test long validity period

Author: cstkingkey

rustls-platform-verifier/src/tests/verification_mock/ca.go

@@ -69,7 +69,7 @@ func doIt() error {
 
 	var err error = nil
 
-	root1_key, err := generateRoot("root1", now, "", true)
+	root1_key, err := generateRoot("root1", now, "", true, 365)
 	if err != nil {
 		return err
 	}
@@ -96,12 +96,17 @@ func doIt() error {
 		}
 	}
 
-	_, err = generateRoot("root2", now, "example.com", true)
+	_, err = generateRoot("root2", now, "example.com", true, 365)
 	if err != nil {
 		return err
 	}
 
-	_, err = generateRoot("root3", now, "example.com", false)
+	_, err = generateRoot("root3", now, "example.com", false, 365)
+	if err != nil {
+		return err
+	}
+
+	_, err = generateRoot("root4", now, "example.com", false, 400)
 	if err != nil {
 		return err
 	}
@@ -220,7 +225,7 @@ func generateInt(intName string, serial int64, now time.Time, caKey crypto.Signe
 	return intKey, nil
 }
 
-func generateRoot(name string, now time.Time, commonName string, IsCA bool) (crypto.Signer, error) {
+func generateRoot(name string, now time.Time, commonName string, IsCA bool, validDays int64) (crypto.Signer, error) {
 	caKey, err := generateKey()
 	if err != nil {
 		return nil, err
@@ -232,7 +237,7 @@ func generateRoot(name string, now time.Time, commonName string, IsCA bool) (cry
 			Organization: []string{name},
 		},
 		NotBefore:             now.Add(-OneDay),
-		NotAfter:              now.Add(OneYear),
+		NotAfter:              now.Add(time.Duration(validDays) * 24 * time.Hour),
 		IsCA:                  IsCA,
 		KeyUsage:              x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,

rustls-platform-verifier/src/tests/verification_mock/mod.rs

@@ -95,6 +95,10 @@ const ROOT2: CertificateDer = CertificateDer::from_slice(include_bytes!("root2.c
 #[cfg(not(target_os = "android"))]
 const ROOT3: CertificateDer = CertificateDer::from_slice(include_bytes!("root3.crt"));
 
+#[cfg_attr(feature = "ffi-testing", allow(unused))]
+#[cfg(not(target_os = "android"))]
+const ROOT4: CertificateDer = CertificateDer::from_slice(include_bytes!("root4.crt"));
+
 const EXAMPLE_COM: &str = "example.com";
 const LOCALHOST_IPV4: &str = "127.0.0.1";
 const LOCALHOST_IPV6: &str = "::1";
@@ -154,7 +158,12 @@ fn test_selfsigned_cert_with_extra_roots() {
 
     let selfsigned = ROOT2;
     let selfsigned_as_leaf = ROOT3;
-    let roots = vec![selfsigned.clone(), selfsigned_as_leaf.clone()];
+    let selfsigned_as_leaf_long_validity = ROOT4;
+    let roots = vec![
+        selfsigned.clone(),
+        selfsigned_as_leaf.clone(),
+        selfsigned_as_leaf_long_validity.clone(),
+    ];
     let server_name = pki_types::ServerName::try_from(EXAMPLE_COM).unwrap();
 
     let verifier = Verifier::new_with_extra_roots(roots, crypto_provider).unwrap();
@@ -193,6 +202,26 @@ fn test_selfsigned_cert_with_extra_roots() {
         result.is_err(),
         "self-signed leaf certificate is accepted unexpectly"
     );
+
+    let result = verifier.verify_server_cert(
+        &selfsigned_as_leaf_long_validity,
+        &[],
+        &server_name,
+        &[],
+        verification_time(),
+    );
+
+    #[cfg(target_vendor = "apple")]
+    assert!(
+        result.is_err(),
+        "self-signed leaf certificate with long validity period is accepted unexpectly"
+    );
+
+    #[cfg(not(target_vendor = "apple"))]
+    assert!(
+        result.is_ok(),
+        "failed to validate self-signed leaf certificate with long validity period"
+    );
 }
 
 #[cfg(not(target_os = "android"))]