diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-10-09 12:34:46 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-10-09 12:39:24 +0200 |
commit | f734509643ff3f2ec63b50efe62772002b216158 (patch) | |
tree | 2f812b350e9e8721f8bc3d57504bc5f64d5708b3 /tests | |
parent | ceb3dc6a4969fd7903460e89d57f0c93aa2d5071 (diff) | |
download | gnutls-f734509643ff3f2ec63b50efe62772002b216158.tar.gz |
tests: allow running specific chainverify tests on fixed dates
Diffstat (limited to 'tests')
-rw-r--r-- | tests/chainverify.c | 10 | ||||
-rw-r--r-- | tests/suite/pkcs11-chainverify.c | 10 | ||||
-rw-r--r-- | tests/test-chains.h | 21 |
3 files changed, 27 insertions, 14 deletions
diff --git a/tests/chainverify.c b/tests/chainverify.c index 85cf690730..1630d32d2f 100644 --- a/tests/chainverify.c +++ b/tests/chainverify.c @@ -34,14 +34,15 @@ #include "utils.h" #include "test-chains.h" +#define DEFAULT_THEN 1256803113 +static time_t then = DEFAULT_THEN; + /* GnuTLS internally calls time() to find out the current time when verifying certificates. To avoid a time bomb, we hard code the current time. This should work fine on systems where the library call to time is resolved at run-time. */ static time_t mytime(time_t * t) { - time_t then = 1256803113; - if (t) *t = then; @@ -156,6 +157,11 @@ void doit(void) if (debug) printf("\tVerifying..."); + if (chains[i].expected_time != 0) + then = chains[i].expected_time; + else + then = DEFAULT_THEN; + if (chains[i].purpose == NULL) { ret = gnutls_x509_crt_list_verify(certs, j, &ca, 1, NULL, 0, diff --git a/tests/suite/pkcs11-chainverify.c b/tests/suite/pkcs11-chainverify.c index 50c7de6cfe..43493b8efc 100644 --- a/tests/suite/pkcs11-chainverify.c +++ b/tests/suite/pkcs11-chainverify.c @@ -38,14 +38,15 @@ #define URL "pkcs11:model=SoftHSM;manufacturer=SoftHSM;serial=1;token=test" #define CONFIG "softhsm.config" +#define DEFAULT_THEN 1256803113 +static time_t then = DEFAULT_THEN; + /* GnuTLS internally calls time() to find out the current time when verifying certificates. To avoid a time bomb, we hard code the current time. This should work fine on systems where the library call to time is resolved at run-time. */ static time_t mytime(time_t * t) { - time_t then = 1256803113; - if (t) *t = then; @@ -282,6 +283,11 @@ void doit(void) vdata[0].type = GNUTLS_DT_KEY_PURPOSE_OID; vdata[0].data = (void *)chains[i].purpose; + if (chains[i].expected_time != 0) + then = chains[i].expected_time; + else + then = DEFAULT_THEN; + /* make sure that the two functions don't diverge */ ret = gnutls_x509_trust_list_verify_crt2(tl, certs, j, vdata, diff --git a/tests/test-chains.h b/tests/test-chains.h index fd6c565152..f6dc816864 100644 --- a/tests/test-chains.h +++ b/tests/test-chains.h @@ -1738,11 +1738,12 @@ static struct unsigned int verify_flags; unsigned int expected_verify_result; const char *purpose; + time_t expected_time; } chains[] = { { "CVE-2014-0092", cve_2014_0092_check, &cve_2014_0092_check[1], 0, - GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_NOT_ACTIVATED | GNUTLS_CERT_INVALID, NULL}, + GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL, 1412850586}, { "CVE-2008-4989", cve_2008_4989_chain, &cve_2008_4989_chain[2], 0, GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID, NULL}, @@ -1836,15 +1837,15 @@ static struct GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL}, { "ecc cert not ok (due to profile)", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB192), GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL}, - { "name constraints chain ok1", nc_good1, &nc_good1[4], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0, NULL}, - { "name constraints chain bad1", nc_bad1, &nc_bad1[2], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL}, - { "name constraints chain bad2", nc_bad2, &nc_bad2[4], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL}, - { "name constraints chain bad3", nc_bad3, &nc_bad3[2], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL}, - { "modified", modified1, &modified1[3], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNATURE_FAILURE, NULL}, - { "not-modified", modified2, &modified2[3], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0, NULL}, - { "kp-interm", kp_fail1, &kp_fail1[3], GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE|GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_PURPOSE_MISMATCH, GNUTLS_KP_TLS_WWW_SERVER}, - { "kp-fin", kp_fail2, &kp_fail2[3], GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE|GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_PURPOSE_MISMATCH, GNUTLS_KP_TLS_WWW_SERVER}, - { "kp-ok", kp_ok, &kp_ok[3], GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE|GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0, GNUTLS_KP_OCSP_SIGNING}, + { "name constraints chain ok1", nc_good1, &nc_good1[4], 0, 0, NULL, 1412850586}, + { "name constraints chain bad1", nc_bad1, &nc_bad1[2], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586}, + { "name constraints chain bad2", nc_bad2, &nc_bad2[4], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586}, + { "name constraints chain bad3", nc_bad3, &nc_bad3[2], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586}, + { "modified", modified1, &modified1[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNATURE_FAILURE, NULL, 1412850586}, + { "not-modified", modified2, &modified2[3], 0, 0, NULL, 1412850586}, + { "kp-interm", kp_fail1, &kp_fail1[3], GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE, GNUTLS_CERT_INVALID | GNUTLS_CERT_PURPOSE_MISMATCH, GNUTLS_KP_TLS_WWW_SERVER, 1412850586}, + { "kp-fin", kp_fail2, &kp_fail2[3], GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE, GNUTLS_CERT_INVALID | GNUTLS_CERT_PURPOSE_MISMATCH, GNUTLS_KP_TLS_WWW_SERVER, 1412850586}, + { "kp-ok", kp_ok, &kp_ok[3], GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE, 0, GNUTLS_KP_OCSP_SIGNING, 1412850586}, { NULL, NULL, NULL, 0, 0} }; /* *INDENT-ON* */ |