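// Source: crl/checker/checker_test.go in github.com/letsencrypt/boulder@v0.20251208.0
package checker

import (
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"io"
	"math/big"
	"os"
	"testing"
	"time"

	"github.com/jmhodges/clock"

	"github.com/letsencrypt/boulder/core"
	"github.com/letsencrypt/boulder/issuance"
	"github.com/letsencrypt/boulder/test"
)

// loadCRL reads the PEM-encoded CRL fixture at path and parses it into an
// *x509.RevocationList, failing the test on any error. The file handle is
// closed on return, and a fixture with no decodable PEM block is reported as
// a test failure rather than dereferenced as a nil block.
func loadCRL(t *testing.T, path string) *x509.RevocationList {
	t.Helper()
	f, err := os.Open(path)
	test.AssertNotError(t, err, "opening test crl file")
	defer f.Close()
	crlPEM, err := io.ReadAll(f)
	test.AssertNotError(t, err, "reading test crl file")
	block, _ := pem.Decode(crlPEM)
	if block == nil {
		t.Fatalf("no PEM block found in %q", path)
	}
	crl, err := x509.ParseRevocationList(block.Bytes)
	test.AssertNotError(t, err, "parsing test crl")
	return crl
}

// TestValidate exercises Validate against the int-e1 test CRL: the CRL
// passes with a generous age limit, is rejected with an age limit of zero,
// fails signature verification against a different issuer (int-r3), and a
// fixture with an over-long validity period is rejected with a lint error.
func TestValidate(t *testing.T) {
	// Large enough that the checked-in fixture never ages out of the test.
	const ageLimit = 100 * 365 * 24 * time.Hour

	crl := loadCRL(t, "../../test/hierarchy/int-e1.crl.pem")
	issuer, err := core.LoadCert("../../test/hierarchy/int-e1.cert.pem")
	test.AssertNotError(t, err, "loading test issuer")

	err = Validate(crl, issuer, ageLimit)
	test.AssertNotError(t, err, "validating good crl")

	// With an age limit of zero the CRL is rejected as too old; the error is
	// expected to mention "in the past".
	err = Validate(crl, issuer, 0)
	test.AssertError(t, err, "validating too-old crl")
	test.AssertContains(t, err.Error(), "in the past")

	// A CRL signed by int-e1 must not validate against int-r3's certificate.
	issuer2, err := core.LoadCert("../../test/hierarchy/int-r3.cert.pem")
	test.AssertNotError(t, err, "loading test issuer")
	err = Validate(crl, issuer2, ageLimit)
	test.AssertError(t, err, "validating crl from wrong issuer")
	test.AssertContains(t, err.Error(), "signature")

	// The lint fixture is otherwise well-formed but exceeds the allowed
	// validity period, so the failure must come from the linting step.
	longCRL := loadCRL(t, "../../linter/lints/cabf_br/testdata/crl_long_validity.pem")
	err = Validate(longCRL, issuer, ageLimit)
	test.AssertError(t, err, "validating crl with lint error")
	test.AssertContains(t, err.Error(), "linting")
}

// TestDiff signs two CRLs with the int-e1 test issuer one hour apart and
// checks that Diff reports exactly one added entry (serial 3, present only in
// the newer CRL) and one removed entry (serial 2, present only in the older
// CRL); serial 1 appears in both and must not be counted.
func TestDiff(t *testing.T) {
	issuer, err := issuance.LoadIssuer(
		issuance.IssuerConfig{
			Location: issuance.IssuerLoc{
				File:     "../../test/hierarchy/int-e1.key.pem",
				CertFile: "../../test/hierarchy/int-e1.cert.pem",
			},
			IssuerURL:  "http://not-example.com/issuer-url",
			CRLURLBase: "http://not-example.com/crl/",
			CRLShards:  1,
		}, clock.NewFake())
	test.AssertNotError(t, err, "loading test issuer")

	now := time.Now()

	// Older CRL (number 1): serials 1 and 2 revoked.
	oldTemplate := x509.RevocationList{
		ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour),
		Number:     big.NewInt(1),
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{
				SerialNumber:   big.NewInt(1),
				RevocationTime: now.Add(-time.Hour),
			},
			{
				SerialNumber:   big.NewInt(2),
				RevocationTime: now.Add(-time.Hour),
			},
		},
	}
	oldCRLDER, err := x509.CreateRevocationList(rand.Reader, &oldTemplate, issuer.Cert.Certificate, issuer.Signer)
	test.AssertNotError(t, err, "creating old crl")
	oldCRL, err := x509.ParseRevocationList(oldCRLDER)
	test.AssertNotError(t, err, "parsing old crl")

	// Newer CRL (number 2), issued an hour later: serial 2 dropped, serial 3
	// added, serial 1 retained with its original revocation time.
	now = now.Add(time.Hour)
	newTemplate := x509.RevocationList{
		ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour),
		Number:     big.NewInt(2),
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{
				SerialNumber:   big.NewInt(1),
				RevocationTime: now.Add(-2 * time.Hour),
			},
			{
				SerialNumber:   big.NewInt(3),
				RevocationTime: now.Add(-time.Hour),
			},
		},
	}
	newCRLDER, err := x509.CreateRevocationList(rand.Reader, &newTemplate, issuer.Cert.Certificate, issuer.Signer)
	test.AssertNotError(t, err, "creating new crl")
	newCRL, err := x509.ParseRevocationList(newCRLDER)
	test.AssertNotError(t, err, "parsing new crl")

	res, err := Diff(oldCRL, newCRL)
	test.AssertNotError(t, err, "diffing crls")
	test.AssertEquals(t, len(res.Added), 1)
	test.AssertEquals(t, len(res.Removed), 1)
}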