From 8c1b803ed4435edda2c47cc1a559af4bdb88b7d9 Mon Sep 17 00:00:00 2001
From: gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Fri, 15 Oct 2004 09:16:19 +0000
Subject: * ext/openssl/ossl_x509store.c   (ossl_x509stctx_initialize): setup
 OpenSSL::X509::StoreContext with   ossl_x509stctx_* functions instead of
 X509_STORE_CTX_*.   (ossl_x509store_set_time): add
 OpenSSL::X509::Store#time=.   (ossl_x509stctx_set_time): add
 OpenSSL::X509::StoreContext#time=.

* test/openssl/ossl_x509store.rb: test certificate validity times.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@7040 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 test/openssl/test_x509store.rb | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

(limited to 'test')

diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb
index 113e81fa52..8151e5fdb6 100644
--- a/test/openssl/test_x509store.rb
+++ b/test/openssl/test_x509store.rb
@@ -49,6 +49,8 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase
                           ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
     ee3_cert = issue_cert(@ee2, @dsa512, 30, now-100, now-1, ee_exts,
                           ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
+    ee4_cert = issue_cert(@ee2, @dsa512, 40, now+1000, now+2000, ee_exts,
+                          ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
 
     revoke_info = []
     crl1   = issue_crl(revoke_info, 1, now, now+1800, [],
@@ -106,6 +108,36 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase
     assert_equal(@ca1.to_der, chain[2].subject.to_der)
     assert_equal(false, store.verify(ee3_cert))
     assert_match(/expire/i, store.error_string)
+    assert_equal(false, store.verify(ee4_cert))
+    assert_match(/not yet valid/i, store.error_string)
+
+    store = OpenSSL::X509::Store.new
+    store.add_cert(ca1_cert)
+    store.add_cert(ca2_cert)
+    store.time = now + 1500
+    assert_equal(true, store.verify(ca1_cert))
+    assert_equal(true, store.verify(ca2_cert))
+    assert_equal(true, store.verify(ee4_cert))
+    store.time = now + 1900
+    assert_equal(true, store.verify(ca1_cert))
+    assert_equal(false, store.verify(ca2_cert))
+    assert_match(/expire/i, store.error_string)
+    assert_equal(false, store.verify(ee4_cert))
+    assert_match(/expire/i, store.error_string)
+    store.time = now + 4000
+    assert_equal(false, store.verify(ee1_cert))
+    assert_match(/expire/i, store.error_string)
+    assert_equal(false, store.verify(ee4_cert))
+    assert_match(/expire/i, store.error_string)
+
+    # the underlying X509 struct caches the result of the last
+    # verification for signature and not-before. so the following code
+    # rebuilds new objects to avoid site effect.
+    store.time = Time.now - 4000
+    assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ca2_cert)))
+    assert_match(/not yet valid/i, store.error_string)
+    assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ee1_cert)))
+    assert_match(/not yet valid/i, store.error_string)
 
     return unless defined?(OpenSSL::X509::V_FLAG_CRL_CHECK)
 
-- 
cgit v1.2.3