@ -27,7 +27,6 @@ import (
"fmt"
"fmt"
"math/big"
"math/big"
"testing"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/stretchr/testify/require"
@ -37,7 +36,7 @@ import (
type testRepo struct {
type testRepo struct {
crlNumber *big.Int
crlNumber *big.Int
revoked []*big.Int
revoked []pkix.RevokedCertificate
}
}
func (t *testRepo) NextCRLNumber() (*big.Int, error) {
@ -51,20 +50,15 @@ func (t *testRepo) NextCRLNumber() (*big.Int, error) {
func (t *testRepo) RevokedCertificates() ([]pkix.RevokedCertificate, error) {
func (t *testRepo) RevokedCertificates() ([]pkix.RevokedCertificate, error) {
result := make([]pkix.RevokedCertificate, len(t.revoked))
result := make([]pkix.RevokedCertificate, len(t.revoked))
for i, s := range t.revoked {
for i, revoked := range t.revoked {
serialNumber := s
result[i] = revoked
result[i] = pkix.RevokedCertificate{
SerialNumber: serialNumber,
RevocationTime: time.Now(),
}
}
}
return result, nil
return result, nil
}
}
func (t *testRepo) StoreRevocation(revoked *pkix.RevokedCertificate) error {
func (t *testRepo) StoreRevocation(revoked *pkix.RevokedCertificate) error {
t.revoked = append(t.revoked, revoked.SerialNumber)
t.revoked = append(t.revoked, *revoked)
return nil
return nil
}
@ -127,7 +121,7 @@ func randomSerial(t *testing.T) *big.Int {
}
}
func TestX509Revoking_Revoke(t *testing.T) {
func TestX509Revoking_Revoke(t *testing.T) {
testRepository := testRepo{revoked: make([]*big.Int, 0), crlNumber: big.NewInt(0)}
testRepository := testRepo{revoked: make([]pkix.RevokedCertificate, 0), crlNumber: big.NewInt(0)}
caKey, caCertificate := prepareTestCA(t)
caKey, caCertificate := prepareTestCA(t)
@ -144,7 +138,15 @@ func TestX509Revoking_Revoke(t *testing.T) {
assert.Equal(t, revoking.CRLReasonKeyCompromise.BuildExtension(), revoke.Extensions[0])
assert.Equal(t, revoking.CRLReasonKeyCompromise.BuildExtension(), revoke.Extensions[0])
assert.Equal(t, serial, revoke.SerialNumber)
assert.Equal(t, serial, revoke.SerialNumber)
assert.Contains(t, testRepository.revoked, serial)
var found bool
for _, r := range testRepository.revoked {
if r.SerialNumber.Cmp(serial) == 0 {
found = true
}
}
assert.True(t, found)
}
}
func TestX509Revoking_Revoke_BrokenRepo(t *testing.T) {
func TestX509Revoking_Revoke_BrokenRepo(t *testing.T) {
@ -168,7 +170,7 @@ func TestX509Revoking_CreateCRL(t *testing.T) {
key, certificate := prepareTestCA(t)
key, certificate := prepareTestCA(t)
r := revoking.NewX509Revoking(
r := revoking.NewX509Revoking(
&testRepo{revoked: make([]*big.Int, 0), crlNumber: big.NewInt(0)},
&testRepo{revoked: make([]pkix.RevokedCertificate, 0), crlNumber: big.NewInt(0)},
x509.SHA256WithRSA,
x509.SHA256WithRSA,
certificate,
certificate,
key,
@ -198,14 +200,9 @@ func TestX509Revoking_CreateCRL(t *testing.T) {
for _, item := range parsedCRL.TBSCertList.RevokedCertificates {
for _, item := range parsedCRL.TBSCertList.RevokedCertificates {
if item.SerialNumber.Cmp(serial) == 0 {
if item.SerialNumber.Cmp(serial) == 0 {
// standard library x509.CreateRevocationList does not support
// entry extensions according to RFC-5280 Section 5.3, therefore
// item.Extensions always is empty.
//
// otherwise the following assert would be useful
//
// assert.Contains(t, item.Extensions, revoking.CRLReasonKeyCompromise.BuildExtension())
found = true
found = true
assert.Contains(t, item.Extensions, revoking.CRLReasonKeyCompromise.BuildExtension())
}
}
}
}
@ -256,7 +253,7 @@ func TestX509Revoking_CreateCRL_WrongAlgorithm(t *testing.T) {
key, certificate := prepareTestCA(t)
key, certificate := prepareTestCA(t)
r := revoking.NewX509Revoking(
r := revoking.NewX509Revoking(
&testRepo{revoked: make([]*big.Int, 0), crlNumber: big.NewInt(0)},
&testRepo{revoked: make([]pkix.RevokedCertificate, 0), crlNumber: big.NewInt(0)},
x509.ECDSAWithSHA256,
x509.ECDSAWithSHA256,
certificate,
certificate,
key,
key,