author | Stephan Wurm <atomisirsi@gsklan.de> | 2023-08-09 09:07:46 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-04-09 20:13:31 +0200 |
commit | 8120223773d4c707dd43d9cc42a7fcab19609813 (patch) | |
tree | d6ba640c8b11135d9c6f214a507bbcbad744804f /test | |
parent | 4514e02cdfc96589d5e8ab0a08942fafa8e418ae (diff) |
apps: ca,req,x509: Add explicit start and end dates options
- Added options `-not_before` (start date) and `-not_after` (end date)
for explicit setting of the validity period of a certificate in the
apps `ca`, `req` and `x509`
- The new options accept time strings or "today"
- In app `ca`, use the new options as aliases of the already existing
options `-startdate` and `-enddate`
- When used in apps `req` and `x509`, the end date must be >= the start
date; in app `ca`, an end date earlier than the start date is also accepted
- In any case, `-not_after` overrides the `-days` option
- Added helper function `check_cert_time_string` to validate given
certificate time strings
- Use the new helper function in apps `ca`, `req` and `x509`
- Moved redundant code for time string checking into `set_cert_times`
helper function.
- Added tests for explicit start and end dates in apps `req` and `x509`
- test: Added auxiliary functions for parsing fields from `-text`
formatted output to `tconversion.pl`
- CHANGES: Added to new section 3.4
Signed-off-by: Stephan Wurm <atomisirsi@gsklan.de>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21716)
Diffstat (limited to 'test')
-rw-r--r-- | test/recipes/25-test_req.t | 14 | ||||
-rw-r--r-- | test/recipes/25-test_x509.t | 63 | ||||
-rw-r--r-- | test/recipes/tconversion.pl | 42 |
3 files changed, 102 insertions, 17 deletions
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 8c168b50f3..f68f443fe4 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 setup("test_req");
-plan tests => 108;
+plan tests => 109;
 require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
@@ -607,3 +607,15 @@ ok(run(app(["openssl", "req", "-x509", "-new", "-days", "365",
 # Verify cert
 ok(run(app(["openssl", "x509", "-in", "testreq-cert.pem", "-noout", "-text"])),
 "cert verification");
+
+# Generate cert with explicit start and end dates
+my $today = strftime("%Y-%m-%d", localtime);
+my $cert = "self-signed_explicit_date.pem";
+ok(run(app(["openssl", "req", "-x509", "-new", "-text",
+ "-config", srctop_file('test', 'test.cnf'),
+ "-key", srctop_file("test", "testrsa.pem"),
+ "-not_before", "today",
+ "-not_after", "today",
+ "-out", $cert]))
+&& get_not_before_date($cert) eq $today
+&& get_not_after_date($cert) eq $today, "explicit start and end dates");
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index 739ac746ba..f2b818b73c 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 setup("test_x509");
-plan tests => 46;
+plan tests => 51;
 # Prevent MSys2 filename munging for arguments that look like file paths but
 # aren't
@@ -187,20 +187,6 @@ ok(!run(app(["openssl", "x509", "-noout", "-dates", "-dateopt", "invalid_format"
 "-in", srctop_file("test/certs", "ca-cert.pem")])),
 "Run with invalid -dateopt format");
-# extracts issuer from a -text formatted-output
-sub get_issuer {
- my $f = shift(@_);
- my $issuer = "";
- open my $fh, $f or die;
- while (my $line = <$fh>) {
- if ($line =~ /Issuer:/) {
- $issuer = $line;
- }
- }
- close $fh;
- return $issuer;
-}
-
 # Tests for signing certs (broken in 1.1.1o)
 my $a_key = "a-key.pem";
 my $a_cert = "a-cert.pem";
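Review bot: In the `@@ -607,3 +607,15 @@` hunk `$today` is built from `localtime`, but `get_not_before_date`/`get_not_after_date` parse the certificate's GMT timestamps, so if `-not_before today` resolves to the current UTC time the comparison fails for a few hours a day in any non-UTC zone; `my $today = strftime("%Y-%m-%d", gmtime);` would keep both sides in the same zone. The hunk also calls `strftime` without importing it — test_req.t appears to rely on the `use POSIX qw(strftime)` added to the `require_ok`'d tconversion.pl leaking into `main`; an explicit `use POSIX qw(strftime);` in this file would make that dependency visible instead of implicit. Because the three conjuncts are folded into one `ok`, a failure will not say whether the run, the start date or the end date was wrong; at least a `diag` of the two parsed dates on failure would help.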
@@ -224,7 +210,7 @@ ok(run(app(["openssl", "x509", "-in", $a_cert, "-CA", $ca_cert, "-CAkey", $ca_key,
 "-set_serial", "1234567890", "-preserve_dates", "-sha256", "-text", "-out", $a2_cert])));
 # verify issuer is CA
-ok (get_issuer($a2_cert) =~ /CN=ca.example.com/);
+ok(get_issuer($a2_cert) =~ /CN=ca.example.com/);
 my $in_csr = srctop_file('test', 'certs', 'x509-check.csr');
 my $in_key = srctop_file('test', 'certs', 'x509-check-key.pem');
@@ -268,6 +254,51 @@ ok(run(app(["openssl", "x509", "-req", "-text", "-CAcreateserial",
 "-in", $b_csr])));
 ok(-e $ca_serial_dot_in_dir);
+# Tests for explict start and end dates of certificates
+my $today;
+my $enddate;
+$today = strftime("%Y-%m-%d", localtime);
+ok(run(app(["openssl", "x509", "-req", "-text",
+ "-key", $b_key,
+ "-not_before", "20231031000000Z",
+ "-not_after", "today",
+ "-in", $b_csr, "-out", $b_cert]))
+&& get_not_before($b_cert) =~ /Oct 31 00:00:00 2023 GMT/
+&& get_not_after_date($b_cert) eq $today);
+# explicit start and end dates
+ok(run(app(["openssl", "x509", "-req", "-text",
+ "-key", $b_key,
+ "-not_before", "20231031000000Z",
+ "-not_after", "20231231000000Z",
+ "-days", "99",
+ "-in", $b_csr, "-out", $b_cert]))
+&& get_not_before($b_cert) =~ /Oct 31 00:00:00 2023 GMT/
+&& get_not_after($b_cert) =~ /Dec 31 00:00:00 2023 GMT/);
+# start date today and days
+$today = strftime("%Y-%m-%d", localtime);
+$enddate = strftime("%Y-%m-%d", localtime(time + 99 * 24 * 60 * 60));
+ok(run(app(["openssl", "x509", "-req", "-text",
+ "-key", $b_key,
+ "-not_before", "today",
+ "-days", "99",
+ "-in", $b_csr, "-out", $b_cert]))
+&& get_not_before_date($b_cert) eq $today
+&& get_not_after_date($b_cert) eq $enddate);
+# end date before start date
+ok(!run(app(["openssl", "x509", "-req", "-text",
+ "-key", $b_key,
+ "-not_before", "today",
+ "-not_after", "20231031000000Z",
+ "-in", $b_csr, "-out", $b_cert])));
+# default days option
+$today = strftime("%Y-%m-%d", localtime);
+$enddate = strftime("%Y-%m-%d", localtime(time + 30 * 24 * 60 * 60));
+ok(run(app(["openssl", "x509", "-req", "-text",
+ "-key", $b_key,
+ "-in", $b_csr, "-out", $b_cert]))
+&& get_not_before_date($b_cert) eq $today
+&& get_not_after_date($b_cert) eq $enddate);
+
 SKIP: {
 skip "EC is not supported by this OpenSSL build", 1 if disabled("ec");
diff --git a/test/recipes/tconversion.pl b/test/recipes/tconversion.pl
index 6f10758f29..a2548eca7d 100644
--- a/test/recipes/tconversion.pl
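Review bot: None of the five `ok(...)` calls added after `ok(-e $ca_serial_dot_in_dir);` carries a test description, so a failure reports only a bare test number; each should end with a name such as `"explicit start date, end date today"`, `"explicit dates override -days"`, `"start date today plus -days"`, `"end date before start date is rejected"` and `"default -days"`. The `$today`/`$enddate` values come from `localtime` while the dates they are compared with are parsed from the certificate's GMT timestamps, which makes the three date-equality checks time-zone dependent near local midnight, and `localtime(time + 99 * 24 * 60 * 60)` can additionally shift across a DST change; `gmtime` in both places avoids this, assuming the app computes `today` and `-days` in UTC. The comment `# Tests for explict start and end dates of certificates` has a typo in "explict".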
+++ b/test/recipes/tconversion.pl
@@ -13,6 +13,8 @@ use warnings;
 use File::Compare qw/compare_text/;
 use File::Copy;
 use OpenSSL::Test qw/:DEFAULT/;
+use Time::Piece;
+use POSIX qw(strftime);
 my %conversionforms = (
 # Default conversion forms. Other series may be added with
@@ -176,4 +178,44 @@ sub cert_ext_has_n_different_lines {
 # not unlinking $out
 }
+# extracts string value of certificate field from a -text formatted-output
+sub get_field {
+ my ($f, $field) = @_;
+ my $string = "";
+ open my $fh, $f or die;
+ while (my $line = <$fh>) {
+ if ($line =~ /$field:\s+(.*)/) {
+ $string = $1;
+ }
+ }
+ close $fh;
+ return $string;
+}
+
+sub get_issuer {
+ return get_field(@_, "Issuer");
+}
+
+sub get_not_before {
+ return get_field(@_, "Not Before");
+}
+
+# Date as yyyy-mm-dd
+sub get_not_before_date {
+ return Time::Piece->strptime(
+ get_not_before(@_),
+ "%b %d %T %Y %Z")->date;
+}
+
+sub get_not_after {
+ return get_field(@_, "Not After ");
+}
+
+# Date as yyyy-mm-dd
+sub get_not_after_date {
+ return Time::Piece->strptime(
+ get_not_after(@_),
+ "%b %d %T %Y %Z")->date;
+}
+
 1; |
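Review bot: `get_field` opens the certificate with the two-argument form `open my $fh, $f or die;`, which lets a file name beginning with `<`, `>` or `|` (or ending in `|`) be read as a mode or a pipe and dies with no message on failure; use `open my $fh, '<', $f or die "open $f: $!";` (the deleted `get_issuer` had the same form, but this is the copy that survives). `$field` is interpolated into the regex unescaped, so a field name containing metacharacters would change the match; `/\Q$field\E:\s+(.*)/` keeps it literal, and a comment explaining that the trailing space in `"Not After "` is there because the `-text` output prints `Not After :` would save the next reader a puzzle. The wrappers call `get_field(@_, "Issuer")`, which places the field name after however many arguments the caller happened to pass; `my ($f) = @_; return get_field($f, "Issuer");` makes the one-file contract explicit.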