From 049c3927ff0692282187507e3d4914bb8112ff0a Mon Sep 17 00:00:00 2001 From: gotoyuzo Date: Sun, 19 Dec 2004 08:28:33 +0000 Subject: * ext/openssl/ossl_x509store.c (ossl_x509store_set_time): add OpenSSL::X509::Store#time=. (ossl_x509stctx_set_time): add OpenSSL::X509::StoreContext#time=. * test/openssl/ossl_x509store.rb: test certificate validity times. * ext/openssl/ossl_x509name.c (ossl_x509name_to_s): add optional second argument to specify the output format (see also X509_NAME_print_ex). * ext/openssl/ossl_x509name.c (ossl_x509name_init): new constants: OpenSSL::X509::Name::COMPAT, OpenSSL::X509::Name::RFC2253, OpenSSL::X509::ONELINE, OpenSSL::X509::MULTILINE. * ext/openssl/lib/openssl/x509.rb (OpenSSL::X509::Name::RFC2253DN): new module to provide the parse for RFC2253 DN format. * ext/openssl/lib/openssl/x509.rb (OpenSSL::X509::Name.parse_rfc2253): new method to parse RFC2253 DN format. * test/openssl/ossl_x509name.rb: add tests about RFC2253 DN. * text/openssl/ssl_server.rb: try to listen ports from 20443 to 20542 while EADDRINUSE is raised. * all changes in this entry are backport from 1.9. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8@7599 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- ChangeLog | 29 +++++++++ ext/openssl/lib/openssl/x509.rb | 89 +++++++++++++++++++++++++- ext/openssl/ossl_x509name.c | 33 +++++++++- ext/openssl/ossl_x509store.c | 40 +++++++++++- test/openssl/ssl_server.rb | 12 +++- test/openssl/test_ssl.rb | 32 +++++----- test/openssl/test_x509name.rb | 134 +++++++++++++++++++++++++++++++++------- test/openssl/test_x509store.rb | 32 ++++++++++ 8 files changed, 354 insertions(+), 47 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3192fb1c8f..42ed70456a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,32 @@ +Sun Dec 19 17:19:48 2004 GOTOU Yuuzou + + * ext/openssl/ossl_x509store.c + (ossl_x509store_set_time): add OpenSSL::X509::Store#time=. + (ossl_x509stctx_set_time): add OpenSSL::X509::StoreContext#time=. + + * test/openssl/ossl_x509store.rb: test certificate validity times. + + * ext/openssl/ossl_x509name.c (ossl_x509name_to_s): add optional + second argument to specify the output format (see also + X509_NAME_print_ex). + + * ext/openssl/ossl_x509name.c (ossl_x509name_init): new constants: + OpenSSL::X509::Name::COMPAT, OpenSSL::X509::Name::RFC2253, + OpenSSL::X509::ONELINE, OpenSSL::X509::MULTILINE. + + * ext/openssl/lib/openssl/x509.rb (OpenSSL::X509::Name::RFC2253DN): + new module to provide the parse for RFC2253 DN format. + + * ext/openssl/lib/openssl/x509.rb (OpenSSL::X509::Name.parse_rfc2253): + new method to parse RFC2253 DN format. + + * test/openssl/ossl_x509name.rb: add tests about RFC2253 DN. + + * text/openssl/ssl_server.rb: try to listen ports from 20443 to 20542 + while EADDRINUSE is raised. + + * all changes in this entry are backport from 1.9. + Sun Dec 19 17:24:59 2004 Nobuyoshi Nakada * configure.in (enable_rpath): use rpath flag to embed the library diff --git a/ext/openssl/lib/openssl/x509.rb b/ext/openssl/lib/openssl/x509.rb index 6dd469827a..e711bda39c 100644 --- a/ext/openssl/lib/openssl/x509.rb +++ b/ext/openssl/lib/openssl/x509.rb @@ -62,9 +62,92 @@ module OpenSSL end class Name - def self.parse(str, template=OBJECT_TYPE_TEMPLATE) - ary = str.scan(/\s*([^\/,]+)\s*/).collect{|i| i[0].split("=", 2) } - self.new(ary, template) + module RFC2253DN + Special = ',=+<>#;' + HexChar = /[0-9a-fA-F]/ + HexPair = /#{HexChar}#{HexChar}/ + HexString = /#{HexPair}+/ + Pair = /\\(?:[#{Special}]|\\|"|#{HexPair})/ + StringChar = /[^#{Special}\\"]/ + QuoteChar = /[^\\"]/ + AttributeType = /[a-zA-Z][0-9a-zA-Z]*|[0-9]+(?:\.[0-9]+)*/ + AttributeValue = / + (?!["#])((?:#{StringChar}|#{Pair})*)| + \#(#{HexString})| + "((?:#{QuoteChar}|#{Pair})*)" + /x + TypeAndValue = /\A(#{AttributeType})=#{AttributeValue}/ + + module_function + + def expand_pair(str) + return nil unless str + return str.gsub(Pair){|pair| + case pair.size + when 2 then pair[1,1] + when 3 then Integer("0x#{pair[1,2]}").chr + else raise OpenSSL::X509::NameError, "invalid pair: #{str}" + end + } + end + + def expand_hexstring(str) + return nil unless str + der = str.gsub(HexPair){|hex| Integer("0x#{hex}").chr } + a1 = OpenSSL::ASN1.decode(der) + return a1.value, a1.tag + end + + def expand_value(str1, str2, str3) + value = expand_pair(str1) + value, tag = expand_hexstring(str2) unless value + value = expand_pair(str3) unless value + return value, tag + end + + def scan(dn) + str = dn + ary = [] + while true + if md = TypeAndValue.match(str) + matched = md.to_s + remain = md.post_match + type = md[1] + value, tag = expand_value(md[2], md[3], md[4]) rescue nil + if value + type_and_value = [type, value] + type_and_value.push(tag) if tag + ary.unshift(type_and_value) + if remain.length > 2 && remain[0] == ?, + str = remain[1..-1] + next + elsif remain.length > 2 && remain[0] == ?+ + raise OpenSSL::X509::NameError, + "multi-valued RDN is not supported: #{dn}" + elsif remain.empty? + break + end + end + end + msg_dn = dn[0, dn.length - str.length] + " =>" + str + raise OpenSSL::X509::NameError, "malformed RDN: #{msg_dn}" + end + return ary + end + end + + class <", "cmp"); @@ -311,4 +335,9 @@ Init_ossl_x509name() rb_hash_aset(hash, rb_str_new2("domainComponent"), ia5str); rb_hash_aset(hash, rb_str_new2("emailAddress"), ia5str); rb_define_const(cX509Name, "OBJECT_TYPE_TEMPLATE", hash); + + rb_define_const(cX509Name, "COMPAT", ULONG2NUM(XN_FLAG_COMPAT)); + rb_define_const(cX509Name, "RFC2253", ULONG2NUM(XN_FLAG_RFC2253)); + rb_define_const(cX509Name, "ONELINE", ULONG2NUM(XN_FLAG_ONELINE)); + rb_define_const(cX509Name, "MULTILINE", ULONG2NUM(XN_FLAG_MULTILINE)); } diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c index 45d4aee6c9..cf1a2cdac4 100644 --- a/ext/openssl/ossl_x509store.c +++ b/ext/openssl/ossl_x509store.c @@ -189,6 +189,13 @@ ossl_x509store_set_trust(VALUE self, VALUE trust) return trust; } +static VALUE +ossl_x509store_set_time(VALUE self, VALUE time) +{ + rb_iv_set(self, "@time", time); + return time; +} + static VALUE ossl_x509store_add_file(VALUE self, VALUE file) { @@ -332,6 +339,11 @@ ossl_x509stctx_alloc(VALUE klass) return obj; } +static VALUE ossl_x509stctx_set_flags(VALUE, VALUE); +static VALUE ossl_x509stctx_set_purpose(VALUE, VALUE); +static VALUE ossl_x509stctx_set_trust(VALUE, VALUE); +static VALUE ossl_x509stctx_set_time(VALUE, VALUE); + static VALUE ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self) { @@ -353,10 +365,11 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self) } #else X509_STORE_CTX_init(ctx, x509st, x509, x509s); - X509_STORE_CTX_set_flags(ctx, NUM2INT(rb_iv_get(store, "@flags"))); - X509_STORE_CTX_set_purpose(ctx, NUM2INT(rb_iv_get(store, "@purpose"))); - X509_STORE_CTX_set_trust(ctx, NUM2INT(rb_iv_get(store, "@trust"))); + ossl_x509stctx_set_flags(self, rb_iv_get(store, "@flags")); + ossl_x509stctx_set_purpose(self, rb_iv_get(store, "@purpose")); + ossl_x509stctx_set_trust(self, rb_iv_get(store, "@trust")); #endif + ossl_x509stctx_set_time(self, rb_iv_get(store, "@time")); rb_iv_set(self, "@verify_callback", rb_iv_get(store, "@verify_callback")); rb_iv_set(self, "@cert", cert); @@ -518,6 +531,25 @@ ossl_x509stctx_set_trust(VALUE self, VALUE trust) return trust; } +static VALUE +ossl_x509stctx_set_time(VALUE self, VALUE time) +{ + X509_STORE_CTX *store; + + if(NIL_P(time)) { + GetX509StCtx(self, store); + store->flags &= ~X509_V_FLAG_USE_CHECK_TIME; + } + else { + long t = NUM2LONG(rb_Integer(time)); + + GetX509StCtx(self, store); + X509_STORE_CTX_set_time(store, 0, t); + } + + return time; +} + /* * INIT */ @@ -539,6 +571,7 @@ Init_ossl_x509store() rb_define_method(cX509Store, "flags=", ossl_x509store_set_flags, 1); rb_define_method(cX509Store, "purpose=", ossl_x509store_set_purpose, 1); rb_define_method(cX509Store, "trust=", ossl_x509store_set_trust, 1); + rb_define_method(cX509Store, "time=", ossl_x509store_set_time, 1); rb_define_method(cX509Store, "add_path", ossl_x509store_add_path, 1); rb_define_method(cX509Store, "add_file", ossl_x509store_add_file, 1); rb_define_method(cX509Store, "add_cert", ossl_x509store_add_cert, 1); @@ -561,5 +594,6 @@ Init_ossl_x509store() rb_define_method(x509stctx,"flags=", ossl_x509stctx_set_flags, 1); rb_define_method(x509stctx,"purpose=", ossl_x509stctx_set_purpose, 1); rb_define_method(x509stctx,"trust=", ossl_x509stctx_set_trust, 1); + rb_define_method(x509stctx,"time=", ossl_x509stctx_set_time, 1); } diff --git a/test/openssl/ssl_server.rb b/test/openssl/ssl_server.rb index 699a181256..5e1303379f 100644 --- a/test/openssl/ssl_server.rb +++ b/test/openssl/ssl_server.rb @@ -46,12 +46,22 @@ ctx.key = ssl_key ctx.verify_mode = verify_mode Socket.do_not_reverse_lookup = true -tcps = TCPServer.new("0.0.0.0", port) +tcps = nil +100.times{|i| + begin + tcps = TCPServer.new("0.0.0.0", port+i) + port = port + i + break + rescue Errno::EADDRINUSE + next + end +} ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx) ssls.start_immediately = start_immediately $stdout.sync = true $stdout.puts Process.pid +$stdout.puts port loop do ssl = ssls.accept diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 5ca981798c..699563691e 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -54,23 +54,27 @@ class OpenSSL::TestSSL < Test::Unit::TestCase OpenSSL::TestUtils.issue_crl(*arg) end - def start_server(port, verify_mode, start_immediately, &block) + def start_server(port0, verify_mode, start_immediately, &block) server = nil begin cmd = [RUBY] cmd << "-d" if $DEBUG - cmd << SSL_SERVER << port.to_s << verify_mode.to_s + cmd << SSL_SERVER << port0.to_s << verify_mode.to_s cmd << (start_immediately ? "yes" : "no") server = IO.popen(cmd.join(" "), "w+") server.write(@ca_cert.to_pem) server.write(@svr_cert.to_pem) server.write(@svr_key.to_pem) pid = Integer(server.gets) - $stderr.printf("%s started: pid=%d\n", SSL_SERVER, pid) if $DEBUG - block.call(server) + if port = server.gets + if $DEBUG + $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, pid, port) + end + block.call(server, port.to_i) + end ensure if server - Process.kill(:KILL, pid) if pid > 0 + Process.kill(:KILL, pid) server.close end end @@ -86,15 +90,15 @@ class OpenSSL::TestSSL < Test::Unit::TestCase end def test_connect_and_close - start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){ - sock = TCPSocket.new("127.0.0.1", PORT) + start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|s, p| + sock = TCPSocket.new("127.0.0.1", p) ssl = OpenSSL::SSL::SSLSocket.new(sock) assert(ssl.connect) ssl.close assert(!sock.closed?) sock.close - sock = TCPSocket.new("127.0.0.1", PORT) + sock = TCPSocket.new("127.0.0.1", p) ssl = OpenSSL::SSL::SSLSocket.new(sock) ssl.sync_close = true # !! assert(ssl.connect) @@ -104,8 +108,8 @@ class OpenSSL::TestSSL < Test::Unit::TestCase end def test_read_and_write - start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){ - sock = TCPSocket.new("127.0.0.1", PORT) + start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|s, p| + sock = TCPSocket.new("127.0.0.1", p) ssl = OpenSSL::SSL::SSLSocket.new(sock) ssl.sync_close = true ssl.connect @@ -148,8 +152,8 @@ class OpenSSL::TestSSL < Test::Unit::TestCase end def test_starttls - start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|s| - sock = TCPSocket.new("127.0.0.1", PORT) + start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|s, p| + sock = TCPSocket.new("127.0.0.1", p) ssl = OpenSSL::SSL::SSLSocket.new(sock) ssl.sync_close = true str = "x" * 1000 + "\n" @@ -171,10 +175,10 @@ class OpenSSL::TestSSL < Test::Unit::TestCase end def test_parallel - start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){ + start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|s, p| ssls = [] 10.times{ - sock = TCPSocket.new("127.0.0.1", PORT) + sock = TCPSocket.new("127.0.0.1", p) ssl = OpenSSL::SSL::SSLSocket.new(sock) ssl.connect ssl.sync_close = true diff --git a/test/openssl/test_x509name.rb b/test/openssl/test_x509name.rb index 14004a4e20..fb5a1ae4ff 100644 --- a/test/openssl/test_x509name.rb +++ b/test/openssl/test_x509name.rb @@ -7,6 +7,11 @@ require "test/unit" if defined?(OpenSSL) class OpenSSL::TestX509Name < Test::Unit::TestCase + OpenSSL::ASN1::ObjectId.register( + "1.2.840.113549.1.9.1", "emailAddress", "emailAddress") + OpenSSL::ASN1::ObjectId.register( + "2.5.4.5", "serialNumber", "serialNumber") + def setup @obj_type_tmpl = Hash.new(OpenSSL::ASN1::PRINTABLESTRING) @obj_type_tmpl.update(OpenSSL::X509::Name::OBJECT_TYPE_TEMPLATE) @@ -76,21 +81,12 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase ] name = OpenSSL::X509::Name.new(dn) ary = name.to_a - if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000 - assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/Email=gotoyuzo@ruby-lang.org/SN=123", name.to_s) - else - assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s) - end + assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s) assert_equal("DC", ary[0][0]) assert_equal("DC", ary[1][0]) assert_equal("CN", ary[2][0]) - if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000 - assert_equal("Email", ary[3][0]) - assert_equal("SN", ary[4][0]) - else - assert_equal("emailAddress", ary[3][0]) - assert_equal("serialNumber", ary[4][0]) - end + assert_equal("emailAddress", ary[3][0]) + assert_equal("serialNumber", ary[4][0]) assert_equal("org", ary[0][1]) assert_equal("ruby-lang", ary[1][1]) assert_equal("GOTOU Yuuzou", ary[2][1]) @@ -138,6 +134,105 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase assert_equal(OpenSSL::ASN1::PRINTABLESTRING, ary[2][2]) end + def test_s_parse_rfc2253 + scanner = OpenSSL::X509::Name::RFC2253DN.method(:scan) + + assert_equal([["C", "JP"]], scanner.call("C=JP")) + assert_equal([ + ["DC", "org"], + ["DC", "ruby-lang"], + ["CN", "GOTOU Yuuzou"], + ["emailAddress", "gotoyuzo@ruby-lang.org"], + ], + scanner.call( + "emailAddress=gotoyuzo@ruby-lang.org,CN=GOTOU Yuuzou,"+ + "DC=ruby-lang,DC=org") + ) + + u8 = OpenSSL::ASN1::UTF8STRING + assert_equal([ + ["DC", "org"], + ["DC", "ruby-lang"], + ["O", ",=+<>#;"], + ["O", ",=+<>#;"], + ["OU", ""], + ["OU", ""], + ["L", "aaa=\"bbb, ccc\""], + ["L", "aaa=\"bbb, ccc\""], + ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265"], + ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265"], + ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265"], + ["CN", "\345\276\214\350\227\244\350\243\225\350\224\265", u8], + ["2.5.4.3", "GOTOU, Yuuzou"], + ["2.5.4.3", "GOTOU, Yuuzou"], + ["2.5.4.3", "GOTOU, Yuuzou"], + ["2.5.4.3", "GOTOU, Yuuzou"], + ["CN", "GOTOU \"gotoyuzo\" Yuuzou"], + ["CN", "GOTOU \"gotoyuzo\" Yuuzou"], + ["1.2.840.113549.1.9.1", "gotoyuzo@ruby-lang.org"], + ["emailAddress", "gotoyuzo@ruby-lang.org"], + ], + scanner.call( + "emailAddress=gotoyuzo@ruby-lang.org," + + "1.2.840.113549.1.9.1=gotoyuzo@ruby-lang.org," + + 'CN=GOTOU \"gotoyuzo\" Yuuzou,' + + 'CN="GOTOU \"gotoyuzo\" Yuuzou",' + + '2.5.4.3=GOTOU\,\20Yuuzou,' + + '2.5.4.3=GOTOU\, Yuuzou,' + + '2.5.4.3="GOTOU, Yuuzou",' + + '2.5.4.3="GOTOU\, Yuuzou",' + + "CN=#0C0CE5BE8CE897A4E8A395E894B5," + + 'CN=\E5\BE\8C\E8\97\A4\E8\A3\95\E8\94\B5,' + + "CN=\"\xE5\xBE\x8C\xE8\x97\xA4\xE8\xA3\x95\xE8\x94\xB5\"," + + "CN=\xE5\xBE\x8C\xE8\x97\xA4\xE8\xA3\x95\xE8\x94\xB5," + + 'L=aaa\=\"bbb\, ccc\",' + + 'L="aaa=\"bbb, ccc\"",' + + 'OU=,' + + 'OU="",' + + 'O=\,\=\+\<\>\#\;,' + + 'O=",=+<>#;",' + + "DC=ruby-lang," + + "DC=org") + ) + + [ + "DC=org+DC=jp", + "DC=org,DC=ruby-lang+DC=rubyist,DC=www" + ].each{|dn| + ex = scanner.call(dn) rescue $! + dn_r = Regexp.escape(dn) + assert_match(/^multi-valued RDN is not supported: #{dn_r}/, ex.message) + } + + [ + ["DC=org,DC=exapmle,CN", "CN"], + ["DC=org,DC=example,", ""], + ["DC=org,DC=exapmle,CN=www.example.org;", "CN=www.example.org;"], + ["DC=org,DC=exapmle,CN=#www.example.org", "CN=#www.example.org"], + ["DC=org,DC=exapmle,CN=#777777.example.org", "CN=#777777.example.org"], + ["DC=org,DC=exapmle,CN=\"www.example\".org", "CN=\"www.example\".org"], + ["DC=org,DC=exapmle,CN=www.\"example.org\"", "CN=www.\"example.org\""], + ["DC=org,DC=exapmle,CN=www.\"example\".org", "CN=www.\"example\".org"], + ].each{|dn, msg| + ex = scanner.call(dn) rescue $! + assert_match(/^malformed RDN: .