Add a test case to check that the key creation time is correct

When getting a certificate's creation time, assert that the certificate's creation time (the Primary Key's creation time field) is used, not the active binding signature's creation time. See rpm-software-management#2004.
nwalfield · Apr 12, 2022 · f6d2847 · f6d2847
1 parent 29e5a26
commit f6d2847
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 0 deletions.
diff --git a/tests/Makefile.am b/tests/Makefile.am
@@ -123,6 +123,8 @@ EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret
 EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc
 EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig.asc
 EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig-last.asc
+EXTRA_DIST += data/keys/different-creation-times.asc
+EXTRA_DIST += data/keys/different-creation-times.secret
 EXTRA_DIST += data/macros.testfile
 EXTRA_DIST += data/macros.debug
 EXTRA_DIST += data/t1.lua

diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
@@ -325,6 +325,66 @@ runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc
 )
 AT_CLEANUP
 
+# -----------------------------------------
+# Import a key where the binding signature's creation time is
+# different from the certificate's creation time.
+#
+# If the key is identified as gpg-pubkey-62837bea-62553ec1, then the
+# implementation is using the binding signature's creation time
+# instead of the key's creation time.
+AT_SETUP([rpmkeys --import different-creation-times])
+AT_KEYWORDS([rpmkeys import])
+RPMDB_INIT
+AT_CHECK([
+runroot rpmkeys --import /data/keys/different-creation-times.asc
+runroot rpm -qi gpg-pubkey-62837bea-62553e62|grep -v Date|grep -v Version:
+runroot rpm -q --provides gpg-pubkey
+],
+[0],
+[[Name        : gpg-pubkey
+Version     : 62837bea
+Release     : 62553e62
+Architecture: (none)
+Group       : Public Keys
+Size        : 0
+License     : pubkey
+Signature   : (none)
+Source RPM  : (none)
+Build Host  : localhost
+Packager    : Alice Lovelace <[email protected]>
+Summary     : Alice Lovelace <[email protected]> public key
+Description :
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGJVPmIBDADbcjK3GTdWRlzChFeT0NPjQCrKJrKwNfUWRQjgi5x1nhh+N0aG
+XGCZn3yDnR8su3ucOjvk4p7Bc35GSXHBJaTVCTBw8fHE6k+KxHlcnZVjf7oCuuIx
+IvWJCPJPondxW1srKGQptZ3JXwKDNuvvcPAcu7HUnStId8HrM2oIAH2Y1ZA/LdEZ
+JqdBWOtLAF3th8zu+mTIK+pmzsMc0VjvNxsZb91qmr19hl3Gpa3z2BqQDSlow14D
+Tqguzho9Y8VAVBN/A6WEXwWC9Vj/w4X0sZFAKSB7Na7jweASxGVYbbcApuB2WMwS
+cinVw+NNpII7mB4+YhCfcwT9aMLNhh6BNr4u29Bv+5kHyQ7OIT/DqUFkyI0XDKXQ
+K79f9pIAFP5uSixbOvec7TM7EB+0CRpOLIdIY+mIe8CswlcYTqBXf9Nud4rMsK0x
+WpA21ZyIce2ghJd0UkSq7pd8KZF8p2EJ4Iv2zFPd3BGY6u33jxbBbi9CngFYxP9x
+FY6Y63KESOSCSPMAEQEAAbQiQWxpY2UgTG92ZWxhY2UgPGFsaWNlQGV4YW1wbGUu
+b3JnPokBzgQTAQoAOBYhBC84kW9ed88wezOFlqcrfU9ig3vqBQJiVT7BAhsDBQsJ
+CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEKcrfU9ig3vqrvYMAMXLnh99V6PhjXIS
+V4J/2aLYV1ECXbOgYVhyYUOlc1bIlV1GsSNr8pGODg1Q4+Nj9N3uawLGNu+FA9yl
+3G8k04Ro7GxEWty3Aw/RxBhxXLs+sZbPpQ3KOQYRkFVEYzU3BEsepsu8AW5IfbxO
+ozWIJifrKjzi4yzQjh6RD6y+fTCxzIMka2nZ2G1ChQb9tV1aZOoI4Q1NbE6AQdXm
+a0RG+iflpKF3hHxxABAHxrg1iq0qcqeKHMjWrIax9rscdKIHmIQcKWT6IwNZBTrU
+TGGYYBUoDrDvdWmOlX8GNW9V4pbzh8hsG0VZ2I6GxO3oWh8Swyv20s1RSLL6TfwE
+Zwh11+JmkomH4Bj6lKHS/ujBTR8SB6U6bsRdxpbVgltaMRcw8k7psDLB3+vEGjHZ
+i+xyTmDmO2F1Hahqt4JkkEdOUwKUrGOKqPhXamxwrLcd2HzVqJ+HHzeiUN7wyDS6
+AfWOO/Uikf26AHEXoaPWBqecM0pPehlX21lJ3ambpMB2T885Sg==
+=IEYU
+-----END PGP PUBLIC KEY BLOCK-----
+
+gpg(Alice Lovelace <[email protected]>) = 4:a72b7d4f62837bea-62553e62
+gpg(62837bea) = 4:a72b7d4f62837bea-62553e62
+gpg(a72b7d4f62837bea) = 4:a72b7d4f62837bea-62553e62
+]],
+[])
+AT_CLEANUP
+
 # ------------------------------
 # Test pre-built package verification
 AT_SETUP([rpmkeys -K <signed> 1])