From 057852ede6a55d3b5025d5efedddc8d5a5ec40be Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Sun, 24 Apr 2022 15:18:42 +0200 Subject: [PATCH] Implement proper support for CRLEntry extensions --- pkg/x509/revoking/revoking_test.go | 39 ++++++++++++++---------------- 1 file changed, 18 insertions(+), 21 deletions(-) diff --git a/pkg/x509/revoking/revoking_test.go b/pkg/x509/revoking/revoking_test.go index 71a5536..723e519 100644 --- a/pkg/x509/revoking/revoking_test.go +++ b/pkg/x509/revoking/revoking_test.go @@ -27,7 +27,6 @@ import ( "fmt" "math/big" "testing" - "time" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -37,7 +36,7 @@ import ( type testRepo struct { crlNumber *big.Int - revoked []*big.Int + revoked []pkix.RevokedCertificate } func (t *testRepo) NextCRLNumber() (*big.Int, error) { @@ -51,20 +50,15 @@ func (t *testRepo) NextCRLNumber() (*big.Int, error) { func (t *testRepo) RevokedCertificates() ([]pkix.RevokedCertificate, error) { result := make([]pkix.RevokedCertificate, len(t.revoked)) - for i, s := range t.revoked { - serialNumber := s - - result[i] = pkix.RevokedCertificate{ - SerialNumber: serialNumber, - RevocationTime: time.Now(), - } + for i, revoked := range t.revoked { + result[i] = revoked } return result, nil } func (t *testRepo) StoreRevocation(revoked *pkix.RevokedCertificate) error { - t.revoked = append(t.revoked, revoked.SerialNumber) + t.revoked = append(t.revoked, *revoked) return nil } @@ -127,7 +121,7 @@ func randomSerial(t *testing.T) *big.Int { } func TestX509Revoking_Revoke(t *testing.T) { - testRepository := testRepo{revoked: make([]*big.Int, 0), crlNumber: big.NewInt(0)} + testRepository := testRepo{revoked: make([]pkix.RevokedCertificate, 0), crlNumber: big.NewInt(0)} caKey, caCertificate := prepareTestCA(t) 
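Review bot: The rebuilt body of `RevokedCertificates` (hunk -51,20) copies `t.revoked` element by element into a pre-sized slice; the built-in `copy` does the same in one call: `result := make([]pkix.RevokedCertificate, len(t.revoked))` followed by `copy(result, t.revoked)`. The copy is shallow either way: each returned entry still shares its `SerialNumber` pointer and `Extensions` slice with the value `StoreRevocation` appended, which is fine for this in-memory test double but means a caller mutating an entry also alters the fake's state. `StoreRevocation` dereferences `revoked` unconditionally, so a nil pointer panics here instead of surfacing as an error; acceptable in a fake, but worth a one-line comment such as `// test double: callers must pass a non-nil entry`.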
@@ -144,7 +138,15 @@ func TestX509Revoking_Revoke(t *testing.T) { assert.Equal(t, revoking.CRLReasonKeyCompromise.BuildExtension(), revoke.Extensions[0]) assert.Equal(t, serial, revoke.SerialNumber) - assert.Contains(t, testRepository.revoked, serial) + var found bool + + for _, r := range testRepository.revoked { + if r.SerialNumber.Cmp(serial) == 0 { + found = true + } + } + + assert.True(t, found) } func TestX509Revoking_Revoke_BrokenRepo(t *testing.T) { @@ -168,7 +170,7 @@ func TestX509Revoking_CreateCRL(t *testing.T) { key, certificate := prepareTestCA(t) r := revoking.NewX509Revoking( - &testRepo{revoked: make([]*big.Int, 0), crlNumber: big.NewInt(0)}, + &testRepo{revoked: make([]pkix.RevokedCertificate, 0), crlNumber: big.NewInt(0)}, x509.SHA256WithRSA, certificate, key, @@ -198,14 +200,9 @@ func TestX509Revoking_CreateCRL(t *testing.T) { for _, item := range parsedCRL.TBSCertList.RevokedCertificates { if item.SerialNumber.Cmp(serial) == 0 { - // standard library x509.CreateRevocationList does not support - // entry extensions according to RFC-5280 Section 5.3, therefore - // item.Extensions always is empty. - // - // otherwise the following assert would be useful - // - // assert.Contains(t, item.Extensions, revoking.CRLReasonKeyCompromise.BuildExtension()) found = true + + assert.Contains(t, item.Extensions, revoking.CRLReasonKeyCompromise.BuildExtension()) } } @@ -256,7 +253,7 @@ func TestX509Revoking_CreateCRL_WrongAlgorithm(t *testing.T) { key, certificate := prepareTestCA(t) r := revoking.NewX509Revoking( - &testRepo{revoked: make([]*big.Int, 0), crlNumber: big.NewInt(0)}, + &testRepo{revoked: make([]pkix.RevokedCertificate, 0), crlNumber: big.NewInt(0)}, x509.ECDSAWithSHA256, certificate, key,
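Review bot: The new search loop (hunk -144,7) only establishes that an entry with the matching serial was stored; since the repository now keeps whole `pkix.RevokedCertificate` values, the test could also check that the stored entry carries the entry extension the revocation was built with, e.g. inside the match `assert.Equal(t, revoke.Extensions, r.Extensions)` followed by `break`. Without that, a regression in `StoreRevocation` that dropped the extensions would still pass this test. `assert.True(t, found)` could name the serial in its message, e.g. `assert.True(t, found, "serial %s not stored", serial)`, so a failure is self-explanatory. The enclosing `TestX509Revoking_Revoke` starts outside the hunk.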
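Review bot: The new `assert.Contains` on `item.Extensions` (hunk -198,14) only checks that the key-compromise reason code is among the entry's extensions, so an entry that also carried stray or duplicate entry extensions would still pass; if the revocation is expected to carry exactly that one extension, `assert.Equal(t, []pkix.Extension{revoking.CRLReasonKeyCompromise.BuildExtension()}, item.Extensions)` pins the full entry-extension set. Either form relies on `BuildExtension()` producing the same `Id`, `Critical` flag and byte-identical `Value` that the CRL parser yields; if that ever diverges (for instance a nil versus empty `Value`), `Equal` reports a readable diff where `Contains` only says the element is missing. `TestX509Revoking_CreateCRL` starts and ends outside the hunk.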