From a277acf8d4536d212baf8820dc22eeb229bbf71d Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Tue, 29 Nov 2016 16:58:06 +0900
Subject: test: fix fragile test cases

Fix the fragile test cases that are sensitive to the difference between
Time.now.to_i and time(2).

When issuing test certificates, we are typically setting the current
time fetched by Time.now to the notBefore field. Time.now uses
clock_gettime(2) with CLOCK_REALTIME. On the other hand, OpenSSL uses
time(2) in its certificate verification code. On Linux/x86-64, time(2)
is implemented not to return the adjusted 'current time' like Time.now,
but to return the wall clock seconds at the last tick. This results in
that time(2) called later may return an earlier time, causing the
certificate verification to fail with 'certificate is not yet valid'
error.

So, create test certificates with notBefore<Time.now to avoid this.
Since it's awful to do "Time.now - 1" everywhere, make the notBefore and
notAfter fields optional with defaults with margin.
---
 test/test_asn1.rb      |  2 +-
 test/test_ocsp.rb      | 11 +++----
 test/test_pkcs12.rb    | 13 ++------
 test/test_pkcs7.rb     | 10 ++----
 test/test_ssl.rb       | 12 ++------
 test/test_x509cert.rb  | 83 +++++++++++++++-----------------------------------
 test/test_x509crl.rb   | 18 ++++-------
 test/test_x509store.rb | 28 ++++++++---------
 test/utils.rb          | 17 ++++++-----
 9 files changed, 66 insertions(+), 128 deletions(-)

diff --git a/test/test_asn1.rb b/test/test_asn1.rb
index ed0013c4..3a435414 100644
--- a/test/test_asn1.rb
+++ b/test/test_asn1.rb
@@ -14,7 +14,7 @@ class  OpenSSL::TestASN1 < OpenSSL::TestCase
     ]
     dgst = OpenSSL::Digest::SHA1.new
     cert = OpenSSL::TestUtils.issue_cert(
-      subj, key, s, now, now+3600, exts, nil, nil, dgst)
+      subj, key, s, exts, nil, nil, digest: dgst, not_before: now, not_after: now+3600)
 
 
     asn1 = OpenSSL::ASN1.decode(cert)
diff --git a/test/test_ocsp.rb b/test/test_ocsp.rb
index a69fd60f..82d83d56 100644
--- a/test/test_ocsp.rb
+++ b/test/test_ocsp.rb
@@ -5,9 +5,6 @@ if defined?(OpenSSL::TestUtils)
 
 class OpenSSL::TestOCSP < OpenSSL::TestCase
   def setup
-    now = Time.at(Time.now.to_i) # suppress usec
-    dgst = OpenSSL::Digest::SHA1.new
-
     # @ca_cert
     #   |
     # @cert
@@ -21,7 +18,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
       ["keyUsage", "cRLSign,keyCertSign", true],
     ]
     @ca_cert = OpenSSL::TestUtils.issue_cert(
-       ca_subj, @ca_key, 1, now, now+3600, ca_exts, nil, nil, dgst)
+      ca_subj, @ca_key, 1, ca_exts, nil, nil)
 
     cert_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA2")
     @cert_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
@@ -30,14 +27,14 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
       ["keyUsage", "cRLSign,keyCertSign", true],
     ]
     @cert = OpenSSL::TestUtils.issue_cert(
-       cert_subj, @cert_key, 5, now, now+3600, cert_exts, @ca_cert, @ca_key, dgst)
+      cert_subj, @cert_key, 5, cert_exts, @ca_cert, @ca_key)
 
     cert2_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert")
     @cert2_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
     cert2_exts = [
     ]
     @cert2 = OpenSSL::TestUtils.issue_cert(
-       cert2_subj, @cert2_key, 10, now, now+3600, cert2_exts, @cert, @cert_key, dgst)
+      cert2_subj, @cert2_key, 10, cert2_exts, @cert, @cert_key)
 
     ocsp_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCAOCSP")
     @ocsp_key = OpenSSL::TestUtils::TEST_KEY_RSA2048
@@ -45,7 +42,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase
       ["extendedKeyUsage", "OCSPSigning", true],
     ]
     @ocsp_cert = OpenSSL::TestUtils.issue_cert(
-       ocsp_subj, @ocsp_key, 100, now, now+3600, ocsp_exts, @cert, @cert_key, "SHA256")
+       ocsp_subj, @ocsp_key, 100, ocsp_exts, @cert, @cert_key)
   end
 
