Do not OCSP-check expired cert in test

digipost · Dec 12, 2022 · b00afec · b00afec
1 parent b8bad00
commit b00afec
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/src/test/java/no/digipost/security/cert/RealOCSPCertificateValidatorTest.java b/src/test/java/no/digipost/security/cert/RealOCSPCertificateValidatorTest.java
@@ -22,14 +22,14 @@
 import org.junit.jupiter.api.Test;
 
 import java.security.cert.X509Certificate;
-import java.time.Clock;
 import java.time.LocalDateTime;
 import java.util.Optional;
 
 import static java.time.ZoneOffset.UTC;
 import static no.digipost.security.cert.CertStatus.OK;
 import static no.digipost.security.cert.CertStatus.UNDECIDED;
 import static no.digipost.security.cert.CertStatus.UNTRUSTED;
+import static no.digipost.security.cert.OcspPolicy.NEVER_DO_OCSP_LOOKUP;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.is;
 
@@ -61,10 +61,13 @@ public void unknown_ocsprespone_gir_undecided_for_nytt_commfides_sertifikat() {
     @Test
     public void godtar_nytt_commfides_test_sertifikat() {
         CertificateValidator validatorQaEnv = new CertificateValidator(
-                CertificateValidatorConfig.MOST_STRICT.allowOcspResults(UNDECIDED),
-                new TrustFactory(Clock.systemUTC()).seid1.buypassAndCommfidesTestEnterpriseCertificates(),
+                CertificateValidatorConfig.MOST_STRICT.withOcspPolicy(NEVER_DO_OCSP_LOOKUP),
+                new TrustFactory(clock).seid1.buypassAndCommfidesTestEnterpriseCertificates(),
                 HttpClient.create());
 
+        clock.doWithTimeAdjusted(
+                clock -> clock.set(EBOKS_COMMFIDES_TEST.getNotAfter().toInstant().plusSeconds(600)),
+                now -> assertThat(validatorQaEnv.validateCert(EBOKS_COMMFIDES_TEST), is(UNTRUSTED)));
         assertThat(validatorQaEnv.validateCert(EBOKS_COMMFIDES_TEST), is(OK));
     }