crl_test.go 3.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150
  1. package crl
  2. import (
  3. "crypto/x509"
  4. "encoding/base64"
  5. "encoding/json"
  6. "io/ioutil"
  7. "net/http"
  8. "net/http/httptest"
  9. "testing"
  10. "time"
  11. "github.com/cloudflare/cfssl/api"
  12. "github.com/cloudflare/cfssl/certdb"
  13. "github.com/cloudflare/cfssl/certdb/sql"
  14. "github.com/cloudflare/cfssl/certdb/testdb"
  15. "github.com/cloudflare/cfssl/helpers"
  16. )
  17. const (
  18. fakeAKI = "fake aki"
  19. testCaFile = "../testdata/ca.pem"
  20. testCaKeyFile = "../testdata/ca_key.pem"
  21. )
  22. func prepDB() (certdb.Accessor, error) {
  23. db := testdb.SQLiteDB("../../certdb/testdb/certstore_development.db")
  24. expirationTime := time.Now().AddDate(1, 0, 0)
  25. var cert = certdb.CertificateRecord{
  26. Serial: "1",
  27. AKI: fakeAKI,
  28. Expiry: expirationTime,
  29. PEM: "revoked cert",
  30. Status: "revoked",
  31. RevokedAt: time.Now(),
  32. Reason: 4,
  33. }
  34. dbAccessor := sql.NewAccessor(db)
  35. err := dbAccessor.InsertCertificate(cert)
  36. if err != nil {
  37. return nil, err
  38. }
  39. return dbAccessor, nil
  40. }
  41. func testGetCRL(t *testing.T, dbAccessor certdb.Accessor, expiry string) (resp *http.Response, body []byte) {
  42. handler, err := NewHandler(dbAccessor, testCaFile, testCaKeyFile)
  43. if err != nil {
  44. t.Fatal(err)
  45. }
  46. ts := httptest.NewServer(handler)
  47. defer ts.Close()
  48. if expiry != "" {
  49. resp, err = http.Get(ts.URL + "?expiry=" + expiry)
  50. } else {
  51. resp, err = http.Get(ts.URL)
  52. }
  53. if err != nil {
  54. t.Fatal(err)
  55. }
  56. body, err = ioutil.ReadAll(resp.Body)
  57. if err != nil {
  58. t.Fatal(err)
  59. }
  60. return
  61. }
  62. func TestCRLGeneration(t *testing.T) {
  63. dbAccessor, err := prepDB()
  64. if err != nil {
  65. t.Fatal(err)
  66. }
  67. resp, body := testGetCRL(t, dbAccessor, "")
  68. if resp.StatusCode != http.StatusOK {
  69. t.Fatal("unexpected HTTP status code; expected OK", string(body))
  70. }
  71. message := new(api.Response)
  72. err = json.Unmarshal(body, message)
  73. if err != nil {
  74. t.Fatalf("failed to read response body: %v", err)
  75. }
  76. crlBytes := message.Result.(string)
  77. crlBytesDER, err := base64.StdEncoding.DecodeString(crlBytes)
  78. if err != nil {
  79. t.Fatal("failed to decode certificate ", err)
  80. }
  81. parsedCrl, err := x509.ParseCRL(crlBytesDER)
  82. if err != nil {
  83. t.Fatal("failed to get certificate ", err)
  84. }
  85. if parsedCrl.HasExpired(time.Now().Add(5 * helpers.OneDay)) {
  86. t.Fatal("the request will expire after 5 days, this shouldn't happen")
  87. }
  88. certs := parsedCrl.TBSCertList.RevokedCertificates
  89. if len(certs) != 1 {
  90. t.Fatal("failed to get one certificate")
  91. }
  92. cert := certs[0]
  93. if cert.SerialNumber.String() != "1" {
  94. t.Fatal("cert was not correctly inserted in CRL, serial was ", cert.SerialNumber)
  95. }
  96. }
  97. func TestCRLGenerationWithExpiry(t *testing.T) {
  98. dbAccessor, err := prepDB()
  99. if err != nil {
  100. t.Fatal(err)
  101. }
  102. resp, body := testGetCRL(t, dbAccessor, "119h")
  103. if resp.StatusCode != http.StatusOK {
  104. t.Fatal("unexpected HTTP status code; expected OK", string(body))
  105. }
  106. message := new(api.Response)
  107. err = json.Unmarshal(body, message)
  108. if err != nil {
  109. t.Fatalf("failed to read response body: %v", err)
  110. }
  111. crlBytes := message.Result.(string)
  112. crlBytesDER, err := base64.StdEncoding.DecodeString(crlBytes)
  113. if err != nil {
  114. t.Fatal("failed to decode certificate ", err)
  115. }
  116. parsedCrl, err := x509.ParseCRL(crlBytesDER)
  117. if err != nil {
  118. t.Fatal("failed to get certificate ", err)
  119. }
  120. if !parsedCrl.HasExpired(time.Now().Add(5 * helpers.OneDay)) {
  121. t.Fatal("the request should have expired")
  122. }
  123. certs := parsedCrl.TBSCertList.RevokedCertificates
  124. if len(certs) != 1 {
  125. t.Fatal("failed to get one certificate")
  126. }
  127. cert := certs[0]
  128. if cert.SerialNumber.String() != "1" {
  129. t.Fatal("cert was not correctly inserted in CRL, serial was ", cert.SerialNumber)
  130. }
  131. }