tests: allow running specific chainverify tests on fixed dates
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 9 Oct 2014 10:34:46 +0000 (12:34 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 9 Oct 2014 10:39:24 +0000 (12:39 +0200)
tests/chainverify.c
tests/suite/pkcs11-chainverify.c
tests/test-chains.h

index 85cf6907305ce60ae03c3fdd1201948d38dca232..1630d32d2fbc57d18e01b595d43f822507e4cace 100644 (file)
 #include "utils.h"
 #include "test-chains.h"
 
+#define DEFAULT_THEN 1256803113
+static time_t then = DEFAULT_THEN;
+
 /* GnuTLS internally calls time() to find out the current time when
    verifying certificates.  To avoid a time bomb, we hard code the
    current time.  This should work fine on systems where the library
    call to time is resolved at run-time.  */
 static time_t mytime(time_t * t)
 {
-       time_t then = 1256803113;
-
        if (t)
                *t = then;
 
@@ -156,6 +157,11 @@ void doit(void)
                if (debug)
                        printf("\tVerifying...");
 
+               if (chains[i].expected_time != 0)
+                       then = chains[i].expected_time;
+               else
+                       then = DEFAULT_THEN;
+
                if (chains[i].purpose == NULL) {
                        ret = gnutls_x509_crt_list_verify(certs, j,
                                                          &ca, 1, NULL, 0,
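Review bot: The comment above mytime() (lines 18–21) still describes the time as hard-coded, but `then` is now a file-scope variable that doit() rewrites for every chain, so the comment should say where the value comes from, e.g. append `The value of `then` is taken from chains[i].expected_time, or DEFAULT_THEN when that field is 0.`. The DEFAULT_THEN macro, the `then` variable and the if/else selection are duplicated verbatim in tests/suite/pkcs11-chainverify.c; both drivers include test-chains.h, so the constant and a one-line selection helper could live there and the two drivers could not drift apart. Note also that `then` is assigned only right before gnutls_x509_crt_list_verify(); anything in the same loop iteration that consults time before that point (the loop body begins outside the hunk) still sees the previous chain's date.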
index 50c7de6cfe3b80095087ee587e5cc6c0e315b1f2..43493b8efc6f42c5437defd44cc36ad49266c952 100644 (file)
 #define URL "pkcs11:model=SoftHSM;manufacturer=SoftHSM;serial=1;token=test"
 #define CONFIG "softhsm.config"
 
+#define DEFAULT_THEN 1256803113
+static time_t then = DEFAULT_THEN;
+
 /* GnuTLS internally calls time() to find out the current time when
    verifying certificates.  To avoid a time bomb, we hard code the
    current time.  This should work fine on systems where the library
    call to time is resolved at run-time.  */
 static time_t mytime(time_t * t)
 {
-       time_t then = 1256803113;
-
        if (t)
                *t = then;
 
@@ -282,6 +283,11 @@ void doit(void)
                vdata[0].type = GNUTLS_DT_KEY_PURPOSE_OID;
                vdata[0].data = (void *)chains[i].purpose;
 
+               if (chains[i].expected_time != 0)
+                       then = chains[i].expected_time;
+               else
+                       then = DEFAULT_THEN;
+
                /* make sure that the two functions don't diverge */
                ret = gnutls_x509_trust_list_verify_crt2(tl, certs, j,
                                                vdata,
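Review bot: `then` is assigned immediately before the gnutls_x509_trust_list_verify_crt2() call, while the comment "make sure that the two functions don't diverge" suggests a companion verification call earlier in the same iteration; if that call precedes this assignment (the loop body begins outside the hunk), it runs against the previous chain's date, or the default, and the two results can legitimately differ on time-sensitive chains such as CVE-2014-0092, defeating the divergence check. Moving the three `then` lines to the top of the iteration, before the first verification call, removes that ordering dependency. A short comment such as `/* verification time for this chain; mytime() returns it */` next to the assignment would also make the link to mytime() visible.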
index fd6c5651523cbd585acd8ab109455eb6d7180ea4..f6dc8168649fcb2707bd92186188f3fb1449f588 100644 (file)
@@ -1738,11 +1738,12 @@ static struct
   unsigned int verify_flags;
   unsigned int expected_verify_result;
   const char *purpose;
+  time_t expected_time;
 } chains[] =
 {
   { "CVE-2014-0092", cve_2014_0092_check, &cve_2014_0092_check[1],
     0,
-    GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_NOT_ACTIVATED | GNUTLS_CERT_INVALID, NULL},
+    GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID, NULL, 1412850586},
   { "CVE-2008-4989", cve_2008_4989_chain, &cve_2008_4989_chain[2],
     0,
     GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID, NULL},
@@ -1836,15 +1837,15 @@ static struct
        GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL},
   { "ecc cert not ok (due to profile)", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB192), 
        GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL},
-  { "name constraints chain ok1", nc_good1, &nc_good1[4], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0, NULL},
-  { "name constraints chain bad1", nc_bad1, &nc_bad1[2], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL},
-  { "name constraints chain bad2", nc_bad2, &nc_bad2[4], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL},
-  { "name constraints chain bad3", nc_bad3, &nc_bad3[2], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL},
-  { "modified", modified1, &modified1[3], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNATURE_FAILURE, NULL},
-  { "not-modified", modified2, &modified2[3], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0, NULL},
-  { "kp-interm", kp_fail1, &kp_fail1[3], GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE|GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_PURPOSE_MISMATCH, GNUTLS_KP_TLS_WWW_SERVER},
-  { "kp-fin", kp_fail2, &kp_fail2[3], GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE|GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_PURPOSE_MISMATCH, GNUTLS_KP_TLS_WWW_SERVER},
-  { "kp-ok", kp_ok, &kp_ok[3], GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE|GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0, GNUTLS_KP_OCSP_SIGNING},
+  { "name constraints chain ok1", nc_good1, &nc_good1[4], 0, 0, NULL, 1412850586},
+  { "name constraints chain bad1", nc_bad1, &nc_bad1[2], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586},
+  { "name constraints chain bad2", nc_bad2, &nc_bad2[4], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586},
+  { "name constraints chain bad3", nc_bad3, &nc_bad3[2], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586},
+  { "modified", modified1, &modified1[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNATURE_FAILURE, NULL, 1412850586},
+  { "not-modified", modified2, &modified2[3], 0, 0, NULL, 1412850586},
+  { "kp-interm", kp_fail1, &kp_fail1[3], GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE, GNUTLS_CERT_INVALID | GNUTLS_CERT_PURPOSE_MISMATCH, GNUTLS_KP_TLS_WWW_SERVER, 1412850586},
+  { "kp-fin", kp_fail2, &kp_fail2[3], GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE, GNUTLS_CERT_INVALID | GNUTLS_CERT_PURPOSE_MISMATCH, GNUTLS_KP_TLS_WWW_SERVER, 1412850586},
+  { "kp-ok", kp_ok, &kp_ok[3], GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE, 0, GNUTLS_KP_OCSP_SIGNING, 1412850586},
   { NULL, NULL, NULL, 0, 0}
 };
 /* *INDENT-ON* */
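Review bot: The new `expected_time` member on line 76 carries no comment, and the table relies on 0 meaning "use the driver's default date", which cannot be seen from the header; `time_t expected_time; /* verification time for this chain; 0 = test driver's default */` would document the sentinel. The literal 1412850586 is repeated as a bare number in ten entries; defining it once under a descriptive name (a constructed example: `FIXED_TIME_2014`) records what date it is and keeps the entries aligned if it ever has to change. Since the entries are initialised positionally and now have seven fields, `.expected_time = ...` designated initialisation would make the CVE-2014-0092 entry, whose expected flags also changed, easier to read.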