Commit 849a7e37 authored by Vincent Pelletier's avatar Vincent Pelletier

test: Consistently update post-shift user CA in testCACertRenewal.

parent edfe5b61
Pipeline #13461 passed with stage
in 0 seconds
......@@ -1468,18 +1468,17 @@ class CaucaseTest(unittest.TestCase):
for x in utils.getCertList(self._client_user_ca_crt)
]
self._stopServer()
# CA expires in 100 days: longer than one certificate life,
# CA expires in 100 days: longer than one certificate life (93 days),
# but shorter than two. A new CA must be generated and distributed,
# but not used for new signatures yet.
new_cau_crt_pem = self._setCACertificateRemainingLifeTime(
# As we will use this crt as trust anchor, we must make the client believe
# it knew it all along.
old_cau_pem = self._setCACertificateRemainingLifeTime(
'user',
cau_crt.serial_number,
datetime.timedelta(100, 0),
)
# As we will use this crt as trust anchor, we must make the client believe
# it knew it all along.
with open(self._client_user_ca_crt, 'wb') as client_user_ca_crt_file:
client_user_ca_crt_file.write(new_cau_crt_pem)
utils.saveCertList(self._client_user_ca_crt, [old_cau_pem])
self._startServer(timeout=20)
new_user_key = self._createAndApproveCertificate(
user_key_path,
......@@ -1503,11 +1502,17 @@ class CaucaseTest(unittest.TestCase):
self._stopServer()
# New CA now exists for 100 days: longer than one certificate life.
# It may (must) be used for new signatures.
utils.saveCertList(
self._client_user_ca_crt,
[
old_cau_pem,
self._setCACertificateRemainingLifeTime(
'user',
new_cau_crt.serial_number,
new_cau_crt.not_valid_after - new_cau_crt.not_valid_before -
datetime.timedelta(100, 0),
),
],
)
self._startServer()
# A user certificate signed by the old CA must still be accetped
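Review bot: In the second hunk the call to `self._setCACertificateRemainingLifeTime(...)` for `new_cau_crt.serial_number` is buried inside the list literal passed to `utils.saveCertList`, unlike the first hunk, where the result is bound to `old_cau_pem` first. Judging by its name, the helper changes the stored CA as well as returning the PEM, so binding it first as `new_cau_pem = self._setCACertificateRemainingLifeTime(...)` and then calling `utils.saveCertList(self._client_user_ca_crt, [old_cau_pem, new_cau_pem])` would make both the side effect and the resulting trust-store content easier to see. This second write also replaces the client's trust anchors out-of-band, so it deserves the same kind of comment the first hunk carries, for example `# Keep the client's CA list in sync with the time-shifted CAs: old CA first, renewed CA after it.` The test method starts and ends outside both hunks, so how the client file is used afterwards is not visible here.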
......