From 0d23377c6575bd716448920269f8142a789097ca Mon Sep 17 00:00:00 2001
From: Nate Brown
Date: Mon, 18 May 2026 11:10:30 -0500
Subject: [PATCH] Fix flakey cert tests (#1728)
---
 cert/helper_test.go | 14 ++++++++++----
 cert_test/cert.go | 14 ++++++++++----
 2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/cert/helper_test.go b/cert/helper_test.go
index 1b72a0ff..9becfa5c 100644
--- a/cert/helper_test.go
+++ b/cert/helper_test.go
@@ -13,6 +13,12 @@ import (
 "golang.org/x/crypto/ed25519"
 )
+// testCertNow is the reference "now" used to derive default before/after times
+// in NewTestCaCert and NewTestCert. Holding it fixed for the lifetime of the
+// test binary keeps CA and leaf defaults aligned at the same second, so a leaf
+// signed with default times can never expire after its CA on a rounding race.
+var testCertNow = time.Now().Round(time.Second)
+
 // NewTestCaCert will create a new ca certificate
 func NewTestCaCert(version Version, curve Curve, before, after time.Time, networks, unsafeNetworks []netip.Prefix, groups []string) (Certificate, []byte, []byte, []byte) {
 var err error
@@ -34,10 +40,10 @@ func NewTestCaCert(version Version, curve Curve, before, after time.Time, networ
 }
 if before.IsZero() {
- before = time.Now().Add(time.Second * -60).Round(time.Second)
+ before = testCertNow.Add(time.Second * -60)
 }
 if after.IsZero() {
- after = time.Now().Add(time.Second * 60).Round(time.Second)
+ after = testCertNow.Add(time.Second * 60)
 }
 t := &TBSCertificate{
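Review bot: Pinning `testCertNow` at package init while keeping the ±60-second defaults means every default-time certificate now expires 60 seconds after the test binary starts, rather than 60 seconds after it is created as it did when each call read `time.Now()`. A CA or leaf built by NewTestCaCert / NewTestCert later than that in a slow or `-race` run is already past its `after` when a validity check compares it with the real clock, so the rounding flake may be traded for a run-duration-dependent one; this applies equally to the default branches in the later hunks of cert/helper_test.go and to the copy in cert_test/cert.go. If no test depends on the 60-second width, widening the defaults removes the dependency on run time, e.g. `before = testCertNow.Add(-time.Hour)` and `after = testCertNow.Add(time.Hour)`. Either way the doc comment on `testCertNow` should state that default certificates are valid only for a window measured from process start.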
@@ -70,11 +76,11 @@ func NewTestCaCert(version Version, curve Curve, before, after time.Time, networ
 // Expiry times are defaulted if you do not pass them in
 func NewTestCert(v Version, curve Curve, ca Certificate, key []byte, name string, before, after time.Time, networks, unsafeNetworks []netip.Prefix, groups []string) (Certificate, []byte, []byte, []byte) {
 if before.IsZero() {
- before = time.Now().Add(time.Second * -60).Round(time.Second)
+ before = testCertNow.Add(time.Second * -60)
 }
 if after.IsZero() {
- after = time.Now().Add(time.Second * 60).Round(time.Second)
+ after = testCertNow.Add(time.Second * 60)
 }
 if len(networks) == 0 {
diff --git a/cert_test/cert.go b/cert_test/cert.go
index c3759f12..4c440aff 100644
--- a/cert_test/cert.go
+++ b/cert_test/cert.go
@@ -14,6 +14,12 @@ import (
 "golang.org/x/crypto/ed25519"
 )
+// testCertNow is the reference "now" used to derive default before/after times
+// in NewTestCaCert and NewTestCert. Holding it fixed for the lifetime of the
+// test binary keeps CA and leaf defaults aligned at the same second, so a leaf
+// signed with default times can never expire after its CA on a rounding race.
+var testCertNow = time.Now().Round(time.Second)
+
 // NewTestCaCert will create a new ca certificate
 func NewTestCaCert(version cert.Version, curve cert.Curve, before, after time.Time, networks, unsafeNetworks []netip.Prefix, groups []string) (cert.Certificate, []byte, []byte, []byte) {
 var err error
@@ -35,10 +41,10 @@ func NewTestCaCert(version cert.Version, curve cert.Curve, before, after time.Ti
 }
 if before.IsZero() {
- before = time.Now().Add(time.Second * -60).Round(time.Second)
+ before = testCertNow.Add(time.Second * -60)
 }
 if after.IsZero() {
- after = time.Now().Add(time.Second * 60).Round(time.Second)
+ after = testCertNow.Add(time.Second * 60)
 }
 t := &cert.TBSCertificate{
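Review bot: The leaf defaults in NewTestCert (cert/helper_test.go) are still computed without consulting `ca`, so the "can never expire after its CA" guarantee in the `testCertNow` comment holds only when the CA was also built with default times. A caller that passes explicit `before`/`after` to NewTestCaCert and zero values here can still get a leaf whose window falls outside its issuer's. Consider clamping to the issuer when `after.IsZero()`, e.g. `after = ca.NotAfter()`, assuming the Certificate interface exposes that accessor and `ca` is never nil here (neither is visible in this hunk), or document the limit with `// Defaults are testCertNow ±60s and are not clamped to ca's validity.` The function body continues outside the hunk, and the same applies to NewTestCert in cert_test/cert.go.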
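Review bot: The `testCertNow` added to cert_test/cert.go is a second, independent variable rather than a shared one, and its comment does not say so. This file is not a `_test.go` file, so its value is taken whenever an importing program initialises the package, separately from the copy in cert/helper_test.go. If any test binary ends up using both helpers, the two reference times can round to different seconds and the CA/leaf alignment the comment promises would not hold across them; whether that happens is not visible from this diff. Suggest extending the comment with `// Note: cert/helper_test.go keeps its own copy; certificates from the two helpers are not guaranteed to share a reference time.`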
@@ -71,11 +77,11 @@ func NewTestCaCert(version cert.Version, curve cert.Curve, before, after time.Ti
 // Expiry times are defaulted if you do not pass them in
 func NewTestCert(v cert.Version, curve cert.Curve, ca cert.Certificate, key []byte, name string, before, after time.Time, networks, unsafeNetworks []netip.Prefix, groups []string) (cert.Certificate, []byte, []byte, []byte) {
 if before.IsZero() {
- before = time.Now().Add(time.Second * -60).Round(time.Second)
+ before = testCertNow.Add(time.Second * -60)
 }
 if after.IsZero() {
- after = time.Now().Add(time.Second * 60).Round(time.Second)
+ after = testCertNow.Add(time.Second * 60)
 }
 var pub, priv []byte