*=>#{Regexp.escape(msg)}/, ex.message) + } + + dn = "CN=www.ruby-lang.org,DC=ruby-lang,DC=org" + name = OpenSSL::X509::Name.parse_rfc2253(dn) + assert_equal(dn, name.to_s(OpenSSL::X509::Name::RFC2253)) + ary = name.to_a + assert_equal("DC", ary[0][0]) + assert_equal("DC", ary[1][0]) + assert_equal("CN", ary[2][0]) + assert_equal("org", ary[0][1]) + assert_equal("ruby-lang", ary[1][1]) + assert_equal("www.ruby-lang.org", ary[2][1]) + assert_equal(OpenSSL::ASN1::IA5STRING, ary[0][2]) + assert_equal(OpenSSL::ASN1::IA5STRING, ary[1][2]) + assert_equal(OpenSSL::ASN1::UTF8STRING, ary[2][2]) + end + def test_add_entry dn = [ ["DC", "org"], @@ -149,21 +244,12 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase name = OpenSSL::X509::Name.new dn.each{|attr| name.add_entry(*attr) } ary = name.to_a - if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000 - assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/Email=gotoyuzo@ruby-lang.org/SN=123", name.to_s) - else - assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s) - end + assert_equal("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou/emailAddress=gotoyuzo@ruby-lang.org/serialNumber=123", name.to_s) assert_equal("DC", ary[0][0]) assert_equal("DC", ary[1][0]) assert_equal("CN", ary[2][0]) - if OpenSSL::OPENSSL_VERSION_NUMBER < 0x00907000 - assert_equal("Email", ary[3][0]) - assert_equal("SN", ary[4][0]) - else - assert_equal("emailAddress", ary[3][0]) - assert_equal("serialNumber", ary[4][0]) - end + assert_equal("emailAddress", ary[3][0]) + assert_equal("serialNumber", ary[4][0]) assert_equal("org", ary[0][1]) assert_equal("ruby-lang", ary[1][1]) assert_equal("GOTOU Yuuzou", ary[2][1]) diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb index 113e81fa52..8151e5fdb6 100644 --- a/test/openssl/test_x509store.rb +++ b/test/openssl/test_x509store.rb @@ -49,6 +49,8 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) ee3_cert = issue_cert(@ee2, @dsa512, 30, now-100, now-1, ee_exts, ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) + ee4_cert = issue_cert(@ee2, @dsa512, 40, now+1000, now+2000, ee_exts, + ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new) revoke_info = [] crl1 = issue_crl(revoke_info, 1, now, now+1800, [], @@ -106,6 +108,36 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase assert_equal(@ca1.to_der, chain[2].subject.to_der) assert_equal(false, store.verify(ee3_cert)) assert_match(/expire/i, store.error_string) + assert_equal(false, store.verify(ee4_cert)) + assert_match(/not yet valid/i, store.error_string) + + store = OpenSSL::X509::Store.new + store.add_cert(ca1_cert) + store.add_cert(ca2_cert) + store.time = now + 1500 + assert_equal(true, store.verify(ca1_cert)) + assert_equal(true, store.verify(ca2_cert)) + assert_equal(true, store.verify(ee4_cert)) + store.time = now + 1900 + assert_equal(true, store.verify(ca1_cert)) + assert_equal(false, store.verify(ca2_cert)) + assert_match(/expire/i, store.error_string) + assert_equal(false, store.verify(ee4_cert)) + assert_match(/expire/i, store.error_string) + store.time = now + 4000 + assert_equal(false, store.verify(ee1_cert)) + assert_match(/expire/i, store.error_string) + assert_equal(false, store.verify(ee4_cert)) + assert_match(/expire/i, store.error_string) + + # the underlying X509 struct caches the result of the last + # verification for signature and not-before. so the following code + # rebuilds new objects to avoid site effect. + store.time = Time.now - 4000 + assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ca2_cert))) + assert_match(/not yet valid/i, store.error_string) + assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ee1_cert))) + assert_match(/not yet valid/i, store.error_string) return unless defined?(OpenSSL::X509::V_FLAG_CRL_CHECK) -- cgit v1.2.3