@@ -373,6 +373,9 @@ def test_set_custom_params
373373-----END CERTIFICATE-----
374374 EOF
375375
376+ require 'time'
377+ VERIFY_EXPIRED_TIME = Time . parse ( "2021/10/20 09:10:00" )
378+
376379 def test_cert_verify_expired1_lets_encrypt_cross_signed_root
377380 # reproducer for https://github.com/jruby/jruby-openssl/issues/236
378381 #
@@ -391,6 +394,7 @@ def test_cert_verify_expired1_lets_encrypt_cross_signed_root
391394 ]
392395
393396 cert_store = OpenSSL ::X509 ::Store . new
397+ cert_store . time = VERIFY_EXPIRED_TIME
394398 root_bundle . each { |cert | cert_store . add_cert cert }
395399
396400 # the endpoint will send the leaf node + these two intermediate certs
@@ -448,6 +452,7 @@ def test_cert_verify_expired2_lets_encrypt_cross_signed_intermediate
448452 ]
449453
450454 cert_store = OpenSSL ::X509 ::Store . new
455+ cert_store . time = VERIFY_EXPIRED_TIME
451456 root_bundle . each { |cert | cert_store . add_cert cert }
452457
453458 # cross-signed cert is sent from the server :
@@ -483,6 +488,7 @@ def test_cert_verify_expired0_lets_encrypt # base_line
483488 ]
484489
485490 cert_store = OpenSSL ::X509 ::Store . new
491+ cert_store . time = VERIFY_EXPIRED_TIME
486492 root_bundle . each { |cert | cert_store . add_cert cert }
487493
488494 chain = [
@@ -500,6 +506,16 @@ def test_cert_verify_expired0_lets_encrypt # base_line
500506 "/C=US/O=Let's Encrypt/CN=R3" ,
501507 "/C=US/O=Internet Security Research Group/CN=ISRG Root X1" ] ,
502508 cert_store . chain . map { |cert | cert . subject . to_s }
509+
510+ cert_store = OpenSSL ::X509 ::Store . new
511+ cert_store . time = VERIFY_EXPIRED_TIME
512+ cert_store . add_cert root_bundle [ 1 ] # only the expired one
513+
514+ ok = cert_store . verify ( LEAF_CERTIFICATE , chain )
515+
516+ assert !ok
517+ assert_equal 'unable to get issuer certificate' , cert_store . error_string
518+ end
503519 end
504520
505521 end
0 commit comments