_equal(false, cert.verify(@rsa1024)) assert_equal(true, cert.verify(@rsa2048)) assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) }) @@ -135,8 +113,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase end def test_sign_and_verify_rsa_md5 - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::MD5.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: "md5") assert_equal(false, cert.verify(@rsa1024)) assert_equal(true, cert.verify(@rsa2048)) @@ -148,8 +125,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase end def test_sign_and_verify_dsa - cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) + cert = issue_cert(@ca, @dsa512, 1, [], nil, nil) assert_equal(false, certificate_error_returns_false { cert.verify(@rsa1024) }) assert_equal(false, certificate_error_returns_false { cert.verify(@rsa2048) }) assert_equal(false, cert.verify(@dsa256)) @@ -159,8 +135,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase end def test_sign_and_verify_rsa_dss1 - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::DSS1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: OpenSSL::Digest::DSS1.new) assert_equal(false, cert.verify(@rsa1024)) assert_equal(true, cert.verify(@rsa2048)) assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) }) @@ -172,27 +147,19 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase def test_sign_and_verify_dsa_md5 assert_raise(OpenSSL::X509::CertificateError){ - issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::MD5.new) + issue_cert(@ca, @dsa512, 1, [], nil, nil, digest: "md5") } end def test_dsig_algorithm_mismatch assert_raise(OpenSSL::X509::CertificateError) do - issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::DSS1.new) + issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: OpenSSL::Digest::DSS1.new) end if OpenSSL::OPENSSL_VERSION_NUMBER < 0x10001000 # [ruby-core:42949] - - assert_raise(OpenSSL::X509::CertificateError) do - issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::MD5.new) - end end def test_dsa_with_sha2 begin - cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA256.new) + cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha256") assert_equal("dsa_with_SHA256", cert.signature_algorithm) rescue OpenSSL::X509::CertificateError # dsa_with_sha2 not supported. skip following test. @@ -201,14 +168,12 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase # TODO: need more tests for dsa + sha2 # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requires DSS1) - cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha1") assert_equal("dsaWithSHA1", cert.signature_algorithm) end if defined?(OpenSSL::Digest::SHA256) def test_check_private_key - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) assert_equal(true, cert.check_private_key(@rsa2048)) end diff --git a/test/test_x509crl.rb b/test/test_x509crl.rb index cd1ccc98..f61de971 100644 --- a/test/test_x509crl.rb +++ b/test/test_x509crl.rb @@ -25,8 +25,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase def test_basic now = Time.at(Time.now.to_i) - cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) crl = issue_crl([], 1, now, now+1600, [], cert, @rsa2048, OpenSSL::Digest::SHA1.new) assert_equal(1, crl.version) @@ -63,8 +62,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase [4, now, 4], [5, now, 5], ] - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [], cert, @rsa2048, OpenSSL::Digest::SHA1.new) revoked = crl.revoked @@ -131,8 +129,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase ["issuerAltName", "issuer:copy", false], ] - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, cert_exts, - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, cert_exts, nil, nil) crl = issue_crl([], 1, Time.now, Time.now+1600, crl_exts, cert, @rsa2048, OpenSSL::Digest::SHA1.new) exts = crl.extensions @@ -168,8 +165,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase end def test_crlnumber - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, @rsa2048, OpenSSL::Digest::SHA1.new) assert_match(1.to_s, crl.extensions[0].value) @@ -187,8 +183,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase end def test_sign_and_verify - cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, @rsa2048, OpenSSL::Digest::SHA1.new) assert_equal(false, crl.verify(@rsa1024)) @@ -198,8 +193,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase crl.version = 0 assert_equal(false, crl.verify(@rsa2048)) - cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) + cert = issue_cert(@ca, @dsa512, 1, [], nil, nil) crl = issue_crl([], 