1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
use x509_parser::prelude::*;
#[cfg(feature = "verify")]
#[test]
fn read_crl_verify() {
const CA_DATA: &[u8] = include_bytes!("../assets/ca_minimalcrl.der");
const CRL_DATA: &[u8] = include_bytes!("../assets/minimal.crl");
let (_, x509_ca) = X509Certificate::from_der(CA_DATA).expect("could not parse certificate");
let (_, crl) = parse_x509_crl(CRL_DATA).expect("could not parse revocation list");
let res = crl.verify_signature(&x509_ca.tbs_certificate.subject_pki);
eprintln!("Verification: {:?}", res);
assert!(res.is_ok());
}
fn crl_idp<'a>(crl: &'a CertificateRevocationList) -> &'a IssuingDistributionPoint<'a> {
let crl_idp = crl
.tbs_cert_list
.find_extension(&oid_registry::OID_X509_EXT_ISSUER_DISTRIBUTION_POINT)
.expect("missing IDP extension");
match crl_idp.parsed_extension() {
ParsedExtension::IssuingDistributionPoint(crl_idp) => crl_idp,
_ => panic!("wrong extension type"),
}
}
#[test]
fn read_minimal_crl_idp() {
const CRL_DATA: &[u8] = include_bytes!("../assets/crl-idp/minimal.der");
let (_, crl) = parse_x509_crl(CRL_DATA).expect("could not parse revocation list");
let crl_idp = crl_idp(&crl);
let dp = crl_idp
.distribution_point
.as_ref()
.expect("missing distribution point");
let full_name = match dp {
DistributionPointName::FullName(full_name) => full_name,
DistributionPointName::NameRelativeToCRLIssuer(_) => {
panic!("wrong distribution point name type")
}
};
assert_eq!(full_name.len(), 1);
let uri = match full_name.first().unwrap() {
GeneralName::URI(uri) => *uri,
_ => panic!("wrong general name type"),
};
assert_eq!(uri, "http://crl.trustcor.ca/sub/dv-ssl-rsa-s-0.crl");
assert!(!crl_idp.only_contains_user_certs);
assert!(!crl_idp.only_contains_ca_certs);
assert!(crl_idp.only_some_reasons.is_none());
assert!(!crl_idp.only_contains_attribute_certs);
}
#[test]
fn test_only_user_crl_idp() {
const CRL_DATA: &[u8] = include_bytes!("../assets/crl-idp/only_user_certs.der");
let (_, crl) = parse_x509_crl(CRL_DATA).expect("could not parse revocation list");
let crl_idp = crl_idp(&crl);
assert!(crl_idp.only_contains_user_certs);
assert!(!crl_idp.only_contains_ca_certs);
assert!(crl_idp.only_some_reasons.is_none());
assert!(!crl_idp.only_contains_attribute_certs);
}
#[test]
fn test_only_ca_crl_idp() {
const CRL_DATA: &[u8] = include_bytes!("../assets/crl-idp/only_ca_certs.der");
let (_, crl) = parse_x509_crl(CRL_DATA).expect("could not parse revocation list");
let crl_idp = crl_idp(&crl);
assert!(!crl_idp.only_contains_user_certs);
assert!(crl_idp.only_contains_ca_certs);
assert!(crl_idp.only_some_reasons.is_none());
assert!(!crl_idp.only_contains_attribute_certs);
}
#[test]
fn test_only_some_reasons_crl_idp() {
const CRL_DATA: &[u8] = include_bytes!("../assets/crl-idp/only_some_reasons.der");
let (_, crl) = parse_x509_crl(CRL_DATA).expect("could not parse revocation list");
let crl_idp = crl_idp(&crl);
assert!(!crl_idp.only_contains_user_certs);
assert!(!crl_idp.only_contains_ca_certs);
assert!(!crl_idp.only_contains_attribute_certs);
let reasons = crl_idp
.only_some_reasons
.as_ref()
.expect("missing only_some_reasons");
assert!(reasons.key_compromise());
assert!(reasons.affilation_changed());
}
#[test]
fn test_only_attribute_cers_crl_idp() {
const CRL_DATA: &[u8] = include_bytes!("../assets/crl-idp/only_attribute_certs.der");
let (_, crl) = parse_x509_crl(CRL_DATA).expect("could not parse revocation list");
let crl_idp = crl_idp(&crl);
assert!(!crl_idp.only_contains_user_certs);
assert!(!crl_idp.only_contains_ca_certs);
assert!(crl_idp.only_some_reasons.is_none());
assert!(crl_idp.only_contains_attribute_certs);
}
|
