package openssl_test
import (
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"math/big"
"os"
"path"
"strings"
"testing"
"time"
"git.cacert.org/cacert-gosigner/pkg/x509/openssl"
"git.cacert.org/cacert-gosigner/pkg/x509/revoking"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
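// TestStoreRevocation checks that FileRepository.StoreRevocation rejects a
// serial that is not present in index.txt and accepts the same serial once a
// matching "V" (valid) entry has been written to the index.
func TestStoreRevocation(t *testing.T) {
	tempdir := t.TempDir()

	fr, err := openssl.NewFileRepository(tempdir)
	require.NoError(t, err)

	// 128-bit random serial, the size a CA would typically issue.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	// A nil serial would be dereferenced further down, so abort the test
	// here instead of only recording the failure with t.Errorf.
	require.NoError(t, err, "could not create random serial")

	notAfter := time.Now().UTC().Add(24 * time.Hour)

	// Revoking a serial the index does not know about must be refused.
	err = fr.StoreRevocation(&pkix.RevokedCertificate{
		SerialNumber:   serial,
		RevocationTime: notAfter,
		Extensions:     []pkix.Extension{revoking.CRLReasonKeyCompromise.BuildExtension()},
	})
	assert.ErrorIs(t, err, openssl.CannotRevokeUnknown{Serial: serial})

	// Seed index.txt with one valid entry in the tab-separated column order
	// the repository reads: status, expiry, revocation date (empty while
	// valid), upper-case hex serial, file name, subject.
	indexLine := strings.Join(
		[]string{
			"V",
			notAfter.Format(openssl.TimeSpec),
			"",
			strings.ToUpper(serial.Text(16)),
			"unknown",
			pkix.Name{CommonName: "test.example.org"}.String(),
		},
		"\t",
	) + "\n"
	// Setup failure here would only show up as a confusing revocation
	// error below, so stop early.
	err = os.WriteFile(path.Join(tempdir, "index.txt"), []byte(indexLine), 0o600)
	require.NoError(t, err)

	// The serial is now known to the index and can be revoked.
	err = fr.StoreRevocation(&pkix.RevokedCertificate{
		SerialNumber:   serial,
		RevocationTime: time.Now(),
		Extensions:     []pkix.Extension{revoking.CRLReasonKeyCompromise.BuildExtension()},
	})
	assert.NoError(t, err)

	assert.FileExists(t, path.Join(tempdir, "index.txt"))
}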
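// TestStoreCertificate checks that FileRepository.StoreCertificate accepts a
// freshly issued end-entity certificate and creates the index.txt database
// in the repository directory.
func TestStoreCertificate(t *testing.T) {
	tempdir := t.TempDir()

	fr, err := openssl.NewFileRepository(tempdir)
	require.NoError(t, err)

	// 128-bit random serial, the size a CA would typically issue.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	// A nil serial would be handed to StoreCertificate below, so abort the
	// test here instead of only recording the failure with t.Errorf.
	require.NoError(t, err, "could not create random serial")

	// Take the clock once so NotBefore and NotAfter derive from the same
	// instant.
	now := time.Now().UTC()
	cert := &x509.Certificate{
		SerialNumber: serial,
		Issuer:       pkix.Name{CommonName: "Test CA"},
		Subject:      pkix.Name{CommonName: "test.example.org"},
		// Back-date NotBefore by an hour so the certificate is valid now.
		NotBefore:   now.Add(-1 * time.Hour),
		NotAfter:    now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    []string{"test.example.org"},
	}

	assert.NoError(t, fr.StoreCertificate(cert))
	assert.FileExists(t, path.Join(tempdir, "index.txt"))
}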