diff options
| -rw-r--r-- | ChangeLog | 10 | ||||
| -rw-r--r-- | ext/openssl/ossl_x509store.c | 33 | ||||
| -rw-r--r-- | test/openssl/test_x509store.rb | 32 |
3 files changed, 72 insertions, 3 deletions
@@ -1,3 +1,13 @@ +Fri Oct 15 18:07:08 2004 GOTOU Yuuzou <gotoyuzo@notwork.org> + + * ext/openssl/ossl_x509store.c + (ossl_x509stctx_initialize): setup OpenSSL::X509::StoreContext with + ossl_x509stctx_* functions instead of X509_STORE_CTX_*. + (ossl_x509store_set_time): add OpenSSL::X509::Store#time=. + (ossl_x509stctx_set_time): add OpenSSL::X509::StoreContext#time=. + + * test/openssl/ossl_x509store.rb: test certificate validity times. + Fri Oct 15 18:04:35 2004 Hidetoshi NAGAI <nagai@ai.kyutech.ac.jp> * ext/tk/lib/tk/timer.rb: TkTimer.new(interval, loop){ ... } is diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c index 4c5f0624a9..debaef09bd 100644 --- a/ext/openssl/ossl_x509store.c +++ b/ext/openssl/ossl_x509store.c @@ -187,6 +187,13 @@ ossl_x509store_set_trust(VALUE self, VALUE trust) } static VALUE +ossl_x509store_set_time(VALUE self, VALUE time) +{ + rb_iv_set(self, "@time", time); + return time; +} + +static VALUE ossl_x509store_add_file(VALUE self, VALUE file) { X509_STORE *store; @@ -329,6 +336,11 @@ ossl_x509stctx_alloc(VALUE klass) return obj; } +static VALUE ossl_x509stctx_set_flags(VALUE, VALUE); +static VALUE ossl_x509stctx_set_purpose(VALUE, VALUE); +static VALUE ossl_x509stctx_set_trust(VALUE, VALUE); +static VALUE ossl_x509stctx_set_time(VALUE, VALUE); + static VALUE ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self) { @@ -350,10 +362,11 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self) } #else X509_STORE_CTX_init(ctx, x509st, x509, x509s); - X509_STORE_CTX_set_flags(ctx, NUM2INT(rb_iv_get(store, "@flags"))); - X509_STORE_CTX_set_purpose(ctx, NUM2INT(rb_iv_get(store, "@purpose"))); - X509_STORE_CTX_set_trust(ctx, NUM2INT(rb_iv_get(store, "@trust"))); + ossl_x509stctx_set_flags(self, rb_iv_get(store, "@flags")); + ossl_x509stctx_set_purpose(self, rb_iv_get(store, "@purpose")); + ossl_x509stctx_set_trust(self, rb_iv_get(store, "@trust")); #endif + ossl_x509stctx_set_time(self, rb_iv_get(store, "@time")); rb_iv_set(self, "@verify_callback", rb_iv_get(store, "@verify_callback")); rb_iv_set(self, "@cert", cert); @@ -512,6 +525,18 @@ ossl_x509stctx_set_trust(VALUE self, VALUE trust) return trust; } +static VALUE +ossl_x509stctx_set_time(VALUE self, VALUE time) +{ + X509_STORE_CTX *store; + + GetX509StCtx(self, store); + if(NIL_P(time)) store->flags &= ~X509_V_FLAG_USE_CHECK_TIME; + else X509_STORE_CTX_set_time(store, 0, NUM2LONG(rb_Integer(time))); + + return time; +} + /* * INIT */ @@ -533,6 +558,7 @@ Init_ossl_x509store() rb_define_method(cX509Store, "flags=", ossl_x509store_set_flags, 1); rb_define_method(cX509Store, "purpose=", ossl_x509store_set_purpose, 1); rb_define_method(cX509Store, "trust=", ossl_x509store_set_trust, 1); + rb_define_method(cX509Store, "time=", ossl_x509store_set_time, 1); rb_define_method(cX509Store, "add_path", ossl_x509store_add_path, 1); rb_define_method(cX509Store, "add_file", ossl_x509store_add_file, 1); rb_define_method(cX509Store, "add_cert", ossl_x509store_add_cert, 1); @@ -555,5 +581,6 @@ Init_ossl_x509store() rb_define_method(x509stctx,"flags=", ossl_x509stctx_set_flags, 1); rb_define_method(x509stctx,"purpose=", ossl_x509stctx_set_purpose, 1); rb_define_method(x509stctx,"trust=", ossl_x509stctx_set_trust, 1); + rb_define_method(x509stctx,"time=", ossl_x509stctx_set_time, 1); } diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb index 113e81fa52..8151e5fdb6 100644 --- a/test/openssl/test_x509store.rb +++ b/test/openssl/test_x509store.rb @@ -49,6 +49,8 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) ee3_cert = issue_cert(@ee2, @dsa512, 30, now-100, now-1, ee_exts, ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) + ee4_cert = issue_cert(@ee2, @dsa512, 40, now+1000, now+2000, ee_exts, + ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) revoke_info = [] crl1 = issue_crl(revoke_info, 1, now, now+1800, [], @@ -106,6 +108,36 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase assert_equal(@ca1.to_der, chain[2].subject.to_der) assert_equal(false, store.verify(ee3_cert)) assert_match(/expire/i, store.error_string) + assert_equal(false, store.verify(ee4_cert)) + assert_match(/not yet valid/i, store.error_string) + + store = OpenSSL::X509::Store.new + store.add_cert(ca1_cert) + store.add_cert(ca2_cert) + store.time = now + 1500 + assert_equal(true, store.verify(ca1_cert)) + assert_equal(true, store.verify(ca2_cert)) + assert_equal(true, store.verify(ee4_cert)) + store.time = now + 1900 + assert_equal(true, store.verify(ca1_cert)) + assert_equal(false, store.verify(ca2_cert)) + assert_match(/expire/i, store.error_string) + assert_equal(false, store.verify(ee4_cert)) + assert_match(/expire/i, store.error_string) + store.time = now + 4000 + assert_equal(false, store.verify(ee1_cert)) + assert_match(/expire/i, store.error_string) + assert_equal(false, store.verify(ee4_cert)) + assert_match(/expire/i, store.error_string) + + # the underlying X509 struct caches the result of the last + # verification for signature and not-before. so the following code + # rebuilds new objects to avoid site effect. + store.time = Time.now - 4000 + assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ca2_cert))) + assert_match(/not yet valid/i, store.error_string) + assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ee1_cert))) + assert_match(/not yet valid/i, store.error_string) return unless defined?(OpenSSL::X509::V_FLAG_CRL_CHECK) |