From 617d6c8a6cb089aa7b049c88710961c183ac474c Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Thu, 1 Dec 2022 14:09:57 -0500 Subject: [PATCH] security/advancedtls: add test for crl cache expiration behavior (#5749) * Add test for cache reloading * cleanup * swap to using nil for no revoked certs * Add description for new test --- security/advancedtls/crl_test.go | 40 ++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/security/advancedtls/crl_test.go b/security/advancedtls/crl_test.go index 1f026b1d..153074a2 100644 --- a/security/advancedtls/crl_test.go +++ b/security/advancedtls/crl_test.go @@ -731,3 +731,43 @@ func TestIssuerNonPrintableString(t *testing.T) { t.Fatalf("fetchCRL failed: %s", err) } } + +// TestCRLCacheExpirationReloading tests the basic expiration and reloading of a +// cached CRL. The setup places an empty CRL in the cache, and a corresponding +// CRL with a revocation in the CRL directory. We then validate the certificate +// to verify that the certificate is not revoked. Then, we modify the +// NextUpdate time to be in the past so that when we next check for revocation, +// the existing cache entry should be seen as expired, and the CRL in the +// directory showing `revokedInt.pem` as revoked will be loaded, resulting in +// the check returning `RevocationRevoked`. +func TestCRLCacheExpirationReloading(t *testing.T) { + cache, err := lru.New(5) + if err != nil { + t.Fatalf("Creating cache failed") + } + + var certs = makeChain(t, testdata.Path("crl/revokedInt.pem")) + // Certs[1] has the same issuer as the revoked cert + rawIssuer := certs[1].RawIssuer + + // `3.crl`` revokes `revokedInt.pem` + crl := loadCRL(t, testdata.Path("crl/3.crl")) + // Modify the crl so that the cert is NOT revoked and add it to the cache + crl.CertList.TBSCertList.RevokedCertificates = nil + crl.CertList.TBSCertList.NextUpdate = time.Now().Add(time.Hour) + cache.Add(hex.EncodeToString(rawIssuer), crl) + var cfg = RevocationConfig{RootDir: testdata.Path("crl"), Cache: cache} + revocationStatus := checkChain(certs, cfg) + if revocationStatus != RevocationUnrevoked { + t.Fatalf("Certificate check should be RevocationUnrevoked, was %v", revocationStatus) + } + + // Modify the entry in the cache so that the cache will be refreshed + crl.CertList.TBSCertList.NextUpdate = time.Now() + cache.Add(hex.EncodeToString(rawIssuer), crl) + + revocationStatus = checkChain(certs, cfg) + if revocationStatus != RevocationRevoked { + t.Fatalf("A certificate should have been `RevocationRevoked` but was %v", revocationStatus) + } +}