From 40783f122b033ae56fcf787ff86a7cbc461a9dc9 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sat, 30 Jun 2018 16:49:53 +0200
Subject: tests: verify that certtool operates as expected with dates after 2038

That is, whether it works with a time_t of 64-bit size, and fails with a time_t of 32-bit size.

Resolves #370

Signed-off-by: Nikos Mavrogiannopoulos
---
tests/cert-tests/Makefile.am | 1 +
tests/cert-tests/data/template-dates-after2038.pem | 23 +++
tests/cert-tests/template-test | 35 +++++++-
.../templates/template-dates-after2038.tmpl | 97 ++++++++++++++++++++++
4 files changed, 155 insertions(+), 1 deletion(-)
create mode 100644 tests/cert-tests/data/template-dates-after2038.pem
create mode 100644 tests/cert-tests/templates/template-dates-after2038.tmpl

diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 4b14d4174b..52090d427c 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -44,6 +44,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
 data/template-rsa-sha3-256.pem data/template-rsa-sha3-512.pem data/template-rsa-sha3-224.pem \
 data/template-rsa-sha3-384.pem data/long-oids.pem \
 data/name-constraints-ip2.pem data/chain-md5.pem \
+ templates/template-dates-after2038.tmpl data/template-dates-after2038.pem \
 data/gost-cert.pem data/gost-cert-nogost.pem data/gost94-cert.pem \
 templates/template-tlsfeature.tmpl data/userid.pem data/cert-with-crl.p12 \
 data/template-tlsfeature.pem data/template-tlsfeature.csr \
diff --git a/tests/cert-tests/data/template-dates-after2038.pem b/tests/cert-tests/data/template-dates-after2038.pem
new file mode 100644
index 0000000000..865ddc901a
--- /dev/null
+++ b/tests/cert-tests/data/template-dates-after2038.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID3jCCA0egAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBuDEVMBMGA1UEAxMMQ2lu
+ZHkgTGF1cGVyMRcwFQYKCZImiZPyLGQBARMHY2xhdXBlcjEXMBUGA1UECxMOc2xl
+ZXBpbmcgZGVwdC4xEjAQBgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtp
+MQswCQYDVQQGEwJHUjEMMAoGA1UEDBMDRHIuMQ8wDQYDVQRBEwZqYWNrYWwxHDAa
+BgkqhkiG9w0BCQEWDW5vbmVAbm9uZS5vcmcwHhcNMzkwMTEyMTEzNjExWhcNNDMw
+NTI0MTQyOTEyWjCBuDEVMBMGA1UEAxMMQ2luZHkgTGF1cGVyMRcwFQYKCZImiZPy
+LGQBARMHY2xhdXBlcjEXMBUGA1UECxMOc2xlZXBpbmcgZGVwdC4xEjAQBgNVBAoT
+CUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtpMQswCQYDVQQGEwJHUjEMMAoGA1UE
+DBMDRHIuMQ8wDQYDVQRBEwZqYWNrYWwxHDAaBgkqhkiG9w0BCQEWDW5vbmVAbm9u
+ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKXGznVDhL9kngInE/ED
+Wfd5LZLtfC9QpAPxLXm5hosFfjq7RKqvhM8TmB4cSjj3My16n3LUa20msDE3cBD7
+QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwaeh1pr0cCYHofuejP28g0MFGW
+PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjgfUwgfIwDwYDVR0TAQH/BAUwAwEB/zBq
+BgNVHREEYzBhggx3d3cubm9uZS5vcmeCE3d3dy5tb3JldGhhbm9uZS5vcmeCF3d3
+dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEBgQ1ub25lQG5vbmUub3JngQ53aGVy
+ZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwQA
+MB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQiynI2XzAuBgNVHR8EJzAlMCOgIaAf
+hh1odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOB
+gQCTELknONiixbQdjpBVaelZZfymC4ixUfw/IqeWMK7bYoPWi3JQyY8McQOtijna
+RZwSVga9nthtBhHYjxuW3w8kPYQCoyK3ugw7aI8WYmlGeEAT+BiVualE3ZMm7Lf0
+CwmtHA8I0CHKEzfsMCN3wu9EJ3C+9nq5qRtm2lfQSbSsvw==
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/template-test b/tests/cert-tests/template-test
index 2007acab3b..fe954e528a 100755
--- a/tests/cert-tests/template-test
+++ b/tests/cert-tests/template-test
@@ -133,7 +133,12 @@ datefudge -s "2007-04-22" \
 --outfile ${TMPFILE} 2>/dev/null
 rc=$?
-if test "${ac_cv_sizeof_time_t}" = 8;then
+if test "${ac_cv_sizeof_time_t}" -lt 8;then
+ if test "$rc" = "0"; then
+ echo "Test 5-1 (overflow2) succeeded unexpectedly with 32-bit time_t"
+ exit ${rc}
+ fi
+else
 if test "$rc" != "0"; then
 echo "Test 5-1 (overflow2) failed"
 exit ${rc}
@@ -169,6 +174,34 @@ fi
 rm -f ${TMPFILE}
+datefudge -s "2007-04-22" \
+ "${CERTTOOL}" --generate-self-signed \
+ --load-privkey "${srcdir}/data/template-test.key" \
+ --template "${srcdir}/templates/template-dates-after2038.tmpl" \
+ --outfile ${TMPFILE} 2>/dev/null
+rc=$?
+if test "${ac_cv_sizeof_time_t}" -lt 8;then
+ if test "$rc" = "0"; then
+ echo "Test 6-2 (explicit dates) succeeded unexpectedly with 32-bit long"
+ exit ${rc}
+ fi
+else
+ if test "$rc" != "0"; then
+ echo "Test 6-2 (explicit dates) failed"
+ exit ${rc}
+ fi
+
+ ${DIFF} "${srcdir}/data/template-dates-after2038.pem" ${TMPFILE} >/dev/null 2>&1
+ rc=$?
+
+ if test "${rc}" != "0"; then
+ echo "Test 6-3 (explicit dates) failed"
+ exit ${rc}
+ fi
+fi
+
+rm -f ${TMPFILE}
+
 # Test name constraints generation
 datefudge -s "2007-04-22" \
diff --git a/tests/cert-tests/templates/template-dates-after2038.tmpl b/tests/cert-tests/templates/template-dates-after2038.tmpl
new file mode 100644
index 0000000000..cb173875a3
--- /dev/null
+++ b/tests/cert-tests/templates/template-dates-after2038.tmpl
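Review bot: The 32-bit branch of the new Test 6-2 block only inspects the exit status and never looks at `${TMPFILE}`, so a certtool that rejects the post-2038 dates but has already written a certificate (possibly with wrapped validity times) would still pass; a `test ! -s "${TMPFILE}" || exit 1` inside that branch, before the trailing `rm -f`, would pin down that nothing was emitted. The message in that branch says `32-bit long` while the condition tests `ac_cv_sizeof_time_t` and the parallel Test 5-1 message in the previous hunk says `32-bit time_t`; `echo "Test 6-2 (explicit dates) succeeded unexpectedly with 32-bit time_t"` keeps the two consistent. Both hunks also replace the string comparison `= 8` with the numeric `-lt 8`, which, unlike the old form, is an error (status 2 and a diagnostic on stderr) when `ac_cv_sizeof_time_t` is empty and then silently falls into the 64-bit branch; since the variable is set outside these hunks, presumably from the configure environment, a guard or a comment stating that it must be exported would make the failure mode explicit.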
@@ -0,0 +1,97 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Koko inc."
+
+# The organizational unit of the subject.
+unit = "sleeping dept."
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+state = "Attiki"
+
+# The country of the subject. Two letter code.
+country = GR
+
+# The common name of the certificate owner.
+cn = "Cindy Lauper"
+
+# A user id of the certificate owner.
+uid = "clauper"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+dn_oid = 2.5.4.12 Dr.
+dn_oid = 2.5.4.65 jackal
+
+# This is deprecated and should not be used in new
+# certificates.
+pkcs9_email = "none@none.org"
+
+# The serial number of the certificate
+serial = 7
+
+expiration_date = 2043-05-24 14:29:12
+activation_date = 2039-01-12 11:36:11
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+dns_name = "www.none.org"
+dns_name = "www.morethanone.org"
+
+# An IP address in case of a server.
+ip_address = "192.168.1.1"
+
+dns_name = "www.evenmorethanone.org"
+
+# An email in case of a person
+email = "none@none.org"
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+crl_dist_points = "http://www.getcrl.crl/getcrl/"
+
+email = "where@none.org"
+
+# Whether this is a CA certificate or not
+ca
+
+# Whether this certificate will be used for a TLS client
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server
+#tls_www_server
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites).
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing.
+#encryption_key
+
+# Whether this key will be used to sign other certificates.
+cert_signing_key
+
+# Whether this key will be used to sign CRLs.
+#crl_signing_key
+
+# Whether this key will be used to sign code.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data.
+ocsp_signing_key
+
+# Whether this key will be used for time stamping.
+#time_stamping_key
+
+# Whether this key will be used for IPsec IKE operations.
+#ipsec_ike_key
-- 
cgit v1.2.1