openssl/src/x509/mod.rs +1 −0 @@ -54,6 +54,7 @@ mod tests; /// /// # Safety /// The value of NID and Output must match those in OpenSSL so that /// `Output::from_ptr_opt(*_get_ext_d2i(*, NID, ...))` is valid. pub unsafe trait ExtensionType { const NID: Nid; type Output: ForeignType; openssl/src/x509/tests.rs +40 −2 @@ -18,12 +18,12 @@ use crate::x509::store::X509Lookup; use crate::x509::store::X509StoreBuilder; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; #[cfg(ossl110)] use crate::x509::X509Builder; #[cfg(ossl102)] use crate::x509::X509PurposeId; #[cfg(any(ossl102, libressl261))] use crate::x509::X509PurposeRef; #[cfg(ossl110)] use crate::x509::{CrlReason, X509Builder}; use crate::x509::{ CrlStatus, X509Crl, X509Extension, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, }; @@ -31,6 +31,8 @@ use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] use libc::time_t; use super::{CertificateIssuer, ReasonCode}; fn pkey() -> PKey<Private> { let rsa = Rsa::generate(2048).unwrap(); PKey::from_rsa(rsa).unwrap()
@@ -611,6 +613,42 @@ fn test_load_crl() { ); } #[test] fn test_crl_entry_extensions() { let crl = include_bytes!("../../test/entry_extensions.crl"); let crl = X509Crl::from_pem(crl).unwrap(); let revoked_certs = crl.get_revoked().unwrap(); let entry = &revoked_certs[0]; let (critical, issuer) = entry .extension::<CertificateIssuer>() .unwrap() .expect("Certificate issuer extension should be present"); assert!(critical, "Certificate issuer extension is critical"); assert_eq!(issuer.len(), 1, "Certificate issuer should have one entry"); let issuer = issuer[0] .directory_name() .expect("Issuer should be a directory name"); assert_eq!( format!("{:?}", issuer), r#"[countryName = "GB", commonName = "Test CA"]"# ); // reason_code can't be inspected without ossl110 #[allow(unused_variables)] let (critical, reason_code) = entry .extension::<ReasonCode>() .unwrap() .expect("Reason code extension should be present"); assert!(!critical, "Reason code extension is not critical"); #[cfg(ossl110)] assert_eq!( CrlReason::KEY_COMPROMISE, CrlReason::from_raw(reason_code.get_i64().unwrap() as ffi::c_int) ); } #[test] fn test_save_subject_der() { let cert = include_bytes!("../../test/cert.pem"); openssl/test/entry_extensions.crl 0 → 100644 +10 −0 -----BEGIN X509 CRL----- MIIBXDCCAQICAQEwCgYIKoZIzj0EAwIwETEPMA0GA1UEAwwGQ1JMIENBFw0yMzAz MjgwOTQ5MThaFw0yMzA0MDQwOTUwMDdaMIGAMH4CFE+Y95/1pOqa6c9fUEJ8c04k xu2PFw0yMzAzMjgwOTQ3MzNaMFcwLwYDVR0dAQH/BCUwI6QhMB8xCzAJBgNVBAYT AkdCMRAwDgYDVQQDDAdUZXN0IENBMAoGA1UdFQQDCgEBMBgGA1UdGAQRGA8yMDIz MDMyODA5NDQ0MFqgPTA7MB8GA1UdIwQYMBaAFNX1GZ0RWuC+4gz1wuy5H32T2W+R MAoGA1UdFAQDAgEUMAwGA1UdHAQFMAOEAf8wCgYIKoZIzj0EAwIDSAAwRQIgbl7x W+WVAb+zlvKcJLmHVuC+gbqR4jqwGIHHgQl2J8kCIQCo/sAF5sDqy/cL+fbzBeUe YoY2h6lIkj9ENwU8ZCt03w== -----END X509 CRL-----
openssl/src/x509/mod.rs +1 −0 @@ -54,6 +54,7 @@ mod tests; /// /// # Safety /// The value of NID and Output must match those in OpenSSL so that /// `Output::from_ptr_opt(*_get_ext_d2i(*, NID, ...))` is valid. pub unsafe trait ExtensionType { const NID: Nid; type Output: ForeignType;
openssl/src/x509/tests.rs +40 −2 @@ -18,12 +18,12 @@ use crate::x509::store::X509Lookup; use crate::x509::store::X509StoreBuilder; #[cfg(any(ossl102, libressl261))] use crate::x509::verify::{X509VerifyFlags, X509VerifyParam}; #[cfg(ossl110)] use crate::x509::X509Builder; #[cfg(ossl102)] use crate::x509::X509PurposeId; #[cfg(any(ossl102, libressl261))] use crate::x509::X509PurposeRef; #[cfg(ossl110)] use crate::x509::{CrlReason, X509Builder}; use crate::x509::{ CrlStatus, X509Crl, X509Extension, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509, }; @@ -31,6 +31,8 @@ use hex::{self, FromHex}; #[cfg(any(ossl102, libressl261))] use libc::time_t; use super::{CertificateIssuer, ReasonCode}; fn pkey() -> PKey<Private> { let rsa = Rsa::generate(2048).unwrap(); PKey::from_rsa(rsa).unwrap()
@@ -611,6 +613,42 @@ fn test_load_crl() { ); } #[test] fn test_crl_entry_extensions() { let crl = include_bytes!("../../test/entry_extensions.crl"); let crl = X509Crl::from_pem(crl).unwrap(); let revoked_certs = crl.get_revoked().unwrap(); let entry = &revoked_certs[0]; let (critical, issuer) = entry .extension::<CertificateIssuer>() .unwrap() .expect("Certificate issuer extension should be present"); assert!(critical, "Certificate issuer extension is critical"); assert_eq!(issuer.len(), 1, "Certificate issuer should have one entry"); let issuer = issuer[0] .directory_name() .expect("Issuer should be a directory name"); assert_eq!( format!("{:?}", issuer), r#"[countryName = "GB", commonName = "Test CA"]"# ); // reason_code can't be inspected without ossl110 #[allow(unused_variables)] let (critical, reason_code) = entry .extension::<ReasonCode>() .unwrap() .expect("Reason code extension should be present"); assert!(!critical, "Reason code extension is not critical"); #[cfg(ossl110)] assert_eq!( CrlReason::KEY_COMPROMISE, CrlReason::from_raw(reason_code.get_i64().unwrap() as ffi::c_int) ); } #[test] fn test_save_subject_der() { let cert = include_bytes!("../../test/cert.pem");
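Review bot: `test_crl_entry_extensions` covers only the case where each extension is present and decodes, so the `Ok(None)` and `Err` results of `entry.extension::<T>()` are never exercised. `ExtensionType` is an `unsafe` trait whose contract is that NID and Output match what OpenSSL hands back, and CRLs are usually parsed from untrusted input, so a fixture entry that lacks one of these extensions, or carries a malformed one, would be worth asserting on; how the lookup distinguishes absent from undecodable extensions is not visible in this hunk. Separately, `reason_code.get_i64().unwrap() as ffi::c_int` truncates silently, whereas `ffi::c_int::try_from(reason_code.get_i64().unwrap()).unwrap()` would make an out-of-range value fail the test instead of wrapping into some other reason code. A short comment above the test stating what the fixture's first revoked entry contains (a critical certificate issuer and a key-compromise reason code) would help readers who cannot decode the PEM by eye.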
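--- /dev/null
+++ b/openssl/test/entry_extensions.crl
@@ -0,0 +1,10 @@
+-----BEGIN X509 CRL-----
+MIIBXDCCAQICAQEwCgYIKoZIzj0EAwIwETEPMA0GA1UEAwwGQ1JMIENBFw0yMzAz
+MjgwOTQ5MThaFw0yMzA0MDQwOTUwMDdaMIGAMH4CFE+Y95/1pOqa6c9fUEJ8c04k
+xu2PFw0yMzAzMjgwOTQ3MzNaMFcwLwYDVR0dAQH/BCUwI6QhMB8xCzAJBgNVBAYT
+AkdCMRAwDgYDVQQDDAdUZXN0IENBMAoGA1UdFQQDCgEBMBgGA1UdGAQRGA8yMDIz
+MDMyODA5NDQ0MFqgPTA7MB8GA1UdIwQYMBaAFNX1GZ0RWuC+4gz1wuy5H32T2W+R
+MAoGA1UdFAQDAgEUMAwGA1UdHAQFMAOEAf8wCgYIKoZIzj0EAwIDSAAwRQIgbl7x
+W+WVAb+zlvKcJLmHVuC+gbqR4jqwGIHHgQl2J8kCIQCo/sAF5sDqy/cL+fbzBeUe
+YoY2h6lIkj9ENwU8ZCt03w==
+-----END X509 CRL-----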