   def test_new_certificate_id
diff --git a/test/test_pkcs12.rb b/test/test_pkcs12.rb
index 4f2544df..8c9147a9 100644
--- a/test/test_pkcs12.rb
+++ b/test/test_pkcs12.rb
@@ -9,17 +9,13 @@ module OpenSSL
 
     def setup
       ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
-
-      now = Time.now
       ca_exts = [
         ["basicConstraints","CA:TRUE",true],
         ["keyUsage","keyCertSign, cRLSign",true],
         ["subjectKeyIdentifier","hash",false],
         ["authorityKeyIdentifier","keyid:always",false],
       ]
-
-      @cacert = issue_cert(ca, TEST_KEY_RSA2048, 1, now, now+3600, ca_exts,
-                            nil, nil, OpenSSL::Digest::SHA1.new)
+      @cacert = issue_cert(ca, TEST_KEY_RSA2048, 1, ca_exts, nil, nil)
 
       inter_ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Intermediate CA")
       inter_ca_key = OpenSSL::PKey.read <<-_EOS_
@@ -39,17 +35,14 @@ FJx7d3f29gkzynCLJDkCQGQZlEZJC4vWmWJGRKJ24P6MyQn3VsPfErSKOg4lvyM3
 Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
 -----END RSA PRIVATE KEY-----
       _EOS_
-
-      @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, now, now+3600, ca_exts,
-                                 @cacert, TEST_KEY_RSA2048, OpenSSL::Digest::SHA1.new)
+      @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, TEST_KEY_RSA2048)
 
       exts = [
         ["keyUsage","digitalSignature",true],
         ["subjectKeyIdentifier","hash",false],
       ]
       ee = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Ruby PKCS12 Test Certificate")
-      @mycert = issue_cert(ee, TEST_KEY_RSA1024, 3, now, now+3600, exts,
-                           @inter_cacert, inter_ca_key, OpenSSL::Digest::SHA1.new)
+      @mycert = issue_cert(ee, TEST_KEY_RSA1024, 3, exts, @inter_cacert, inter_ca_key)
     end
 
     def test_create
diff --git a/test/test_pkcs7.rb b/test/test_pkcs7.rb
index def4910c..b7b75202 100644
--- a/test/test_pkcs7.rb
+++ b/test/test_pkcs7.rb
@@ -11,24 +11,20 @@ class OpenSSL::TestPKCS7 < OpenSSL::TestCase
     ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
     ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
 
-    now = Time.now
     ca_exts = [
       ["basicConstraints","CA:TRUE",true],
       ["keyUsage","keyCertSign, cRLSign",true],
       ["subjectKeyIdentifier","hash",false],
       ["authorityKeyIdentifier","keyid:always",false],
     ]
-    @ca_cert = issue_cert(ca, @rsa2048, 1, now, now+3600, ca_exts,
-                           nil, nil, OpenSSL::Digest::SHA1.new)
+    @ca_cert = issue_cert(ca, @rsa2048, 1, ca_exts, nil, nil)
     ee_exts = [
       ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
       ["authorityKeyIdentifier","keyid:always",false],
       ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
     ]
-    @ee1_cert = issue_cert(ee1, @rsa1024, 2, now, now+1800, ee_exts,
-                           @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
-    @ee2_cert = issue_cert(ee2, @rsa1024, 3, now, now+1800, ee_exts,
-                           @ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+    @ee1_cert = issue_cert(ee1, @rsa1024, 2, ee_exts, @ca_cert, @rsa2048)
+    @ee2_cert = issue_cert(ee2, @rsa1024, 3, ee_exts, @ca_cert, @rsa2048)
   end
 
   def issue_cert(*args)
diff --git a/test/test_ssl.rb b/test/test_ssl.rb
index ccdbf8e1..8d74f25f 100644
--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
@@ -394,14 +394,12 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
       }
     }
 
-    now = Time.now
     exts = [
       ["keyUsage","keyEncipherment,digitalSignature",true],
       ["subjectAltName","DNS:localhost.localdomain",false],
       ["subjectAltName","IP:127.0.0.1",false],
     ]
-    @svr_cert = issue_cert(@svr, @svr_key, 4, now, now+1800, exts,
-                           @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
+    @svr_cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key)
     start_server { |server, port|
       server_connect(port) { |ssl|
         assert(ssl.post_connection_check("localhost.localdomain"))
@@ -417,13 +415,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
       }
     }
 
-    now = Time.now
     exts = [
       ["keyUsage","keyEncipherment,digitalSignature",true],
       ["subjectAltName","DNS:*.localdomain",false],
     ]
-    @svr_cert = issue_cert(@svr, @svr_key, 5, now, now+1800, exts,
-                           @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
+    @svr_cert = issue_cert(@svr, @svr_key, 5, exts, @ca_cert, @ca_key)
     start_server { |server, port|
       server_connect(port) { |ssl|
         assert(ssl.post_connection_check("localhost.localdomain"))
@@ -711,14 +707,12 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
   def test_verify_hostname_on_connect
     ctx_proc = proc { |ctx|
-      now = Time.now
       exts = [
         ["keyUsage", "keyEncipherment,digitalSignature", true],
         ["subjectAltName", "DNS:a.example.com,DNS:*.b.example.com," \
                            "DNS:c*.example.com,DNS:d.*.example.com"],
       ]
-      ctx.cert = issue_cert(@svr, @svr_key, 4, now, now+1800, exts,
-                            @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
+      ctx.cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key)
       ctx.key = @svr_key
     }
 
diff --git a/test/test_x509cert.rb b/test/test_x509cert.rb
index 269d0172..fb757c44 100644
--- a/test/test_x509cert.rb
+++ b/test/test_x509cert.rb
@@ -11,7 +11,6 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
     @dsa512  = OpenSSL::TestUtils::TEST_KEY_DSA512
     @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
     @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
-    @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
   end
 
   def issue_cert(*args)
@@ -20,8 +19,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
 
   def test_serial
     [1, 2**32, 2**100].each{|s|
-      cert = issue_cert(@ca, @rsa2048, s, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::SHA1.new)
+      cert = issue_cert(@ca, @rsa2048, s, [], nil, nil)
       assert_equal(s, cert.serial)
       cert = OpenSSL::X509::Certificate.new(cert.to_der)
       assert_equal(s, cert.serial)
@@ -41,8 +39,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
     [
       [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dsa_digest], [@dsa512, dsa_digest]
     ].each{|pk, digest|
-      cert = issue_cert(@ca, pk, 1, Time.now, Time.now+3600, exts,
-                        nil, nil, digest)
+      cert = issue_cert(@ca, pk, 1, exts, nil, nil, digest: digest)
       assert_equal(cert.extensions.sort_by(&:to_s)[2].value,
                    OpenSSL::TestUtils.get_subject_key_id(cert))
       cert = OpenSSL::X509::Certificate.new(cert.to_der)
@@ -52,27 +49,27 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
   end
 
   def test_validity
-    now = Time.now until now && now.usec != 0
-    cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
-    assert_not_equal(now, cert.not_before)
-    assert_not_equal(now+3600, cert.not_after)
+    now = Time.at(Time.now.to_i + 0.9)
+    cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil,
+                      not_before: now, not_after: now+3600)
+    assert_equal(Time.at(now.to_i), cert.not_before)
+    assert_equal(Time.at(now.to_i+3600), cert.not_after)
 
     now = Time.at(now.to_i)
-    cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil,
+                      not_before: now, not_after: now+3600)
     assert_equal(now.getutc, cert.not_before)
     assert_equal((now+3600).getutc, cert.not_after)
 
     now = Time.at(0)
-    cert = issue_cert(@ca, @rsa2048, 1, now, now, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil,
+                      not_before: now, not_after: now)
     assert_equal(now.getutc, cert.not_before)
     assert_equal(now.getutc, cert.not_after)
 
