diff options
author | Daiki Ueno <ueno@gnu.org> | 2020-12-28 16:16:53 +0100 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2021-01-26 11:01:09 +0100 |
commit | 40203390a48b8fa01d72c6a9739d963cf24556b8 (patch) | |
tree | e2b5234a263dc7066c7fc8df3a7914fca2b5c35f | |
parent | c2e39386e5df376620264b820fde2994b12d035d (diff) | |
download | gnutls-40203390a48b8fa01d72c6a9739d963cf24556b8.tar.gz |
testpkcs11: use datefudge to trick certificate expiry
The certificates stored in tests/testpkcs11-certs expired on
2020-12-13. To avoid verification failure due to that, use datefudge
to set custom date when calling gnutls-cli, gnutls-serv, and certtool.
Based on the patch by Andreas Metzler:
https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121
Signed-off-by: Daiki Ueno <ueno@gnu.org>
-rw-r--r-- | tests/scripts/common.sh | 5 | ||||
-rwxr-xr-x | tests/testpkcs11.sh | 12 |
2 files changed, 16 insertions, 1 deletions
diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh index 6ae19fa586..69b5fd612a 100644 --- a/tests/scripts/common.sh +++ b/tests/scripts/common.sh @@ -187,6 +187,11 @@ launch_bare_server() { ${SERV} $* >${LOGFILE-/dev/null} & } +launch_bare_server2() { + wait_for_free_port "$PORT" + "$@" >${LOGFILE-/dev/null} & +} + wait_server() { local PID=$1 trap "test -n \"${PID}\" && kill ${PID};exit 1" 1 15 2 diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh index 9458af2381..3d74bfea66 100755 --- a/tests/testpkcs11.sh +++ b/tests/testpkcs11.sh @@ -67,6 +67,8 @@ have_ed25519=0 P11TOOL="${VALGRIND} ${P11TOOL} --batch" SERV="${SERV} -q" +TESTDATE=2020-12-01 + . ${srcdir}/scripts/common.sh rm -f "${LOGFILE}" @@ -79,6 +81,8 @@ exit_error () { exit 1 } +skip_if_no_datefudge + # $1: token # $2: PIN # $3: filename @@ -523,6 +527,7 @@ write_certificate_test () { pubkey="$5" echo -n "* Generating client certificate... " + datefudge -s "$TESTDATE" \ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \ --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1 @@ -900,7 +905,9 @@ use_certificate_test () { echo -n "* Using PKCS #11 with gnutls-cli (${txt})... " # start server eval "${GETPORT}" - launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \ + launch_bare_server2 datefudge -s "$TESTDATE" \ + $VALGRIND $SERV $DEBUG -p "$PORT" \ + ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \ --x509keyfile="$keyfile" --x509cafile="${cafile}" \ --verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1 @@ -908,13 +915,16 @@ use_certificate_test () { wait_server ${PID} # connect to server using SC + datefudge -s "$TESTDATE" \ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \ fail ${PID} "Connection should have failed!" + datefudge -s "$TESTDATE" \ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \ --x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \ fail ${PID} "Connection (with files) should have succeeded!" + datefudge -s "$TESTDATE" \ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \ --x509keyfile="${token};object=gnutls-client;object-type=private" \ --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \ |