From 40203390a48b8fa01d72c6a9739d963cf24556b8 Mon Sep 17 00:00:00 2001

From: Daiki Ueno <ueno@gnu.org>

Date: Mon, 28 Dec 2020 16:16:53 +0100

Subject: [PATCH 2/2] testpkcs11: use datefudge to trick certificate expiry

The certificates stored in tests/testpkcs11-certs expired on

2020-12-13.  To avoid verification failure due to that, use datefudge

to set custom date when calling gnutls-cli, gnutls-serv, and certtool.

Based on the patch by Andreas Metzler:

https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121

Signed-off-by: Daiki Ueno <ueno@gnu.org>

---

 tests/scripts/common.sh |  5 +++++

 tests/testpkcs11.sh     | 12 +++++++++++-

 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh

index 6ae19fa58..69b5fd612 100644

--- a/tests/scripts/common.sh

+++ b/tests/scripts/common.sh

@@ -187,6 +187,11 @@ launch_bare_server() {

 	${SERV} $* >${LOGFILE-/dev/null} &

 }

+launch_bare_server2() {

+	wait_for_free_port "$PORT"

+	"$@" >${LOGFILE-/dev/null} &

+}

+

 wait_server() {

 	local PID=$1

 	trap "test -n \"${PID}\" && kill ${PID};exit 1" 1 15 2

diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh

index 9458af238..3d74bfea6 100755

--- a/tests/testpkcs11.sh

+++ b/tests/testpkcs11.sh

@@ -67,6 +67,8 @@ have_ed25519=0

 P11TOOL="${VALGRIND} ${P11TOOL} --batch"

 SERV="${SERV} -q"

+TESTDATE=2020-12-01

+

 . ${srcdir}/scripts/common.sh

 rm -f "${LOGFILE}"

@@ -79,6 +81,8 @@ exit_error () {

 	exit 1

 }

+skip_if_no_datefudge

+

 # $1: token

 # $2: PIN

 # $3: filename

@@ -523,6 +527,7 @@ write_certificate_test () {

 	pubkey="$5"

 	echo -n "* Generating client certificate... "

+	datefudge -s "$TESTDATE" \

 	"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM}  --generate-certificate --load-ca-privkey "${cakey}"  --load-ca-certificate "${cacert}"  \

 	--template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \

 	--load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1

@@ -900,7 +905,9 @@ use_certificate_test () {

 	echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "

 	# start server

 	eval "${GETPORT}"

-	launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \

+	launch_bare_server2 datefudge -s "$TESTDATE" \

+	        $VALGRIND $SERV $DEBUG -p "$PORT" \

+		${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \

 		--x509keyfile="$keyfile" --x509cafile="${cafile}" \

 		--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1

@@ -908,13 +915,16 @@ use_certificate_test () {

 	wait_server ${PID}

 	# connect to server using SC

+	datefudge -s "$TESTDATE" \

 	${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \

 		fail ${PID} "Connection should have failed!"

+	datefudge -s "$TESTDATE" \

 	${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \

 	--x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \

 		fail ${PID} "Connection (with files) should have succeeded!"

+	datefudge -s "$TESTDATE" \

 	${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \

 		--x509keyfile="${token};object=gnutls-client;object-type=private" \

 		--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \

-- 

2.29.2