|
|
|
@ -1,5 +1,5 @@
|
|
|
|
|
/*
|
|
|
|
|
Copyright 2021-2022 CAcert Inc.
|
|
|
|
|
Copyright 2021-2023 CAcert Inc.
|
|
|
|
|
SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
@ -53,7 +53,7 @@ type testRepo struct {
|
|
|
|
|
crlNumber *big.Int
|
|
|
|
|
crls map[string][]byte
|
|
|
|
|
current string
|
|
|
|
|
revoked []pkix.RevokedCertificate
|
|
|
|
|
revoked []x509.RevocationListEntry
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (t *testRepo) LoadCRL(b *big.Int) ([]byte, error) {
|
|
|
|
@ -89,15 +89,15 @@ func (t *testRepo) NextCRLNumber() (*big.Int, error) {
|
|
|
|
|
return t.crlNumber, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (t *testRepo) RevokedCertificates() ([]pkix.RevokedCertificate, error) {
|
|
|
|
|
result := make([]pkix.RevokedCertificate, len(t.revoked))
|
|
|
|
|
func (t *testRepo) RevokedCertificates() ([]x509.RevocationListEntry, error) {
|
|
|
|
|
result := make([]x509.RevocationListEntry, len(t.revoked))
|
|
|
|
|
|
|
|
|
|
copy(result, t.revoked)
|
|
|
|
|
|
|
|
|
|
return result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (t *testRepo) StoreRevocation(revoked *pkix.RevokedCertificate) error {
|
|
|
|
|
func (t *testRepo) StoreRevocation(revoked *x509.RevocationListEntry) error {
|
|
|
|
|
t.revoked = append(t.revoked, *revoked)
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
@ -111,17 +111,17 @@ func (r *brokenRepo) NextCRLNumber() (*big.Int, error) {
|
|
|
|
|
return nil, errors.New("don't know")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (r *brokenRepo) RevokedCertificates() ([]pkix.RevokedCertificate, error) {
|
|
|
|
|
func (r *brokenRepo) RevokedCertificates() ([]x509.RevocationListEntry, error) {
|
|
|
|
|
return nil, errors.New("no revocations for you")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (*brokenRepo) StoreRevocation(_ *pkix.RevokedCertificate) error {
|
|
|
|
|
func (*brokenRepo) StoreRevocation(_ *x509.RevocationListEntry) error {
|
|
|
|
|
return errors.New("cannot store")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type noStoreRepo struct{}
|
|
|
|
|
|
|
|
|
|
func (r noStoreRepo) StoreRevocation(_ *pkix.RevokedCertificate) error {
|
|
|
|
|
func (r noStoreRepo) StoreRevocation(_ *x509.RevocationListEntry) error {
|
|
|
|
|
// do nothing
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
@ -141,8 +141,8 @@ func (r noStoreRepo) StoreCRL(_ *big.Int, _ []byte) error {
|
|
|
|
|
|
|
|
|
|
func (r noStoreRepo) CleanUp() {}
|
|
|
|
|
|
|
|
|
|
func (b brokenRepoNoCrlNumber) RevokedCertificates() ([]pkix.RevokedCertificate, error) {
|
|
|
|
|
return make([]pkix.RevokedCertificate, 0), nil
|
|
|
|
|
func (b brokenRepoNoCrlNumber) RevokedCertificates() ([]x509.RevocationListEntry, error) {
|
|
|
|
|
return make([]x509.RevocationListEntry, 0), nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (b brokenRepoNoCrlNumber) NextCRLNumber() (*big.Int, error) {
|
|
|
|
@ -153,7 +153,7 @@ type brokenRepoNoRevocations struct {
|
|
|
|
|
noStoreRepo
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (b brokenRepoNoRevocations) RevokedCertificates() ([]pkix.RevokedCertificate, error) {
|
|
|
|
|
func (b brokenRepoNoRevocations) RevokedCertificates() ([]x509.RevocationListEntry, error) {
|
|
|
|
|
return nil, errors.New("no revocations known")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -163,7 +163,7 @@ func (b brokenRepoNoRevocations) NextCRLNumber() (*big.Int, error) {
|
|
|
|
|
|
|
|
|
|
func TestX509Revoking_Revoke(t *testing.T) {
|
|
|
|
|
testRepository := testRepo{
|
|
|
|
|
revoked: make([]pkix.RevokedCertificate, 0),
|
|
|
|
|
revoked: make([]x509.RevocationListEntry, 0),
|
|
|
|
|
crlNumber: big.NewInt(0),
|
|
|
|
|
crls: map[string][]byte{},
|
|
|
|
|
}
|
|
|
|
@ -180,7 +180,7 @@ func TestX509Revoking_Revoke(t *testing.T) {
|
|
|
|
|
revoke, err := r.Revoke(revoking.NewRevokeCertificate(serial, revoking.CRLReasonKeyCompromise))
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
assert.Equal(t, revoking.CRLReasonKeyCompromise.BuildExtension(), revoke.Extensions[0])
|
|
|
|
|
assert.Equal(t, int(revoking.CRLReasonKeyCompromise), revoke.ReasonCode)
|
|
|
|
|
assert.Equal(t, serial, revoke.SerialNumber)
|
|
|
|
|
|
|
|
|
|
var found bool
|
|
|
|
@ -218,7 +218,7 @@ func TestX509Revoking_CreateCRL(t *testing.T) {
|
|
|
|
|
logger.SetOutput(&bytes.Buffer{})
|
|
|
|
|
|
|
|
|
|
r := revoking.NewX509Revoking(
|
|
|
|
|
&testRepo{revoked: make([]pkix.RevokedCertificate, 0), crlNumber: big.NewInt(0), crls: map[string][]byte{}},
|
|
|
|
|
&testRepo{revoked: make([]x509.RevocationListEntry, 0), crlNumber: big.NewInt(0), crls: map[string][]byte{}},
|
|
|
|
|
x509.SHA256WithRSA, certificate, key, logger,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
@ -241,11 +241,11 @@ func TestX509Revoking_CreateCRL(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
var found bool
|
|
|
|
|
|
|
|
|
|
for _, item := range parsedCRL.RevokedCertificates {
|
|
|
|
|
for _, item := range parsedCRL.RevokedCertificateEntries {
|
|
|
|
|
if item.SerialNumber.Cmp(serial) == 0 {
|
|
|
|
|
found = true
|
|
|
|
|
|
|
|
|
|
assert.Contains(t, item.Extensions, revoking.CRLReasonKeyCompromise.BuildExtension())
|
|
|
|
|
assert.Equal(t, int(revoking.CRLReasonKeyCompromise), item.ReasonCode)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -299,7 +299,7 @@ func TestX509Revoking_GetCRL_WrongAlgorithm(t *testing.T) {
|
|
|
|
|
logger.SetOutput(&bytes.Buffer{})
|
|
|
|
|
|
|
|
|
|
r := revoking.NewX509Revoking(
|
|
|
|
|
&testRepo{revoked: make([]pkix.RevokedCertificate, 0), crlNumber: big.NewInt(0), crls: map[string][]byte{}},
|
|
|
|
|
&testRepo{revoked: make([]x509.RevocationListEntry, 0), crlNumber: big.NewInt(0), crls: map[string][]byte{}},
|
|
|
|
|
x509.ECDSAWithSHA256, certificate, key, logger,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
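Review bot: The loop in the `@ -241,11 +241,11 @@` hunk of `TestX509Revoking_CreateCRL` now checks only `item.ReasonCode` for the revoked serial, and that is the check that matters: `x509.CreateRevocationList` ignores `RevocationListEntry.Extensions` when marshaling and emits the reasonCode entry extension solely from `ReasonCode` (and only when it is non-zero), so this parsed-CRL assertion is the one that proves the reason actually reaches the signed CRL, whereas the `revoke.ReasonCode` check in `TestX509Revoking_Revoke` only inspects the in-memory entry. In the same branch it would be worth pinning that the entry carries a sane revocation time, e.g. `assert.WithinDuration(t, time.Now(), item.RevocationTime, time.Minute)` (importing `time` if the file does not already), since a zero `RevocationTime` is serialized without complaint; if that is already asserted outside the visible hunk, ignore this. A second case that revokes with the unspecified reason (0) would also pin that the reasonCode extension is omitted rather than encoded as 0, which is what RFC 5280 §5.3.1 recommends and what the Go encoder does. The enclosing test function begins and ends outside this hunk.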