1, Time.now, Time.now+1600, [], cert, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) }) diff --git a/test/test_x509store.rb b/test/test_x509store.rb index e0fa07ac..6ca80c86 100644 --- a/test/test_x509store.rb +++ b/test/test_x509store.rb @@ -34,7 +34,9 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase end def test_verify - now = Time.at(Time.now.to_i) + # OpenSSL uses time(2) while Time.now uses clock_gettime(CLOCK_REALTIME), + # and there may be difference. + now = Time.now - 3 ca_exts = [ ["basicConstraints","CA:TRUE",true], ["keyUsage","cRLSign,keyCertSign",true], @@ -42,18 +44,15 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase ee_exts = [ ["keyUsage","keyEncipherment,digitalSignature",true], ] - ca1_cert = issue_cert(@ca1, @rsa2048, 1, now, now+3600, ca_exts, - nil, nil, OpenSSL::Digest::SHA1.new) - ca2_cert = issue_cert(@ca2, @rsa1024, 2, now, now+1800, ca_exts, - ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new) - ee1_cert = issue_cert(@ee1, @dsa256, 10, now, now+1800, ee_exts, - ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) - ee2_cert = issue_cert(@ee2, @dsa512, 20, now, now+1800, ee_exts, - ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) - ee3_cert = issue_cert(@ee2, @dsa512, 30, now-100, now-1, ee_exts, - ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) - ee4_cert = issue_cert(@ee2, @dsa512, 40, now+1000, now+2000, ee_exts, - ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) + ca1_cert = issue_cert(@ca1, @rsa2048, 1, ca_exts, nil, nil) + ca2_cert = issue_cert(@ca2, @rsa1024, 2, ca_exts, ca1_cert, @rsa2048, + not_after: now+1800) + ee1_cert = issue_cert(@ee1, @dsa256, 10, ee_exts, ca2_cert, @rsa1024) + ee2_cert = issue_cert(@ee2, @dsa512, 20, ee_exts, ca2_cert, @rsa1024) + ee3_cert = issue_cert(@ee2, @dsa512, 30, ee_exts, ca2_cert, @rsa1024, + not_before: now-100, not_after: now-1) + ee4_cert = issue_cert(@ee2, @dsa512, 40, ee_exts, ca2_cert, @rsa1024, + not_before: now+1000, not_after: now+2000,) revoke_info = [] crl1 = issue_crl(revoke_info, 1, now, now+1800, [], @@ -195,8 +194,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase def test_set_errors now = Time.now - ca1_cert = issue_cert(@ca1, @rsa2048, 1, now, now+3600, [], - nil, nil, OpenSSL::Digest::SHA1.new) + ca1_cert = issue_cert(@ca1, @rsa2048, 1, [], nil, nil) store = OpenSSL::X509::Store.new store.add_cert(ca1_cert) assert_raise(OpenSSL::X509::StoreError){ diff --git a/test/utils.rb b/test/utils.rb index 0016f5c7..43ecd79e 100644 --- a/test/utils.rb +++ b/test/utils.rb @@ -130,8 +130,8 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC module_function - def issue_cert(dn, key, serial, not_before, not_after, extensions, - issuer, issuer_key, digest) + def issue_cert(dn, key, serial, extensions, issuer, issuer_key, + not_before: nil, not_after: nil, digest: nil) cert = OpenSSL::X509::Certificate.new issuer = cert unless issuer issuer_key = key unless issuer_key @@ -140,14 +140,16 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC cert.subject = dn cert.issuer = issuer.subject cert.public_key = key.public_key - cert.not_before = not_before - cert.not_after = not_after + now = Time.now + cert.not_before = not_before || now - 3600 + cert.not_after = not_after || now + 3600 ef = OpenSSL::X509::ExtensionFactory.new ef.subject_certificate = cert ef.issuer_certificate = issuer extensions.each{|oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) } + digest ||= OpenSSL::PKey::DSA === issuer_key ? DSA_SIGNATURE_DIGEST.new : "sha256" cert.sign(issuer_key, digest) cert end @@ -216,7 +218,6 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") @svr = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost") @cli = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost") - now = Time.at(Time.now.to_i) ca_exts = [ ["basicConstraints","CA:TRUE",true], ["keyUsage","cRLSign,keyCertSign",true], @@ -224,9 +225,9 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC ee_exts = [ ["keyUsage","keyEncipherment,digitalSignature",true], ] - @ca_cert = issue_cert(@ca, @ca_key, 1, now, now+3600, ca_exts, nil, nil, OpenSSL::Digest::SHA1.new) - @svr_cert = issue_cert(@svr, @svr_key, 2, now, now+1800, ee_exts, @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new) - @cli_cert = issue_cert(@cli, @cli_key, 3, now, now+1800, ee_exts, @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new) + @ca_cert = issue_cert(@ca, @ca_key, 1, ca_exts, nil, nil) + @svr_cert = issue_cert(@svr, @svr_key, 2, ee_exts, @ca_cert, @ca_key) + @cli_cert = issue_cert(@cli, @cli_key, 3, ee_exts, @ca_cert, @ca_key) @server = nil end |