From 06f8735fb9f6263f16bd2ca03efe4f296f2fb1c6 Mon Sep 17 00:00:00 2001 From: Daniel McCarney Date: Wed, 3 Jan 2024 13:06:34 -0500 Subject: [PATCH] tests: use a fixed SystemTime for certificate validation Fixing the `SystemTime` that we pass to the certificate verifier for the real world and mock verification tests will ensure that the tests don't start to fail just because the vendored certificates have expired. --- rustls-platform-verifier/src/lib.rs | 10 ++++++++++ .../src/tests/verification_mock/mod.rs | 5 +++-- .../src/tests/verification_real_world/mod.rs | 4 ++-- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/rustls-platform-verifier/src/lib.rs b/rustls-platform-verifier/src/lib.rs index 42d890f5..06e12369 100644 --- a/rustls-platform-verifier/src/lib.rs +++ b/rustls-platform-verifier/src/lib.rs @@ -4,6 +4,7 @@ use rustls::ClientConfig; use std::sync::Arc; +use std::time::{Duration, SystemTime}; mod verification; pub use verification::Verifier; @@ -71,3 +72,12 @@ pub fn tls_config() -> ClientConfig { pub fn verifier_for_dbg(root: &[u8]) -> Arc { Arc::new(Verifier::new_with_fake_root(root)) } + +/// Return a fixed [SystemTime] for certificate validation purposes. +/// +/// We fix the "now" value used for certificate validation to a fixed point in time at which +/// we know the test certificates are valid. This must be updated if the test certificates +/// are regenerated. +pub fn verification_time() -> SystemTime { + SystemTime::UNIX_EPOCH + Duration::from_secs(1_704_304_988) +} diff --git a/rustls-platform-verifier/src/tests/verification_mock/mod.rs b/rustls-platform-verifier/src/tests/verification_mock/mod.rs index 9f0748eb..baeff659 100644 --- a/rustls-platform-verifier/src/tests/verification_mock/mod.rs +++ b/rustls-platform-verifier/src/tests/verification_mock/mod.rs @@ -23,6 +23,7 @@ use super::TestCase; use crate::tests::assert_cert_error_eq; use crate::verification::{EkuError, Verifier}; +use crate::verification_time; use rustls::{client::ServerCertVerifier, CertificateError, Error as TlsError}; use std::convert::TryFrom; use std::net::IpAddr; @@ -95,7 +96,7 @@ pub(super) fn verification_without_mock_root() { &server_name, &mut std::iter::empty(), &[], - std::time::SystemTime::now(), + verification_time(), ); assert_eq!( @@ -289,7 +290,7 @@ fn test_with_mock_root(test_case: &T &server_name, &mut std::iter::empty(), test_case.stapled_ocsp.unwrap_or(&[]), - std::time::SystemTime::now(), + verification_time(), ); assert_cert_error_eq( diff --git a/rustls-platform-verifier/src/tests/verification_real_world/mod.rs b/rustls-platform-verifier/src/tests/verification_real_world/mod.rs index 964d2242..4f0ec288 100644 --- a/rustls-platform-verifier/src/tests/verification_real_world/mod.rs +++ b/rustls-platform-verifier/src/tests/verification_real_world/mod.rs @@ -42,7 +42,7 @@ //! Thus we don't expect these tests to be flaky w.r.t. that, except for //! potentially poor performance. use super::TestCase; -use crate::{tests::assert_cert_error_eq, Verifier}; +use crate::{tests::assert_cert_error_eq, verification_time, Verifier}; use rustls::{client::ServerCertVerifier, CertificateError, Error as TlsError}; use std::convert::TryFrom; @@ -145,7 +145,7 @@ fn real_world_test(test_case: &TestCase) { &server_name, &mut std::iter::empty(), stapled_ocsp, - std::time::SystemTime::now(), + verification_time(), ) .map(|_| ());