summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorgotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2004-10-15 09:16:19 +0000
committergotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2004-10-15 09:16:19 +0000
commit8c1b803ed4435edda2c47cc1a559af4bdb88b7d9 (patch)
tree147dcb1c1aaa33deb12363a25ebf7d01aa90ac10
parentbb4e34110bcd2b50a256877c3c26d1765baf74e6 (diff)
* ext/openssl/ossl_x509store.c
(ossl_x509stctx_initialize): setup OpenSSL::X509::StoreContext with ossl_x509stctx_* functions instead of X509_STORE_CTX_*. (ossl_x509store_set_time): add OpenSSL::X509::Store#time=. (ossl_x509stctx_set_time): add OpenSSL::X509::StoreContext#time=. * test/openssl/ossl_x509store.rb: test certificate validity times. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@7040 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog10
-rw-r--r--ext/openssl/ossl_x509store.c33
-rw-r--r--test/openssl/test_x509store.rb32
3 files changed, 72 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 6a49098cbe..6ed15257b5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+Fri Oct 15 18:07:08 2004 GOTOU Yuuzou <gotoyuzo@notwork.org>
+
+ * ext/openssl/ossl_x509store.c
+ (ossl_x509stctx_initialize): setup OpenSSL::X509::StoreContext with
+ ossl_x509stctx_* functions instead of X509_STORE_CTX_*.
+ (ossl_x509store_set_time): add OpenSSL::X509::Store#time=.
+ (ossl_x509stctx_set_time): add OpenSSL::X509::StoreContext#time=.
+
+ * test/openssl/ossl_x509store.rb: test certificate validity times.
+
Fri Oct 15 18:04:35 2004 Hidetoshi NAGAI <nagai@ai.kyutech.ac.jp>
* ext/tk/lib/tk/timer.rb: TkTimer.new(interval, loop){ ... } is
diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c
index 4c5f0624a9..debaef09bd 100644
--- a/ext/openssl/ossl_x509store.c
+++ b/ext/openssl/ossl_x509store.c
@@ -187,6 +187,13 @@ ossl_x509store_set_trust(VALUE self, VALUE trust)
}
static VALUE
+ossl_x509store_set_time(VALUE self, VALUE time)
+{
+ rb_iv_set(self, "@time", time);
+ return time;
+}
+
+static VALUE
ossl_x509store_add_file(VALUE self, VALUE file)
{
X509_STORE *store;
@@ -329,6 +336,11 @@ ossl_x509stctx_alloc(VALUE klass)
return obj;
}
+static VALUE ossl_x509stctx_set_flags(VALUE, VALUE);
+static VALUE ossl_x509stctx_set_purpose(VALUE, VALUE);
+static VALUE ossl_x509stctx_set_trust(VALUE, VALUE);
+static VALUE ossl_x509stctx_set_time(VALUE, VALUE);
+
static VALUE
ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
{
@@ -350,10 +362,11 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
}
#else
X509_STORE_CTX_init(ctx, x509st, x509, x509s);
- X509_STORE_CTX_set_flags(ctx, NUM2INT(rb_iv_get(store, "@flags")));
- X509_STORE_CTX_set_purpose(ctx, NUM2INT(rb_iv_get(store, "@purpose")));
- X509_STORE_CTX_set_trust(ctx, NUM2INT(rb_iv_get(store, "@trust")));
+ ossl_x509stctx_set_flags(self, rb_iv_get(store, "@flags"));
+ ossl_x509stctx_set_purpose(self, rb_iv_get(store, "@purpose"));
+ ossl_x509stctx_set_trust(self, rb_iv_get(store, "@trust"));
#endif
+ ossl_x509stctx_set_time(self, rb_iv_get(store, "@time"));
rb_iv_set(self, "@verify_callback", rb_iv_get(store, "@verify_callback"));
rb_iv_set(self, "@cert", cert);
@@ -512,6 +525,18 @@ ossl_x509stctx_set_trust(VALUE self, VALUE trust)
return trust;
}
+static VALUE
+ossl_x509stctx_set_time(VALUE self, VALUE time)
