From 2a2cc961666af1e41e127f043d571a93da800ef5 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Dec 19 2019 14:50:44 +0000 Subject: ipatests: add test for certinstall with notBefore in the future Part of: https://pagure.io/freeipa/issue/8142 Reviewed-By: Florence Blanc-Renaud --- diff --git a/ipatests/pytest_ipa/integration/create_caless_pki.py b/ipatests/pytest_ipa/integration/create_caless_pki.py index 36bb180..f2a98f5 100644 --- a/ipatests/pytest_ipa/integration/create_caless_pki.py +++ b/ipatests/pytest_ipa/integration/create_caless_pki.py @@ -409,6 +409,15 @@ def gen_server_certs(nick_base, hostname, org, ca=None): ]), ca, dns_name=hostname, warp=-2 * YEAR ) + gen_cert( + profile_server, nick_base + u'-not-yet-valid', + x509.Name([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, org), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Future'), + x509.NameAttribute(NameOID.COMMON_NAME, hostname), + ]), + ca, dns_name=hostname, warp=1 * DAY, + ) gen_cert(profile_server, nick_base + u'-badusage', x509.Name([ x509.NameAttribute(NameOID.ORGANIZATION_NAME, org), diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index 928f5cf..650cf29 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -1353,6 +1353,21 @@ class TestCertInstall(CALessBase): def test_expired_ds(self): self._test_expired_service_cert('d') + def _test_not_yet_valid_service_cert(self, w_or_d): + """Install new not-yet-valid HTTP/DS certificate.""" + result = self.certinstall(w_or_d, 'ca1/server-not-yet-valid') + pattern = re.compile( + r'The server certificate in server\.p12 is not valid: ' + '.*not valid before .* is in the future' + ) + assert_error(result, pattern) + + def test_not_yet_valid_http(self): + self._test_not_yet_valid_service_cert('w') + + def test_not_yet_valid_ds(self): + self._test_not_yet_valid_service_cert('d') + def test_http_bad_usage(self): "Install new HTTP certificate with invalid key usage"