Implement proper support for CRLEntry extensions
This commit is contained in:
parent
474e7717cc
commit
057852ede6
1 changed files with 18 additions and 21 deletions
|
@ -27,7 +27,6 @@ import (
|
|||
"fmt"
|
||||
"math/big"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
@ -37,7 +36,7 @@ import (
|
|||
|
||||
type testRepo struct {
|
||||
crlNumber *big.Int
|
||||
revoked []*big.Int
|
||||
revoked []pkix.RevokedCertificate
|
||||
}
|
||||
|
||||
func (t *testRepo) NextCRLNumber() (*big.Int, error) {
|
||||
|
@ -51,20 +50,15 @@ func (t *testRepo) NextCRLNumber() (*big.Int, error) {
|
|||
func (t *testRepo) RevokedCertificates() ([]pkix.RevokedCertificate, error) {
|
||||
result := make([]pkix.RevokedCertificate, len(t.revoked))
|
||||
|
||||
for i, s := range t.revoked {
|
||||
serialNumber := s
|
||||
|
||||
result[i] = pkix.RevokedCertificate{
|
||||
SerialNumber: serialNumber,
|
||||
RevocationTime: time.Now(),
|
||||
}
|
||||
for i, revoked := range t.revoked {
|
||||
result[i] = revoked
|
||||
}
|
||||
|
||||
return result, nil
|
||||
}
|
||||
|
||||
func (t *testRepo) StoreRevocation(revoked *pkix.RevokedCertificate) error {
|
||||
t.revoked = append(t.revoked, revoked.SerialNumber)
|
||||
t.revoked = append(t.revoked, *revoked)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
@ -127,7 +121,7 @@ func randomSerial(t *testing.T) *big.Int {
|
|||
}
|
||||
|
||||
func TestX509Revoking_Revoke(t *testing.T) {
|
||||
testRepository := testRepo{revoked: make([]*big.Int, 0), crlNumber: big.NewInt(0)}
|
||||
testRepository := testRepo{revoked: make([]pkix.RevokedCertificate, 0), crlNumber: big.NewInt(0)}
|
||||
|
||||
caKey, caCertificate := prepareTestCA(t)
|
||||
|
||||
|
@ -144,7 +138,15 @@ func TestX509Revoking_Revoke(t *testing.T) {
|
|||
assert.Equal(t, revoking.CRLReasonKeyCompromise.BuildExtension(), revoke.Extensions[0])
|
||||
assert.Equal(t, serial, revoke.SerialNumber)
|
||||
|
||||
assert.Contains(t, testRepository.revoked, serial)
|
||||
var found bool
|
||||
|
||||
for _, r := range testRepository.revoked {
|
||||
if r.SerialNumber.Cmp(serial) == 0 {
|
||||
found = true
|
||||
}
|
||||
}
|
||||
|
||||
assert.True(t, found)
|
||||
}
|
||||
|
||||
func TestX509Revoking_Revoke_BrokenRepo(t *testing.T) {
|
||||
|
@ -168,7 +170,7 @@ func TestX509Revoking_CreateCRL(t *testing.T) {
|
|||
key, certificate := prepareTestCA(t)
|
||||
|
||||
r := revoking.NewX509Revoking(
|
||||
&testRepo{revoked: make([]*big.Int, 0), crlNumber: big.NewInt(0)},
|
||||
&testRepo{revoked: make([]pkix.RevokedCertificate, 0), crlNumber: big.NewInt(0)},
|
||||
x509.SHA256WithRSA,
|
||||
certificate,
|
||||
key,
|
||||
|
@ -198,14 +200,9 @@ func TestX509Revoking_CreateCRL(t *testing.T) {
|
|||
|
||||
for _, item := range parsedCRL.TBSCertList.RevokedCertificates {
|
||||
if item.SerialNumber.Cmp(serial) == 0 {
|
||||
// standard library x509.CreateRevocationList does not support
|
||||
// entry extensions according to RFC-5280 Section 5.3, therefore
|
||||
// item.Extensions always is empty.
|
||||
//
|
||||
// otherwise the following assert would be useful
|
||||
//
|
||||
// assert.Contains(t, item.Extensions, revoking.CRLReasonKeyCompromise.BuildExtension())
|
||||
found = true
|
||||
|
||||
assert.Contains(t, item.Extensions, revoking.CRLReasonKeyCompromise.BuildExtension())
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -256,7 +253,7 @@ func TestX509Revoking_CreateCRL_WrongAlgorithm(t *testing.T) {
|
|||
key, certificate := prepareTestCA(t)
|
||||
|
||||
r := revoking.NewX509Revoking(
|
||||
&testRepo{revoked: make([]*big.Int, 0), crlNumber: big.NewInt(0)},
|
||||
&testRepo{revoked: make([]pkix.RevokedCertificate, 0), crlNumber: big.NewInt(0)},
|
||||
x509.ECDSAWithSHA256,
|
||||
certificate,
|
||||
key,
|
||||
|
|
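Review bot: In the `@ -144,7 +138,15` hunk of TestX509Revoking_Revoke the new loop only proves that the serial reached the repository; because StoreRevocation now keeps the whole pkix.RevokedCertificate (hunk `@ -51,20 +50,15`), the test can also pin the fields that end up in the CRL entry, e.g. inside the match branch `assert.Equal(t, revoke.Extensions, r.Extensions)` and `assert.False(t, r.RevocationTime.IsZero())`, assuming `revoke` is the entry that Revoke handed to the repository. The removed fake previously stamped `RevocationTime: time.Now()` itself, so a zero revocation time produced by the production path would now be encoded into the CRL without any test noticing unless it is asserted. The loop also keeps scanning after a match; a `break` after `found = true` (or `slices.ContainsFunc`, if the module's Go version permits it) reads cleaner and mirrors the CreateCRL hunk. The enclosing function begins outside this hunk.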