1 package checker
2
3 import (
4 "crypto/rand"
5 "crypto/x509"
6 "encoding/pem"
7 "io"
8 "math/big"
9 "os"
10 "testing"
11 "time"
12
13 "github.com/letsencrypt/boulder/core"
14 "github.com/letsencrypt/boulder/issuance"
15 "github.com/letsencrypt/boulder/test"
16 )
17
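// loadTestCRL reads a PEM-encoded CRL fixture from path and parses it, failing
// the test on any error. It closes the file handle (the inline Open/ReadAll
// sequence it replaces never did) and reports a missing PEM block with a
// clear message instead of dereferencing pem.Decode's nil result.
func loadTestCRL(t *testing.T, path string) *x509.RevocationList {
	t.Helper()
	crlFile, err := os.Open(path)
	test.AssertNotError(t, err, "opening test crl file")
	defer crlFile.Close()
	crlPEM, err := io.ReadAll(crlFile)
	test.AssertNotError(t, err, "reading test crl file")
	crlDER, _ := pem.Decode(crlPEM)
	if crlDER == nil {
		t.Fatalf("no PEM block found in %q", path)
	}
	crl, err := x509.ParseRevocationList(crlDER.Bytes)
	test.AssertNotError(t, err, "parsing test crl")
	return crl
}

// TestValidate exercises Validate against the checked-in test hierarchy: the
// int-e1 CRL must pass with a generous age limit, fail with a zero age limit
// ("in the past"), fail signature verification against a different issuer
// (int-r3), and a CRL whose validity window is too long must be rejected with
// an error that names the lint stage.
func TestValidate(t *testing.T) {
	crl := loadTestCRL(t, "../../test/hierarchy/int-e1.crl.pem")
	issuer, err := core.LoadCert("../../test/hierarchy/int-e1.cert.pem")
	test.AssertNotError(t, err, "loading test issuer")

	// Happy path: a 100-year age limit comfortably covers the fixture's age.
	err = Validate(crl, issuer, 100*365*24*time.Hour)
	test.AssertNotError(t, err, "validating good crl")

	// A zero age limit means any thisUpdate in the past is too old.
	err = Validate(crl, issuer, 0)
	test.AssertError(t, err, "validating too-old crl")
	test.AssertContains(t, err.Error(), "in the past")

	// The CRL was signed by int-e1, so int-r3's key must not verify it. This
	// is the check that stops a CRL from being accepted under the wrong issuer.
	issuer2, err := core.LoadCert("../../test/hierarchy/int-r3.cert.pem")
	test.AssertNotError(t, err, "loading test issuer")
	err = Validate(crl, issuer2, 100*365*24*time.Hour)
	test.AssertError(t, err, "validating crl from wrong issuer")
	test.AssertContains(t, err.Error(), "signature")

	// A well-formed CRL that violates a CABF BR lint must still be rejected.
	lintCRL := loadTestCRL(t, "../../linter/lints/cabf_br/testdata/crl_long_validity.pem")
	err = Validate(lintCRL, issuer, 100*365*24*time.Hour)
	test.AssertError(t, err, "validating crl with lint error")
	test.AssertContains(t, err.Error(), "linting")
}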
53
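// TestDiff builds two consecutive CRLs from the same issuer and checks that
// Diff reports the entry present only in the old CRL as removed and the entry
// present only in the new CRL as added. Serial 1 appears in both with the same
// revocation time and must not be counted either way.
func TestDiff(t *testing.T) {
	issuer, signer, err := issuance.LoadIssuer(issuance.IssuerLoc{
		File:     "../../test/hierarchy/int-e1.key.pem",
		CertFile: "../../test/hierarchy/int-e1.cert.pem",
	})
	test.AssertNotError(t, err, "loading test issuer")

	// mkCRL signs template with the test issuer and parses the DER back, so
	// both CRLs below take the same path a real one would. The label keeps the
	// failure messages distinct (the original text said "old" for both).
	mkCRL := func(template *x509.RevocationList, label string) *x509.RevocationList {
		t.Helper()
		der, err := x509.CreateRevocationList(rand.Reader, template, issuer.Certificate, signer)
		test.AssertNotError(t, err, "creating "+label+" crl")
		crl, err := x509.ParseRevocationList(der)
		test.AssertNotError(t, err, "parsing "+label+" crl")
		return crl
	}

	// Old CRL (number 1): serials 1 and 2 revoked an hour before thisUpdate.
	base := time.Now()
	oldCRL := mkCRL(&x509.RevocationList{
		ThisUpdate: base,
		NextUpdate: base.Add(24 * time.Hour),
		Number:     big.NewInt(2 - 1),
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: big.NewInt(1), RevocationTime: base.Add(-time.Hour)},
			{SerialNumber: big.NewInt(2), RevocationTime: base.Add(-time.Hour)},
		},
	}, "old")

	// New CRL (number 2), issued an hour later: serial 1 is still listed with
	// its original revocation instant (later-2h == base-1h), serial 2 has
	// dropped off, and serial 3 is newly revoked.
	later := base.Add(time.Hour)
	newCRL := mkCRL(&x509.RevocationList{
		ThisUpdate: later,
		NextUpdate: later.Add(24 * time.Hour),
		Number:     big.NewInt(2),
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: big.NewInt(1), RevocationTime: later.Add(-2 * time.Hour)},
			{SerialNumber: big.NewInt(3), RevocationTime: later.Add(-time.Hour)},
		},
	}, "new")

	res, err := Diff(oldCRL, newCRL)
	test.AssertNotError(t, err, "diffing crls")
	// Expect exactly one addition (serial 3) and one removal (serial 2).
	// NOTE(review): the element type of res.Added/res.Removed is not visible
	// here; asserting the specific serials would be a stronger check.
	test.AssertEquals(t, len(res.Added), 1)
	test.AssertEquals(t, len(res.Removed), 1)
}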
110