tests: use a fixed SystemTime for certificate validation

Fixing the `SystemTime` that we pass to the certificate verifier for the real world and mock verification tests will ensure that the tests don't start to fail just because the vendored certificates have expired.
rustls · Jan 3, 2024 · 06f8735 · 06f8735
1 parent 3bf8828
commit 06f8735
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 4 deletions.
diff --git a/rustls-platform-verifier/src/lib.rs b/rustls-platform-verifier/src/lib.rs
@@ -4,6 +4,7 @@
 
 use rustls::ClientConfig;
 use std::sync::Arc;
+use std::time::{Duration, SystemTime};
 
 mod verification;
 pub use verification::Verifier;
@@ -71,3 +72,12 @@ pub fn tls_config() -> ClientConfig {
 pub fn verifier_for_dbg(root: &[u8]) -> Arc<dyn rustls::client::ServerCertVerifier> {
     Arc::new(Verifier::new_with_fake_root(root))
 }
+
+/// Return a fixed [SystemTime] for certificate validation purposes.
+///
+/// We fix the "now" value used for certificate validation to a fixed point in time at which
+/// we know the test certificates are valid. This must be updated if the test certificates
+/// are regenerated.
+pub fn verification_time() -> SystemTime {
+    SystemTime::UNIX_EPOCH + Duration::from_secs(1_704_304_988)
+}
diff --git a/rustls-platform-verifier/src/tests/verification_mock/mod.rs b/rustls-platform-verifier/src/tests/verification_mock/mod.rs
@@ -23,6 +23,7 @@
 use super::TestCase;
 use crate::tests::assert_cert_error_eq;
 use crate::verification::{EkuError, Verifier};
+use crate::verification_time;
 use rustls::{client::ServerCertVerifier, CertificateError, Error as TlsError};
 use std::convert::TryFrom;
 use std::net::IpAddr;
@@ -95,7 +96,7 @@ pub(super) fn verification_without_mock_root() {
         &server_name,
         &mut std::iter::empty(),
         &[],
-        std::time::SystemTime::now(),
+        verification_time(),
     );
 
     assert_eq!(
@@ -289,7 +290,7 @@ fn test_with_mock_root<E: std::error::Error + PartialEq + 'static>(test_case: &T
         &server_name,
         &mut std::iter::empty(),
         test_case.stapled_ocsp.unwrap_or(&[]),
-        std::time::SystemTime::now(),
+        verification_time(),
     );
 
     assert_cert_error_eq(

diff --git a/rustls-platform-verifier/src/tests/verification_real_world/mod.rs b/rustls-platform-verifier/src/tests/verification_real_world/mod.rs
@@ -42,7 +42,7 @@
 //! Thus we don't expect these tests to be flaky w.r.t. that, except for
 //! potentially poor performance.     
 use super::TestCase;
-use crate::{tests::assert_cert_error_eq, Verifier};
+use crate::{tests::assert_cert_error_eq, verification_time, Verifier};
 use rustls::{client::ServerCertVerifier, CertificateError, Error as TlsError};
 use std::convert::TryFrom;
 
@@ -145,7 +145,7 @@ fn real_world_test<E: std::error::Error>(test_case: &TestCase<E>) {
             &server_name,
             &mut std::iter::empty(),
             stapled_ocsp,
-            std::time::SystemTime::now(),
+            verification_time(),
         )
         .map(|_| ());