     now = Time.at(0x7fffffff)
-    cert = issue_cert(@ca, @rsa2048, 1, now, now, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil,
+                      not_before: now, not_after: now)
     assert_equal(now.getutc, cert.not_before)
     assert_equal(now.getutc, cert.not_after)
   end
@@ -84,8 +81,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
       ["subjectKeyIdentifier","hash",false],
       ["authorityKeyIdentifier","keyid:always",false],
     ]
-    ca_cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, ca_exts,
-                         nil, nil, OpenSSL::Digest::SHA1.new)
+    ca_cert = issue_cert(@ca, @rsa2048, 1, ca_exts, nil, nil)
     ca_cert.extensions.each_with_index{|ext, i|
       assert_equal(ca_exts[i].first, ext.oid)
       assert_equal(ca_exts[i].last, ext.critical?)
@@ -98,34 +94,16 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
       ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
       ["subjectAltName","email:ee1@ruby-lang.org",false],
     ]
-    ee1_cert = issue_cert(@ee1, @rsa1024, 2, Time.now, Time.now+1800, ee1_exts,
-                          ca_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
+    ee1_cert = issue_cert(@ee1, @rsa1024, 2, ee1_exts, ca_cert, @rsa2048)
     assert_equal(ca_cert.subject.to_der, ee1_cert.issuer.to_der)
     ee1_cert.extensions.each_with_index{|ext, i|
       assert_equal(ee1_exts[i].first, ext.oid)
       assert_equal(ee1_exts[i].last, ext.critical?)
     }
-
-    ee2_exts = [
-      ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
-      ["subjectKeyIdentifier","hash",false],
-      ["authorityKeyIdentifier","issuer:always",false],
-      ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
-      ["subjectAltName","email:ee2@ruby-lang.org",false],
-    ]
-    ee2_cert = issue_cert(@ee2, @rsa1024, 3, Time.now, Time.now+1800, ee2_exts,
-                          ca_cert, @rsa2048, OpenSSL::Digest::MD5.new)
-    assert_equal(ca_cert.subject.to_der, ee2_cert.issuer.to_der)
-    ee2_cert.extensions.each_with_index{|ext, i|
-      assert_equal(ee2_exts[i].first, ext.oid)
-      assert_equal(ee2_exts[i].last, ext.critical?)
-    }
-
   end
 
   def test_sign_and_verify_rsa_sha1
-    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: "sha1")
     assert_equal(false, cert.verify(@rsa1024))
     assert_equal(true,  cert.verify(@rsa2048))
     assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) })
@@ -135,8 +113,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
   end
 
   def test_sign_and_verify_rsa_md5
-    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::MD5.new)
+    cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: "md5")
     assert_equal(false, cert.verify(@rsa1024))
     assert_equal(true, cert.verify(@rsa2048))
 
@@ -148,8 +125,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
   end
 
   def test_sign_and_verify_dsa
-    cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
+    cert = issue_cert(@ca, @dsa512, 1, [], nil, nil)
     assert_equal(false, certificate_error_returns_false { cert.verify(@rsa1024) })
     assert_equal(false, certificate_error_returns_false { cert.verify(@rsa2048) })
     assert_equal(false, cert.verify(@dsa256))
@@ -159,8 +135,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
   end
 
   def test_sign_and_verify_rsa_dss1
-    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::DSS1.new)
+    cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: OpenSSL::Digest::DSS1.new)
     assert_equal(false, cert.verify(@rsa1024))
     assert_equal(true, cert.verify(@rsa2048))
     assert_equal(false, certificate_error_returns_false { cert.verify(@dsa256) })
@@ -172,27 +147,19 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
 
   def test_sign_and_verify_dsa_md5
     assert_raise(OpenSSL::X509::CertificateError){
-      issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                 nil, nil, OpenSSL::Digest::MD5.new)
+      issue_cert(@ca, @dsa512, 1, [], nil, nil, digest: "md5")
     }
   end
 
   def test_dsig_algorithm_mismatch
     assert_raise(OpenSSL::X509::CertificateError) do
-      issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                 nil, nil, OpenSSL::Digest::DSS1.new)
+      issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: OpenSSL::Digest::DSS1.new)
     end if OpenSSL::OPENSSL_VERSION_NUMBER < 0x10001000 # [ruby-core:42949]
-
-    assert_raise(OpenSSL::X509::CertificateError) do
-      issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                 nil, nil, OpenSSL::Digest::MD5.new)
-    end
   end
 
   def test_dsa_with_sha2
     begin
-      cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
-                        nil, nil, OpenSSL::Digest::SHA256.new)
+      cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha256")
       assert_equal("dsa_with_SHA256", cert.signature_algorithm)
     rescue OpenSSL::X509::CertificateError
       # dsa_with_sha2 not supported. skip following test.
@@ -201,14 +168,12 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
     # TODO: need more tests for dsa + sha2
 
     # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requires DSS1)
-    cert = issue_cert(@ca, @dsa256, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha1")
     assert_equal("dsaWithSHA1", cert.signature_algorithm)
   end if defined?(OpenSSL::Digest::SHA256)
 
   def test_check_private_key
-    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
     assert_equal(true, cert.check_private_key(@rsa2048))
   end
 
diff --git a/test/test_x509crl.rb b/test/test_x509crl.rb
index cd1ccc98..f61de971 100644
--- a/test/test_x509crl.rb
+++ b/test/test_x509crl.rb
@@ -25,8 +25,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
   def test_basic
     now = Time.at(Time.now.to_i)
 
-    cert = issue_cert(@ca, @rsa2048, 1, now, now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
     crl = issue_crl([], 1, now, now+1600, [],
                     cert, @rsa2048, OpenSSL::Digest::SHA1.new)
     assert_equal(1, crl.version)
@@ -63,8 +62,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
       [4, now,                 4],
       [5, now,                 5],
     ]
-    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
     crl = issue_crl(revoke_info, 1, Time.now, Time.now+1600, [],
                     cert, @rsa2048, OpenSSL::Digest::SHA1.new)
     revoked = crl.revoked
@@ -131,8 +129,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
       ["issuerAltName", "issuer:copy", false],
     ]
 
-    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, cert_exts,
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert = issue_cert(@ca, @rsa2048, 1, cert_exts, nil, nil)
     crl = issue_crl([], 1, Time.now, Time.now+1600, crl_exts,
                     cert, @rsa2048, OpenSSL::Digest::SHA1.new)
     exts = crl.extensions
@@ -168,8 +165,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
   end
 
   def test_crlnumber
-    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
     crl = issue_crl([], 1, Time.now, Time.now+1600, [],
                     cert, @rsa2048, OpenSSL::Digest::SHA1.new)
     assert_match(1.to_s, crl.extensions[0].value)
@@ -187,8 +183,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
   end
 
   def test_sign_and_verify
-    cert = issue_cert(@ca, @rsa2048, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::SHA1.new)
+    cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil)
     crl = issue_crl([], 1, Time.now, Time.now+1600, [],
                     cert, @rsa2048, OpenSSL::Digest::SHA1.new)
     assert_equal(false, crl.verify(@rsa1024))
@@ -198,8 +193,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
     crl.version = 0
     assert_equal(false, crl.verify(@rsa2048))
 
-    cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
+    cert = issue_cert(@ca, @dsa512, 1, [], nil, nil)
     crl = issue_crl([], 1, Time.now, Time.now+1600, [],
                     cert, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
     assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) })
diff --git a/test/test_x509store.rb b/test/test_x509store.rb
index e0fa07ac..6ca80c86 100644
--- a/test/test_x509store.rb
+++ b/test/test_x509store.rb
@@ -34,7 +34,9 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
   end
 
   def test_verify
-    now = Time.at(Time.now.to_i)
+    # OpenSSL uses time(2) while Time.now uses clock_gettime(CLOCK_REALTIME),
+    # and there may be difference.
+    now = Time.now - 3
     ca_exts = [
       ["basicConstraints","CA:TRUE",true],
       ["keyUsage","cRLSign,keyCertSign",true],
@@ -42,18 +44,15 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
     ee_exts = [
       ["keyUsage","keyEncipherment,digitalSignature",true],
     ]
-    ca1_cert = issue_cert(@ca1, @rsa2048, 1, now, now+3600, ca_exts,
-                          nil, nil, OpenSSL::Digest::SHA1.new)
-    ca2_cert = issue_cert(@ca2, @rsa1024, 2, now, now+1800, ca_exts,
-                          ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new)
-    ee1_cert = issue_cert(@ee1, @dsa256, 10, now, now+1800, ee_exts,
-                          ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
-    ee2_cert = issue_cert(@ee2, @dsa512, 20, now, now+1800, ee_exts,
-                          ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
-    ee3_cert = issue_cert(@ee2, @dsa512, 30, now-100, now-1, ee_exts,
-                          ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
-    ee4_cert = issue_cert(@ee2, @dsa512, 40, now+1000, now+2000, ee_exts,
-                          ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
+    ca1_cert = issue_cert(@ca1, @rsa2048, 1, ca_exts, nil, nil)
+    ca2_cert = issue_cert(@ca2, @rsa1024, 2, ca_exts, ca1_cert, @rsa2048,
+                          not_after: now+1800)
+    ee1_cert = issue_cert(@ee1, @dsa256, 10, ee_exts, ca2_cert, @rsa1024)
+    ee2_cert = issue_cert(@ee2, @dsa512, 20, ee_exts, ca2_cert, @rsa1024)
+    ee3_cert = issue_cert(@ee2, @dsa512, 30,  ee_exts, ca2_cert, @rsa1024,
+                          not_before: now-100, not_after: now-1)
+    ee4_cert = issue_cert(@ee2, @dsa512, 40, ee_exts, ca2_cert, @rsa1024,
+                          not_before: now+1000, not_after: now+2000,)
 
