From: Bob Beck
Date: Mon, 6 Oct 2025 11:03:41 +0000 (-0600)
Subject: Bring in boundary test from #28584
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e996ebabd71acf658b946583c05fff5a0ae89e34;p=thirdparty%2Fopenssl.git

Bring in boundary test from #28584

Will add further unit tests for the cert validity check routine

Reviewed-by: Neil Horman
Reviewed-by: Saša Nedvědický
(Merged from https://github.com/openssl/openssl/pull/28623)
---
diff --git a/test/certs/ee-expired2.pem b/test/certs/ee-expired2.pem
new file mode 100644
index 00000000000..5cfffb7b216
--- /dev/null
+++ b/test/certs/ee-expired2.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAeugAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAe
+Fw0yNTA5MTgxNDM3NTdaFw0zNTA5MTYxNDM3NTdaMBkxFzAVBgNVBAMMDnNlcnZl
+ci5leGFtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqP+JWGGF
+rt7bLA/Vc/vit6gbenVgK9R9PHN2ta7eky9/JJBtyRz0ijjNn6KAFlbLtCy7k+UX
+H/8NxkP+MTT4KNh16aO7iILvo3LiU2IFRU3gMZfvqp0Q0lgNngaeMrsbCFZdZQ8/
+Zo7CNqAR/8BZNf1JHN0cQjMGeK4EOCPl53Vn05StWqlAH6xZEPUMwWStSsTGNVOz
+lmqCGxWL0Zmr5J5vlKrSluVX+4yRZIo8JBbG0hm+gmATO2Kw7T4ds8r5a98xuXqe
+S0dopynHP0riIie075Bj1+/Qckk+W625G9Qrb4Zo3dVzErhDydxBD6KjRk+LZ4iE
+D2H+eTQfSokftwIDAQABo2IwYDAdBgNVHQ4EFgQU55viKq2KbDrLdlHljgeYIpfh
+c6IwHwYDVR0jBBgwFoAUtBEz8dfiXvdTniAiEE+GBr8fyV4wCQYDVR0TBAIwADAT
+BgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAJjmrmJHqZDbl
+us5nJ2q9WezBUsOTrzN8lC311cqA6qbAbKoTB0vSFlRtKRJXAdHQsO3QUdeGhjRY
+6PR9d5zSmo6zpBkm4Ee5JXg892rs/8/iWJDYto0CTJ5N+rR9h9xH4yrkcZofYpnK
+8hKJn9xutgBEprwtCNj1TgoNMXXaSECeXwbplzrpejgM6RbDzMxbZ6pKVjtL7XKZ
+fuqOKvgYJue0QwlvXZ9L9fDg+iX6J/1ihj1/5j4wtZxrNF1eINqLdqH7EDdcMoRI
+VdiOz7WszFXO+GZWkO6u/MPap7ruoN8uLdlAX85YGQPt7GIyEfi5ciVT6xhzfKbB
+8r1A6UCdKA==
+-----END CERTIFICATE-----
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index 9619e26a5da..3bee78ec326 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -158,6 +158,7 @@ openssl x509 -in sca-cert.pem -trustout \
 ./mkcert.sh genee server.example ee-key ee-cert ca-key ca-cert
 # ee variants: expired, issuer-key2, issuer-name2, bad-pathlen
 ./mkcert.sh genee server.example ee-key ee-expired ca-key ca-cert -days -1
+./mkcert.sh genee server.example ee-key ee-expired2 ca-key ca-cert -days 3650
 ./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2
 ./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
 ./mkcert.sh genee server.example ee-key ee-pathlen ca-key ca-cert \
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index c61bb59e859..a95e47f5527 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -30,7 +30,7 @@ sub verify {
 run(app([@args]));
 }
 
-plan tests => 206;
+plan tests => 212;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
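Review bot: In test/certs/setup.sh the added `ee-expired2` line sits under the "ee variants: expired, ..." comment, but `-days 3650` issues a certificate that is valid for ten years, so the name says the opposite of what the file is. The recipe 25-test_verify.t in this same commit pins the notBefore/notAfter epoch values of the committed PEM, so re-running this script would presumably issue different dates and leave those boundary checks stale. I would add a comment above the line, for example `# ee-expired2 is NOT expired: 25-test_verify.t pins its notBefore/notAfter for -attime boundary tests; update those values if this cert is regenerated`.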
@@ -596,6 +596,23 @@ ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"],
 "-explicit_policy"),
 "Bad certificate policy");
 
+# Verify Validity Period Boundaries with -attime
+# ee-expired2 Not Before: Sep 18 14:37:57 2025 GMT -- 1758206277
+# Not After: Sep 16 14:37:57 2035 GMT -- 2073566277
+ok(!verify("ee-expired2", "", ["root-cert"], ["ca-cert"], "-attime",
+ "1758206276"), "Certificate invalid at time 1758206276");
+ok(verify("ee-expired2", "", ["root-cert"], ["ca-cert"], "-attime",
+ "1758206277"), "Certificate valid at time 1758206277");
+ok(verify("ee-expired2", "", ["root-cert"], ["ca-cert"], "-attime",
+ "1758206278"), "Certificate valid at time 1758206278");
+ok(verify("ee-expired2", "", ["root-cert"], ["ca-cert"], "-attime",
+ "2073566276"), "Certificate valid at time 2073566276");
+ok(verify("ee-expired2", "", ["root-cert"], ["ca-cert"], "-attime",
+ "2073566277"), "Certificate valid at time 2073566277");
+ok(!verify("ee-expired2", "", ["root-cert"], ["ca-cert"], "-attime",
+ "2073566278"), "Certificate invalid at time 2073566278");
+
+
 # CAstore option
 my $rootcertname = "root-cert";
 my $rootcert = srctop_file(@certspath, "${rootcertname}.pem");
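Review bot: The two `ok(!verify(...))` cases at 1758206276 and 2073566278 assert only a non-zero exit, so they pass on any verification failure rather than specifically on a not-yet-valid or expired leaf. The positive cases one second away narrow this considerably, but nothing pins the reported reason, and since `-attime` applies to the whole chain the 2035 cases also depend on ca-cert and root-cert validity, which this page does not show. If the `verify` helper (defined outside this hunk) can capture output, matching on `certificate is not yet valid` and `certificate has expired` would make the boundary checks fail only for the intended error. Otherwise a comment such as `# negative cases rely on the adjacent +/-1s positive cases to tie the failure to the leaf's validity window` would record the intent.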