* ext/openssl/ossl_x509store.c

(ossl_x509stctx_initialize): setup OpenSSL::X509::StoreContext with
  ossl_x509stctx_* functions instead of X509_STORE_CTX_*.
  (ossl_x509store_set_time): add OpenSSL::X509::Store#time=.
  (ossl_x509stctx_set_time): add OpenSSL::X509::StoreContext#time=.

* test/openssl/ossl_x509store.rb: test certificate validity times.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@7040 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,13 @@
+Fri Oct 15 18:07:08 2004  GOTOU Yuuzou  <gotoyuzo@notwork.org>
+
+	* ext/openssl/ossl_x509store.c
+	  (ossl_x509stctx_initialize): setup OpenSSL::X509::StoreContext with
+	  ossl_x509stctx_* functions instead of X509_STORE_CTX_*.
+	  (ossl_x509store_set_time): add OpenSSL::X509::Store#time=.
+	  (ossl_x509stctx_set_time): add OpenSSL::X509::StoreContext#time=.
+
+	* test/openssl/ossl_x509store.rb: test certificate validity times.
+
 Fri Oct 15 18:04:35 2004  Hidetoshi NAGAI  <nagai@ai.kyutech.ac.jp>
 
 	* ext/tk/lib/tk/timer.rb: TkTimer.new(interval, loop){ ... } is

ext/openssl/ossl_x509store.c

@@ -186,6 +186,13 @@ ossl_x509store_set_trust(VALUE self, VALUE trust)
     return trust;
 }
 
+static VALUE 
+ossl_x509store_set_time(VALUE self, VALUE time)
+{
+    rb_iv_set(self, "@time", time);
+    return time;
+}
+
 static VALUE 
 ossl_x509store_add_file(VALUE self, VALUE file)
 {
@@ -329,6 +336,11 @@ ossl_x509stctx_alloc(VALUE klass)
     return obj;
 }
 
+static VALUE ossl_x509stctx_set_flags(VALUE, VALUE);
+static VALUE ossl_x509stctx_set_purpose(VALUE, VALUE);
+static VALUE ossl_x509stctx_set_trust(VALUE, VALUE);
+static VALUE ossl_x509stctx_set_time(VALUE, VALUE);
+
 static VALUE
 ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
 {
@@ -350,10 +362,11 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
     }
 #else
     X509_STORE_CTX_init(ctx, x509st, x509, x509s);
-    X509_STORE_CTX_set_flags(ctx, NUM2INT(rb_iv_get(store, "@flags")));
-    X509_STORE_CTX_set_purpose(ctx, NUM2INT(rb_iv_get(store, "@purpose")));
-    X509_STORE_CTX_set_trust(ctx, NUM2INT(rb_iv_get(store, "@trust")));
+    ossl_x509stctx_set_flags(self, rb_iv_get(store, "@flags"));
+    ossl_x509stctx_set_purpose(self, rb_iv_get(store, "@purpose"));
+    ossl_x509stctx_set_trust(self, rb_iv_get(store, "@trust"));
 #endif
+    ossl_x509stctx_set_time(self, rb_iv_get(store, "@time"));
     rb_iv_set(self, "@verify_callback", rb_iv_get(store, "@verify_callback"));
     rb_iv_set(self, "@cert", cert);
 
@@ -512,6 +525,18 @@ ossl_x509stctx_set_trust(VALUE self, VALUE trust)
     return trust;
 }
 
+static VALUE
+ossl_x509stctx_set_time(VALUE self, VALUE time)
+{
+    X509_STORE_CTX *store;
+
+    GetX509StCtx(self, store);
+    if(NIL_P(time)) store->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
+    else X509_STORE_CTX_set_time(store, 0, NUM2LONG(rb_Integer(time)));
+
+    return time;
+}
+
 /*
  * INIT
  */
@@ -533,6 +558,7 @@ Init_ossl_x509store()
     rb_define_method(cX509Store, "flags=",       ossl_x509store_set_flags, 1);
     rb_define_method(cX509Store, "purpose=",     ossl_x509store_set_purpose, 1);
     rb_define_method(cX509Store, "trust=",       ossl_x509store_set_trust, 1);
+    rb_define_method(cX509Store, "time=",        ossl_x509store_set_time, 1);
     rb_define_method(cX509Store, "add_path",     ossl_x509store_add_path, 1);
     rb_define_method(cX509Store, "add_file",     ossl_x509store_add_file, 1);
     rb_define_method(cX509Store, "add_cert",     ossl_x509store_add_cert, 1);
@@ -555,5 +581,6 @@ Init_ossl_x509store()
     rb_define_method(x509stctx,"flags=",      ossl_x509stctx_set_flags, 1);
     rb_define_method(x509stctx,"purpose=",    ossl_x509stctx_set_purpose, 1);
     rb_define_method(x509stctx,"trust=",      ossl_x509stctx_set_trust, 1);
+    rb_define_method(x509stctx,"time=",       ossl_x509stctx_set_time, 1);
 
 }

test/openssl/test_x509store.rb

@@ -49,6 +49,8 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase
                           ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
     ee3_cert = issue_cert(@ee2, @dsa512, 30, now-100, now-1, ee_exts,
                           ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
+    ee4_cert = issue_cert(@ee2, @dsa512, 40, now+1000, now+2000, ee_exts,
+                          ca2_cert, @rsa1024, OpenSSL::Digest::SHA1.new)
 
     revoke_info = []
     crl1   = issue_crl(revoke_info, 1, now, now+1800, [],
@@ -106,6 +108,36 @@ class OpenSSL::TestX509Store < Test::Unit::TestCase
     assert_equal(@ca1.to_der, chain[2].subject.to_der)
     assert_equal(false, store.verify(ee3_cert))
     assert_match(/expire/i, store.error_string)
+    assert_equal(false, store.verify(ee4_cert))
+    assert_match(/not yet valid/i, store.error_string)
+
+    store = OpenSSL::X509::Store.new
+    store.add_cert(ca1_cert)
+    store.add_cert(ca2_cert)
+    store.time = now + 1500
+    assert_equal(true, store.verify(ca1_cert))
+    assert_equal(true, store.verify(ca2_cert))
+    assert_equal(true, store.verify(ee4_cert))
+    store.time = now + 1900
+    assert_equal(true, store.verify(ca1_cert))
+    assert_equal(false, store.verify(ca2_cert))
+    assert_match(/expire/i, store.error_string)
+    assert_equal(false, store.verify(ee4_cert))
+    assert_match(/expire/i, store.error_string)
+    store.time = now + 4000
+    assert_equal(false, store.verify(ee1_cert))
+    assert_match(/expire/i, store.error_string)
+    assert_equal(false, store.verify(ee4_cert))
+    assert_match(/expire/i, store.error_string)
+
+    # the underlying X509 struct caches the result of the last
+    # verification for signature and not-before. so the following code
+    # rebuilds new objects to avoid site effect.
+    store.time = Time.now - 4000
+    assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ca2_cert)))
+    assert_match(/not yet valid/i, store.error_string)
+    assert_equal(false, store.verify(OpenSSL::X509::Certificate.new(ee1_cert)))
+    assert_match(/not yet valid/i, store.error_string)
 
     return unless defined?(OpenSSL::X509::V_FLAG_CRL_CHECK)