Implement proper support for CRLEntry extensions

Jan Dittberner 2022-04-24 15:18:42 +02:00 committed by Jan Dittberner
parent 474e7717cc
commit 057852ede6


@ -27,7 +27,6 @@ import (
"fmt"
"math/big"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@ -37,7 +36,7 @@ import (
type testRepo struct {
crlNumber *big.Int
revoked []*big.Int
revoked []pkix.RevokedCertificate
}
func (t *testRepo) NextCRLNumber() (*big.Int, error) {
@ -51,20 +50,15 @@ func (t *testRepo) NextCRLNumber() (*big.Int, error) {
func (t *testRepo) RevokedCertificates() ([]pkix.RevokedCertificate, error) {
result := make([]pkix.RevokedCertificate, len(t.revoked))
for i, s := range t.revoked {
serialNumber := s
result[i] = pkix.RevokedCertificate{
SerialNumber: serialNumber,
RevocationTime: time.Now(),
}
for i, revoked := range t.revoked {
result[i] = revoked
}
return result, nil
}
func (t *testRepo) StoreRevocation(revoked *pkix.RevokedCertificate) error {
t.revoked = append(t.revoked, revoked.SerialNumber)
t.revoked = append(t.revoked, *revoked)
return nil
}
@ -127,7 +121,7 @@ func randomSerial(t *testing.T) *big.Int {
}
func TestX509Revoking_Revoke(t *testing.T) {
testRepository := testRepo{revoked: make([]*big.Int, 0), crlNumber: big.NewInt(0)}
testRepository := testRepo{revoked: make([]pkix.RevokedCertificate, 0), crlNumber: big.NewInt(0)}
caKey, caCertificate := prepareTestCA(t)
@ -144,7 +138,15 @@ func TestX509Revoking_Revoke(t *testing.T) {
assert.Equal(t, revoking.CRLReasonKeyCompromise.BuildExtension(), revoke.Extensions[0])
assert.Equal(t, serial, revoke.SerialNumber)
assert.Contains(t, testRepository.revoked, serial)
var found bool
for _, r := range testRepository.revoked {
if r.SerialNumber.Cmp(serial) == 0 {
found = true
}
}
assert.True(t, found)
}
func TestX509Revoking_Revoke_BrokenRepo(t *testing.T) {
@ -168,7 +170,7 @@ func TestX509Revoking_CreateCRL(t *testing.T) {
key, certificate := prepareTestCA(t)
r := revoking.NewX509Revoking(
&testRepo{revoked: make([]*big.Int, 0), crlNumber: big.NewInt(0)},
&testRepo{revoked: make([]pkix.RevokedCertificate, 0), crlNumber: big.NewInt(0)},
x509.SHA256WithRSA,
certificate,
key,
@ -198,14 +200,9 @@ func TestX509Revoking_CreateCRL(t *testing.T) {
for _, item := range parsedCRL.TBSCertList.RevokedCertificates {
if item.SerialNumber.Cmp(serial) == 0 {
// standard library x509.CreateRevocationList does not support
// entry extensions according to RFC-5280 Section 5.3, therefore
// item.Extensions always is empty.
//
// otherwise the following assert would be useful
//
// assert.Contains(t, item.Extensions, revoking.CRLReasonKeyCompromise.BuildExtension())
found = true
assert.Contains(t, item.Extensions, revoking.CRLReasonKeyCompromise.BuildExtension())
}
}
@ -256,7 +253,7 @@ func TestX509Revoking_CreateCRL_WrongAlgorithm(t *testing.T) {
key, certificate := prepareTestCA(t)
r := revoking.NewX509Revoking(
&testRepo{revoked: make([]*big.Int, 0), crlNumber: big.NewInt(0)},
&testRepo{revoked: make([]pkix.RevokedCertificate, 0), crlNumber: big.NewInt(0)},
x509.ECDSAWithSHA256,
certificate,
key,
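Review bot: The test double's `RevokedCertificates` now returns whatever `StoreRevocation` received, and the index loop in that hunk is just `copy(result, t.revoked)`; the more important consequence is that the removed `RevocationTime: time.Now()` default is gone, so a revoke path that leaves `RevocationTime` zero would still produce a CRL whose entries carry a zero date. `TestX509Revoking_CreateCRL` would not notice, because the loop over `parsedCRL.TBSCertList.RevokedCertificates` checks only the serial and the entry extension; adding `assert.False(t, item.RevocationTime.IsZero())` beside the extension assertion closes that gap (whether the production code sets the time is not visible in this diff). In `TestX509Revoking_Revoke` the `found` loop can `break` once `r.SerialNumber.Cmp(serial) == 0` matches.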