Bring in boundary test from #28584
authorBob Beck <beck@openssl.org>
Mon, 6 Oct 2025 11:03:41 +0000 (05:03 -0600)
committerNeil Horman <nhorman@openssl.org>
Thu, 16 Oct 2025 13:23:46 +0000 (09:23 -0400)
Will add further unit tests for the cert validity check routine

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28623)

test/certs/ee-expired2.pem [new file with mode: 0644]
test/certs/setup.sh
test/recipes/25-test_verify.t

diff --git a/test/certs/ee-expired2.pem b/test/certs/ee-expired2.pem
new file mode 100644 (file)
index 0000000..5cfffb7
--- /dev/null
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
index 9619e26a5da6d865eb8356ac6ac7846dda8ea551..3bee78ec3261e9cea1ac8a82f660bd6efd640d25 100755 (executable)
@@ -158,6 +158,7 @@ openssl x509 -in sca-cert.pem -trustout \
 ./mkcert.sh genee server.example ee-key ee-cert ca-key ca-cert
 # ee variants: expired, issuer-key2, issuer-name2, bad-pathlen
 ./mkcert.sh genee server.example ee-key ee-expired ca-key ca-cert -days -1
+./mkcert.sh genee server.example ee-key ee-expired2 ca-key ca-cert -days 3650
 ./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2
 ./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
 ./mkcert.sh genee server.example ee-key ee-pathlen ca-key ca-cert \
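Review bot: Re-running this script regenerates ee-expired2 with a fresh notBefore/notAfter, while the `-attime` cases added to test/recipes/25-test_verify.t in this commit hard-code the committed certificate's values (1758206277 and 2073566277), so a regenerated PEM would make those boundary tests fail. A comment on the added `genee` line would record the coupling, e.g. `# ee-expired2: 25-test_verify.t hard-codes this cert's notBefore/notAfter; update its -attime values if regenerated`. The name also reads as an expired certificate although `-days 3650` makes it valid for ten years, and the `# ee variants:` comment above the group does not list it. The last context line is a continued command that ends outside the hunk.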
index c61bb59e8594efe2cb5b16cabaa718c9c7e953ee..a95e47f552720d61ffcb905c1a3762d463e32d7e 100644 (file)
@@ -30,7 +30,7 @@ sub verify {
     run(app([@args]));
 }
 
-plan tests => 206;
+plan tests => 212;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -596,6 +596,23 @@ ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"],
            "-explicit_policy"),
    "Bad certificate policy");
 
+# Verify Validity Period Boundaries with -attime
+# ee-expired2 Not Before: Sep 18 14:37:57 2025 GMT -- 1758206277
+#              Not After: Sep 16 14:37:57 2035 GMT -- 2073566277
+ok(!verify("ee-expired2", "", ["root-cert"], ["ca-cert"], "-attime",
+           "1758206276"), "Certificate invalid at time 1758206276");
+ok(verify("ee-expired2", "", ["root-cert"], ["ca-cert"], "-attime",
+          "1758206277"), "Certificate valid at time 1758206277");
+ok(verify("ee-expired2", "", ["root-cert"], ["ca-cert"], "-attime",
+          "1758206278"), "Certificate valid at time 1758206278");
+ok(verify("ee-expired2", "", ["root-cert"], ["ca-cert"], "-attime",
+          "2073566276"), "Certificate valid at time 2073566276");
+ok(verify("ee-expired2", "", ["root-cert"], ["ca-cert"], "-attime",
+          "2073566277"), "Certificate valid at time 2073566277");
+ok(!verify("ee-expired2", "", ["root-cert"], ["ca-cert"], "-attime",
+           "2073566278"), "Certificate invalid at time 2073566278");
+
+
 # CAstore option
 my $rootcertname = "root-cert";
 my $rootcert = srctop_file(@certspath, "${rootcertname}.pem");
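Review bot: The two `ok(!verify(...))` cases at 1758206276 and 2073566278 pass on any verification failure, so on their own they do not show that the rejection came from the validity period rather than from a chain or file problem. The passing cases at the exact boundaries and one second inside them are what tie the failures to notBefore/notAfter. That dependency is worth stating above the block, for example `# The !verify cases accept any failure; the passing cases at and just inside each bound pin the cause to the validity period.` If the harness can expose the verify error output, matching the not-yet-valid and expired errors would make the two negative cases self-contained. The hunk also leaves two consecutive blank lines before `# CAstore option`.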