

test(generate_test_certs): update validity period
Update the validity period of the test certificates generated by
`generate_test_certs`:

  - Root CA certs are valid for 10 years.
  - CA certs that are subordinate to the Root CA are valid for 5 years.
  - CA certs that are 2nd-level subordinate to the Root CA are valid
    for 2 years.
  - End-entity certs (e.g. the one used for TLS connections)
    are valid for 13 months.
aloisklink committed Jun 16, 2023
1 parent 582fb6f commit a7598b9
Showing 1 changed file with 46 additions and 35 deletions.
81 changes: 46 additions & 35 deletions tests/voucher/generate_test_certs.c
Expand Up @@ -19,6 +19,17 @@
#include "voucher/crypto.h"
#include "voucher/keyvalue.h"

const long SECONDS_IN_YEAR = 10 * 60 * 60 * 24 * 365;

// Default Root CA certificate "Not After" validity offset
const long CA_NOT_AFTER = 10 * SECONDS_IN_YEAR;
// Default Subordinate 1 CA certificate "Not After" validity offset
const long CA1_NOT_AFTER = 5 * SECONDS_IN_YEAR;
// Default Subordinate 2 CA certificate "Not After" validity offset
const long CA2_NOT_AFTER = 2 * SECONDS_IN_YEAR;
// Default end-entity certificate "Not After" validity offset
const long END_ENTITY_NOT_AFTER = 13 * SECONDS_IN_YEAR / 12; // 13 months

struct context {
/** The folder to store the certs and keys in */
const char *output_dir;
Expand Down Expand Up @@ -143,7 +154,7 @@ static void generate_ldevid_ca_cert(void **state) {

struct crypto_cert_meta ldevid_ca_meta = {.serial_number = 1,
.not_before = 0,
.not_after = 1234567,
.not_after = CA_NOT_AFTER,
.issuer = NULL,
.subject = NULL,
.basic_constraints =
Expand Down Expand Up @@ -177,7 +188,7 @@ static void generate_masa_tls_certs(void **state) {

struct crypto_cert_meta masa_tls_ca_meta = {.serial_number = 1,
.not_before = 0,
.not_after = 1234567,
.not_after = CA_NOT_AFTER,
.issuer = NULL,
.subject = NULL,
.basic_constraints =
Expand Down Expand Up @@ -205,7 +216,7 @@ static void generate_masa_tls_certs(void **state) {
{
struct crypto_cert_meta masa_tls_meta = {.serial_number = 12345,
.not_before = 0,
.not_after = 1234567,
.not_after = END_ENTITY_NOT_AFTER,
.issuer = NULL,
.subject = NULL,
.basic_constraints = "CA:false"};
Expand Down Expand Up @@ -249,7 +260,7 @@ static void generate_registrar_tls_certs(void **state) {

struct crypto_cert_meta registrar_tls_ca_meta = {.serial_number = 1,
.not_before = 0,
.not_after = 1234567,
.not_after = CA_NOT_AFTER,
.issuer = NULL,
.subject = NULL,
.basic_constraints =
Expand All @@ -270,13 +281,13 @@ static void generate_registrar_tls_certs(void **state) {
&registrar_tls_ca_meta, registrar_tls_ca_key.array,
registrar_tls_ca_key.length, &registrar_tls_ca_cert.array);

struct crypto_cert_meta registrar_tls_meta = {.serial_number = 12345,
.not_before = 0,
.not_after = 1234567,
.issuer = NULL,
.subject = NULL,
.basic_constraints =
"CA:false"};
struct crypto_cert_meta registrar_tls_meta = {
.serial_number = 12345,
.not_before = 0,
.not_after = END_ENTITY_NOT_AFTER,
.issuer = NULL,
.subject = NULL,
.basic_constraints = "CA:false"};

registrar_tls_meta.issuer = init_keyvalue_list();
registrar_tls_meta.subject = init_keyvalue_list();
Expand Down Expand Up @@ -351,7 +362,7 @@ static void generate_cms_certs(void **state) {

struct crypto_cert_meta cms_ca_meta = {.serial_number = 1,
.not_before = 0,
.not_after = 1234567,
.not_after = CA_NOT_AFTER,
.issuer = NULL,
.subject = NULL,
.basic_constraints =
Expand All @@ -376,7 +387,7 @@ static void generate_cms_certs(void **state) {
{
struct crypto_cert_meta int2_cms_meta = {.serial_number = 12345,
.not_before = 0,
.not_after = 1234567,
.not_after = CA1_NOT_AFTER,
.issuer = NULL,
.subject = NULL,
.basic_constraints = "CA:false"};
Expand Down Expand Up @@ -407,7 +418,7 @@ static void generate_cms_certs(void **state) {
{
struct crypto_cert_meta int1_cms_meta = {.serial_number = 12345,
.not_before = 0,
.not_after = 1234567,
.not_after = CA2_NOT_AFTER,
.issuer = NULL,
.subject = NULL,
.basic_constraints = "CA:false"};
Expand Down Expand Up @@ -436,13 +447,13 @@ static void generate_cms_certs(void **state) {
save_cert("int1-cms", context, &int1_cms_key, &int1_cms_cert), errno);

{
struct crypto_cert_meta pledge_cms_meta = {.serial_number = 1,
.not_before = 0,
.not_after = 1234567,
.issuer = NULL,
.subject = NULL,
.basic_constraints =
"CA:false"};
struct crypto_cert_meta pledge_cms_meta = {
.serial_number = 1,
.not_before = 0,
.not_after = END_ENTITY_NOT_AFTER,
.issuer = NULL,
.subject = NULL,
.basic_constraints = "CA:false"};

pledge_cms_meta.issuer = init_keyvalue_list();
pledge_cms_meta.subject = init_keyvalue_list();
Expand Down Expand Up @@ -476,13 +487,13 @@ static void generate_cms_certs(void **state) {
}

{
struct crypto_cert_meta registrar_cms_meta = {.serial_number = 1,
.not_before = 0,
.not_after = 1234567,
.issuer = NULL,
.subject = NULL,
.basic_constraints =
"CA:false"};
struct crypto_cert_meta registrar_cms_meta = {
.serial_number = 1,
.not_before = 0,
.not_after = END_ENTITY_NOT_AFTER,
.issuer = NULL,
.subject = NULL,
.basic_constraints = "CA:false"};

registrar_cms_meta.issuer = init_keyvalue_list();
registrar_cms_meta.subject = init_keyvalue_list();
Expand Down Expand Up @@ -517,13 +528,13 @@ static void generate_cms_certs(void **state) {
}

{
struct crypto_cert_meta masa_cms_meta = {.serial_number = 1,
.not_before = 0,
.not_after = 1234567,
.issuer = NULL,
.subject = NULL,
.basic_constraints =
"CA:false"};
struct crypto_cert_meta masa_cms_meta = {
.serial_number = 1,
.not_before = 0,
.not_after = END_ENTITY_NOT_AFTER,
.issuer = NULL,
.subject = NULL,
.basic_constraints = "CA:false"};

masa_cms_meta.issuer = init_keyvalue_list();
masa_cms_meta.subject = init_keyvalue_list();
Expand Down
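Review bot: `SECONDS_IN_YEAR` in the first hunk is defined as `10 * 60 * 60 * 24 * 365` (315,360,000), ten times a real year, so every tier derived from it is ten times what the commit message and the comments state (root CA ~100 years, end-entity ~130 months), and `CA_NOT_AFTER = 10 * SECONDS_IN_YEAR` (3,153,600,000) overflows `long` wherever `long` is 32 bits, which is signed-overflow UB in the initializer itself. A const-qualified object is also not a constant expression in C, so these file-scope initializers compile only via a compiler extension (clang rejects them with "initializer element is not a compile-time constant"); expressing the offsets as macros with a `long` first operand fixes both problems and keeps the values debugger-visible enough for a test helper. Separately, the hunks that apply `CA1_NOT_AFTER` and `CA2_NOT_AFTER` to `int2_cms_meta` and `int1_cms_meta` do so on metas whose surrounding context lines still read `.basic_constraints = "CA:false"`, which seems at odds with describing them as subordinate CA tiers — presumably the issuer chain makes them intermediates, but that is worth confirming. Whether `.not_after` is applied as a plain seconds offset to "now" is not visible here; if it ends up in a 32-bit `time_t`, a 100-year root validity would also wrap past 2038.

```c
// Seconds in a (non-leap) year; `long` first operand so the products below
// never overflow `int`, and macros so they are usable in file-scope initializers.
#define SECONDS_IN_YEAR (60L * 60 * 24 * 365)

// Default Root CA certificate "Not After" validity offset
#define CA_NOT_AFTER (10 * SECONDS_IN_YEAR)
// Default Subordinate 1 CA certificate "Not After" validity offset
#define CA1_NOT_AFTER (5 * SECONDS_IN_YEAR)
// Default Subordinate 2 CA certificate "Not After" validity offset
#define CA2_NOT_AFTER (2 * SECONDS_IN_YEAR)
// Default end-entity certificate "Not After" validity offset (13 months)
#define END_ENTITY_NOT_AFTER (13 * SECONDS_IN_YEAR / 12)
```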