     revoke_info = []
     crl1   = issue_crl(revoke_info, 1, now, now+1800, [],
@@ -195,8 +194,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
 
   def test_set_errors
     now = Time.now
-    ca1_cert = issue_cert(@ca1, @rsa2048, 1, now, now+3600, [],
-                          nil, nil, OpenSSL::Digest::SHA1.new)
+    ca1_cert = issue_cert(@ca1, @rsa2048, 1, [], nil, nil)
     store = OpenSSL::X509::Store.new
     store.add_cert(ca1_cert)
     assert_raise(OpenSSL::X509::StoreError){
diff --git a/test/utils.rb b/test/utils.rb
index 0016f5c7..43ecd79e 100644
--- a/test/utils.rb
+++ b/test/utils.rb
@@ -130,8 +130,8 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
 
   module_function
 
-  def issue_cert(dn, key, serial, not_before, not_after, extensions,
-                 issuer, issuer_key, digest)
+  def issue_cert(dn, key, serial, extensions, issuer, issuer_key,
+                 not_before: nil, not_after: nil, digest: nil)
     cert = OpenSSL::X509::Certificate.new
     issuer = cert unless issuer
     issuer_key = key unless issuer_key
@@ -140,14 +140,16 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
     cert.subject = dn
     cert.issuer = issuer.subject
     cert.public_key = key.public_key
-    cert.not_before = not_before
-    cert.not_after = not_after
+    now = Time.now
+    cert.not_before = not_before || now - 3600
+    cert.not_after = not_after || now + 3600
     ef = OpenSSL::X509::ExtensionFactory.new
     ef.subject_certificate = cert
     ef.issuer_certificate = issuer
     extensions.each{|oid, value, critical|
       cert.add_extension(ef.create_extension(oid, value, critical))
     }
+    digest ||= OpenSSL::PKey::DSA === issuer_key ? DSA_SIGNATURE_DIGEST.new : "sha256"
     cert.sign(issuer_key, digest)
     cert
   end
@@ -216,7 +218,6 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
       @ca  = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
       @svr = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
       @cli = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
-      now = Time.at(Time.now.to_i)
       ca_exts = [
         ["basicConstraints","CA:TRUE",true],
         ["keyUsage","cRLSign,keyCertSign",true],
@@ -224,9 +225,9 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
       ee_exts = [
         ["keyUsage","keyEncipherment,digitalSignature",true],
       ]
-      @ca_cert  = issue_cert(@ca, @ca_key, 1, now, now+3600, ca_exts, nil, nil, OpenSSL::Digest::SHA1.new)
-      @svr_cert = issue_cert(@svr, @svr_key, 2, now, now+1800, ee_exts, @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
-      @cli_cert = issue_cert(@cli, @cli_key, 3, now, now+1800, ee_exts, @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
+      @ca_cert  = issue_cert(@ca, @ca_key, 1, ca_exts, nil, nil)
+      @svr_cert = issue_cert(@svr, @svr_key, 2, ee_exts, @ca_cert, @ca_key)
+      @cli_cert = issue_cert(@cli, @cli_key, 3, ee_exts, @ca_cert, @ca_key)
       @server = nil
     end
 
-- 
cgit v1.2.3