opensource/grpc-go
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

security/advancedtls: add test for crl cache expiration behavior (#5749)

Browse Source 
* Add test for cache reloading

* cleanup

* swap to using nil for no revoked certs

* Add description for new test
This commit is contained in:
Gregory Cooke
2022-12-01 14:09:57 -05:00
committed by GitHub
parent ef51864f48
commit 617d6c8a6c
1 changed files with 40 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
security/advancedtls/crl_test.go
View File

@ -731,3 +731,43 @@ func TestIssuerNonPrintableString(t *testing.T) {
t.Fatalf("fetchCRL failed: %s", err)
}
}
// TestCRLCacheExpirationReloading tests the basic expiration and reloading of a
// cached CRL. The setup places an empty CRL in the cache, and a corresponding
// CRL with a revocation in the CRL directory. We then validate the certificate
// to verify that the certificate is not revoked. Then, we modify the
// NextUpdate time to be in the past so that when we next check for revocation,
// the existing cache entry should be seen as expired, and the CRL in the
// directory showing `revokedInt.pem` as revoked will be loaded, resulting in
// the check returning `RevocationRevoked`.
func TestCRLCacheExpirationReloading(t *testing.T) {
cache, err := lru.New(5)
if err != nil {
t.Fatalf("Creating cache failed")
}
var certs = makeChain(t, testdata.Path("crl/revokedInt.pem"))
// Certs[1] has the same issuer as the revoked cert
rawIssuer := certs[1].RawIssuer
// `3.crl`` revokes `revokedInt.pem`
crl := loadCRL(t, testdata.Path("crl/3.crl"))
// Modify the crl so that the cert is NOT revoked and add it to the cache
crl.CertList.TBSCertList.RevokedCertificates = nil
crl.CertList.TBSCertList.NextUpdate = time.Now().Add(time.Hour)
cache.Add(hex.EncodeToString(rawIssuer), crl)
var cfg = RevocationConfig{RootDir: testdata.Path("crl"), Cache: cache}
revocationStatus := checkChain(certs, cfg)
if revocationStatus != RevocationUnrevoked {
t.Fatalf("Certificate check should be RevocationUnrevoked, was %v", revocationStatus)
}
// Modify the entry in the cache so that the cache will be refreshed
crl.CertList.TBSCertList.NextUpdate = time.Now()
cache.Add(hex.EncodeToString(rawIssuer), crl)
revocationStatus = checkChain(certs, cfg)
if revocationStatus != RevocationRevoked {
t.Fatalf("A certificate should have been `RevocationRevoked` but was %v", revocationStatus)
}
}