github.com/letsencrypt/boulder@v0.20251208.0/linter/lints/cabf_br/lint_crl_validity_period_test.go

github.com/letsencrypt/boulder@v0.20251208.0/linter/lints/cabf_br/lint_crl_validity_period_test.go (about)

     1  package cabfbr
     2  
     3  import (
     4  	"fmt"
     5  	"strings"
     6  	"testing"
     7  
     8  	"github.com/zmap/zlint/v3/lint"
     9  
    10  	"github.com/letsencrypt/boulder/linter/lints/test"
    11  )
    12  
    13  func TestCrlValidityPeriod(t *testing.T) {
    14  	t.Parallel()
    15  
    16  	testCases := []struct {
    17  		name       string
    18  		want       lint.LintStatus
    19  		wantSubStr string
    20  	}{
    21  		{
    22  			name: "good", // CRL for subscriber certs
    23  			want: lint.Pass,
    24  		},
    25  		{
    26  			name: "good_subordinate_ca",
    27  			want: lint.Pass,
    28  		},
    29  		{
    30  			name:       "idp_distributionPoint_and_onlyUser_and_onlyCA", // What type of CRL is it (besides horrible)?!!??!
    31  			want:       lint.Error,
    32  			wantSubStr: "IssuingDistributionPoint should not have both onlyContainsUserCerts: TRUE and onlyContainsCACerts: TRUE",
    33  		},
    34  		{
    35  			name:       "negative_validity",
    36  			want:       lint.Warn,
    37  			wantSubStr: "CRL missing IssuingDistributionPoint",
    38  		},
    39  		{
    40  			name:       "negative_validity_subscriber_cert",
    41  			want:       lint.Error,
    42  			wantSubStr: "at or before",
    43  		},
    44  		{
    45  			name:       "negative_validity_subordinate_ca",
    46  			want:       lint.Error,
    47  			wantSubStr: "at or before",
    48  		},
    49  		{
    50  			name:       "long_validity_subscriber_cert", // 10 days + 1 second
    51  			want:       lint.Error,
    52  			wantSubStr: "CRL has validity period greater than 10 days",
    53  		},
    54  		{
    55  			name:       "long_validity_subordinate_ca", // 1 year + 1 second
    56  			want:       lint.Error,
    57  			wantSubStr: "CRL has validity period greater than 365 days",
    58  		},
    59  		{
    60  			// Technically this CRL is incorrect because Let's Encrypt does not
    61  			// (yet) issue CRLs containing both the distributionPoint and
    62  			// optional onlyContainsCACerts boolean, but we're still parsing the
    63  			// correct BR validity in this lint.
    64  			name: "long_validity_distributionPoint_and_subordinate_ca",
    65  			want: lint.Pass,
    66  		},
    67  	}
    68  
    69  	for _, tc := range testCases {
    70  		t.Run(tc.name, func(t *testing.T) {
    71  			l := NewCrlValidityPeriod()
    72  			c := test.LoadPEMCRL(t, fmt.Sprintf("testdata/crl_%s.pem", tc.name))
    73  			r := l.Execute(c)
    74  
    75  			if r.Status != tc.want {
    76  				t.Errorf("expected %q, got %q", tc.want, r.Status)
    77  			}
    78  			if !strings.Contains(r.Details, tc.wantSubStr) {
    79  				t.Errorf("expected %q, got %q", tc.wantSubStr, r.Details)
    80  			}
    81  		})
    82  	}
    83  }