+{
+ X509_STORE_CTX *store;
+
+ GetX509StCtx(self, store);
+ if(NIL_P(time)) store->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
+ else X509_STORE_CTX_set_time(store, 0, NUM2LONG(rb_Integer(time)));
+
+ return time;
+}
+
/*
* INIT
*/
@@ -533,6 +558,7 @@ Init_ossl_x509store()
rb_define_method(cX509Store, "flags=", ossl_x509store_set_flags, 1);
rb_define_method(cX509Store, "purpose=", ossl_x509store_set_purpose, 1);
rb_define_method(cX509Store, "trust=", ossl_x509store_set_trust, 1);
+ rb_define_method(cX509Store, "time=", ossl_x509store_set_time, 1);
rb_define_method(cX509Store, "add_path", ossl_x509store_add_path, 1);
rb_define_method(cX509Store, "add_file", ossl_x509store_add_file, 1);
rb_define_method(cX509Store, "add_cert", ossl_x509store_add_cert, 1);
@@ -555,5 +581,6 @@ Init_ossl_x509store()
rb_define_method(x509stctx,"flags=", ossl_x509stctx_set_flags, 1);
rb_define_method(x509stctx,"purpose=", ossl_x509stctx_set_purpose, 1);
rb_define_method(x509stctx,"trust=", ossl_x509stctx_set_trust, 1);
+ rb_define_method(x509stctx,"time=", ossl_x509stctx_set_time, 1);
}
diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb
index 113e81fa52..8151e5fdb6 100644
--- a/test/openssl/test_x509store.rb
+++ b/test/openssl/test_x509store.rb
@@ -49,6 +49,8 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase
ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
ee3_cert = issue_cert(@ee2, @dsa512, 30, now-100, now-1, ee_exts,
ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
+ ee4_cert = issue_cert(@ee2, @dsa512, 40, now+1000, now+2000, ee_exts,
+ ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
revoke_info = []
crl1 = issue_crl(revoke_info, 1, now, now+1800, [],
@@ -106,6 +108,36 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase
assert_equal(@ca1.to_der, chain[2].subject.to_der)
assert_equal(false, store.verify(ee3_cert))
assert_match(/expire/i, store.error_string)
+ assert_equal(false, store.verify(ee4_cert))
+ assert_match(/not yet valid/i, store.error_string)
+
+ store = OpenSSL::X509::Store.new
+ store.add_cert(ca1_cert)
+ store.add_cert(ca2_cert)
+ store.time = now + 1500
+ assert_equal(true, store.verify(ca1_cert))
+ assert_equal(true, store.verify(ca2_cert))
+ assert_equal(true, store.verify(ee4_cert))
+ store.time = now + 1900
+ assert_equal(true, store.verify(ca1_cert))
+ assert_equal(false, store.verify(ca2_cert))
+ assert_match(/expire/i, store.error_string)
+ assert_equal(false, store.verify(ee4_cert))
+ assert_match(/expire/i, store.error_string)
+ store.time = now + 4000
+ assert_equal(false, store.verify(ee1_cert))
+ assert_match(/expire/i, store.error_string)
+ assert_equal(false, store.verify(ee4_cert))
+ assert_match(/expire/i, store.error_string)
+
+ # the underlying X509 struct caches the result of the last
+ # verification for signature and not-before. so the following code
+ # rebuilds new objects to avoid site effect.
+ store.time = Time.now - 4000
+ assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ca2_cert)))
+ assert_match(/not yet valid/i, store.error_string)
+ assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ee1_cert)))
+ assert_match(/not yet valid/i, store.error_string)
return unless defined?(OpenSSL::X509::V_FLAG_CRL_CHECK)