Commit 849a7e37 authored by Vincent Pelletier's avatar Vincent Pelletier

test: Consistently update post-shift user CA in testCACertRenewal.

parent edfe5b61
...@@ -1468,18 +1468,17 @@ class CaucaseTest(unittest.TestCase): ...@@ -1468,18 +1468,17 @@ class CaucaseTest(unittest.TestCase):
for x in utils.getCertList(self._client_user_ca_crt) for x in utils.getCertList(self._client_user_ca_crt)
] ]
self._stopServer() self._stopServer()
# CA expires in 100 days: longer than one certificate life, # CA expires in 100 days: longer than one certificate life (93 days),
# but shorter than two. A new CA must be generated and distributed, # but shorter than two. A new CA must be generated and distributed,
# but not used for new signatures yet. # but not used for new signatures yet.
new_cau_crt_pem = self._setCACertificateRemainingLifeTime( # As we will use this crt as trust anchor, we must make the client believe
# it knew it all along.
old_cau_pem = self._setCACertificateRemainingLifeTime(
'user', 'user',
cau_crt.serial_number, cau_crt.serial_number,
datetime.timedelta(100, 0), datetime.timedelta(100, 0),
) )
# As we will use this crt as trust anchor, we must make the client believe utils.saveCertList(self._client_user_ca_crt, [old_cau_pem])
# it knew it all along.
with open(self._client_user_ca_crt, 'wb') as client_user_ca_crt_file:
client_user_ca_crt_file.write(new_cau_crt_pem)
self._startServer(timeout=20) self._startServer(timeout=20)
new_user_key = self._createAndApproveCertificate( new_user_key = self._createAndApproveCertificate(
user_key_path, user_key_path,
...@@ -1503,11 +1502,17 @@ class CaucaseTest(unittest.TestCase): ...@@ -1503,11 +1502,17 @@ class CaucaseTest(unittest.TestCase):
self._stopServer() self._stopServer()
# New CA now exists for 100 days: longer than one certificate life. # New CA now exists for 100 days: longer than one certificate life.
# It may (must) be used for new signatures. # It may (must) be used for new signatures.
self._setCACertificateRemainingLifeTime( utils.saveCertList(
'user', self._client_user_ca_crt,
new_cau_crt.serial_number, [
new_cau_crt.not_valid_after - new_cau_crt.not_valid_before - old_cau_pem,
datetime.timedelta(100, 0), self._setCACertificateRemainingLifeTime(
'user',
new_cau_crt.serial_number,
new_cau_crt.not_valid_after - new_cau_crt.not_valid_before -
datetime.timedelta(100, 0),
),
],
) )
self._startServer() self._startServer()
# A user certificate signed by the old CA must still be accetped # A user certificate signed by the old CA must still be accetped
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment