From 83e548a06848d923eada1ac66d1a912735b67e79 Mon Sep 17 00:00:00 2001 From: Daniel McCarney Date: Thu, 6 Jul 2023 14:06:33 -0400 Subject: [PATCH] tests: update botan tests to include CRL support. This commit updates the `botan-rs` test suite to include support for parsing a CRL generated by `rcgen`, as well as checking a revoked certificate is present in the CRL contents. The `botan-rs` lib doesn't yet support using CRLs when validating a certificate chain, or verifying the signature over a CRL, pending updates to the underlying C++ `botan` lib. --- Cargo.lock | 86 +++++++++++++++++++++++++------------------------- tests/botan.rs | 54 +++++++++++++++++++++++++++++++ 2 files changed, 97 insertions(+), 43 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 83b5e4f2..3440587a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -67,24 +67,24 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "botan" -version = "0.10.3" +version = "0.10.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "892c489ddae46dd4748fff8b41ad1fb17d405892fb6978ef470441eddb2df4ef" +checksum = "9728e14ac65b5b40061c56abdbc3c2ac13e8caca19ac117f26e6caa0932a1175" dependencies = [ "botan-sys", ] [[package]] name = "botan-src" -version = "0.21903.1" +version = "0.30101.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "beb7bc6140fe563408b7ac7593897bbd589a284887a1d7a55f106df008a5d0a5" +checksum = "a7694cfea31433b099f0f2b50cf18f4962befcb12c7b2b54beb1d93128e8119f" [[package]] name = "botan-sys" -version = "0.10.3" +version = "0.10.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8f94a43f34344aabf27d50838a2b38aa8aad7c7d1e941e8abb015f608c972b1" +checksum = "03c5689645c1dc8445b5a0d1fdd0764a96d00b6ee90504e551417a425669853f" dependencies = [ "botan-src", ] 
@@ -115,9 +115,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "const-oid" -version = "0.9.2" +version = "0.9.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "520fbf3c07483f94e3e3ca9d0cfd913d7718ef2483d2cfd91c0d9e91474ab913" +checksum = "6340df57935414636969091153f35f68d9f00bbc8fb4a9c6054706c213e6c6bc" [[package]] name = "crypto-common" @@ -137,9 +137,9 @@ checksum = "c2e66c9d817f1720209181c316d28635c050fa304f9c79e47a520882661b7308" [[package]] name = "der" -version = "0.7.6" +version = "0.7.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "56acb310e15652100da43d130af8d97b509e95af61aab1c5a7939ef24337ee17" +checksum = "0c7ed52955ce76b1554f509074bb357d3fb8ac9b51288a65a3fd480d1dfba946" dependencies = [ "const-oid", "pem-rfc7468", @@ -178,7 +178,7 @@ checksum = "487585f4d0c6655fe74905e2504d8ad6908e4db67f744eb140876906c2f3175d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.18", + "syn 2.0.23", ] [[package]] @@ -219,9 +219,9 @@ dependencies = [ [[package]] name = "itoa" -version = "1.0.6" +version = "1.0.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "453ad9f582a441959e5f0d088b02ce04cfe8d51a8eaf077f12ac6d3e94164ca6" +checksum = "62b02a5381cc465bd3041d84623d0fa3b66738b52b8e2fc3bab8ad63ab032f4a" [[package]] name = "js-sys" @@ -243,9 +243,9 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.146" +version = "0.2.147" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f92be4933c13fd498862a9e02a3055f8a8d9c039ce33db97306fd5a6caa7f29b" +checksum = "b4668fb0ea861c1df094127ac5f1da3409a82116a4ba74fca2e58ef927159bb3" [[package]] name = "libm" 
@@ -294,9 +294,9 @@ dependencies = [ [[package]] name = "num-bigint-dig" -version = "0.8.2" +version = "0.8.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2399c9463abc5f909349d8aa9ba080e0b88b3ce2885389b60b993f39b1a56905" +checksum = "dc84195820f291c7697304f3cbdadd1cb7199c0efc917ff5eafd71225c136151" dependencies = [ "byteorder", "lazy_static", @@ -357,9 +357,9 @@ checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" [[package]] name = "openssl" -version = "0.10.54" +version = "0.10.55" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69b3f656a17a6cbc115b5c7a40c616947d213ba182135b014d6051b73ab6f019" +checksum = "345df152bc43501c5eb9e4654ff05f794effb78d4efe3d53abc158baddc0703d" dependencies = [ "bitflags", "cfg-if", @@ -378,14 +378,14 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.18", + "syn 2.0.23", ] [[package]] name = "openssl-sys" -version = "0.9.88" +version = "0.9.90" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c2ce0f250f34a308dcfdbb351f511359857d4ed2134ba715a4eadd46e1ffd617" +checksum = "374533b0e45f3a7ced10fcaeccca020e66656bc03dac384f852e4e5a7a8104a6" dependencies = [ "cc", "libc", 
@@ -447,18 +447,18 @@ checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de" [[package]] name = "proc-macro2" -version = "1.0.60" +version = "1.0.63" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dec2b086b7a862cf4de201096214fa870344cf922b2b30c167badb3af3195406" +checksum = "7b368fba921b0dce7e60f5e04ec15e565b3303972b42bcfde1d0713b881959eb" dependencies = [ "unicode-ident", ] [[package]] name = "quote" -version = "1.0.28" +version = "1.0.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1b9ab9c7eadfd8df19006f1cf1a4aed13540ed5cbc047010ece5826e10825488" +checksum = "573015e8ab27661678357f27dc26460738fd2b6c86e46f386fde94cb5d913105" dependencies = [ "proc-macro2", ] @@ -558,9 +558,9 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.101.0" +version = "0.101.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "89efed4bd0af2a8de0feb22ba38030244c93db56112b8aa67d27022286852b1c" +checksum = "15f36a6828982f422756984e47912a7a51dcbc2a197aa791158f8ca61cd8204e" dependencies = [ "ring", "untrusted", @@ -568,9 +568,9 @@ dependencies = [ [[package]] name = "serde" -version = "1.0.164" +version = "1.0.166" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e8c8cf938e98f769bc164923b06dce91cea1751522f46f8466461af04c9027d" +checksum = "d01b7404f9d441d3ad40e6a636a7782c377d2abdbe4fa2440e2edcc2f4f10db8" [[package]] name = "signature" @@ -584,9 +584,9 @@ dependencies = [ [[package]] name = "smallvec" -version = "1.10.0" +version = "1.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a507befe795404456341dfab10cef66ead4c041f62b8b11bbb92bffe5d0953e0" +checksum = "62bb4feee49fdd9f707ef802e22365a35de4b7b299de4763d44bfea899442ff9" [[package]] name = "spin" 
@@ -623,9 +623,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.18" +version = "2.0.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32d41677bcbe24c20c52e7c70b0d8db04134c5d1066bf98662e2871ad200ea3e" +checksum = "59fb7d6d8281a51045d62b8eb3a7d1ce347b76f312af50cd3dc0af39c87c1737" dependencies = [ "proc-macro2", "quote", @@ -646,22 +646,22 @@ dependencies = [ [[package]] name = "thiserror" -version = "1.0.40" +version = "1.0.41" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "978c9a314bd8dc99be594bc3c175faaa9794be04a5a5e153caba6915336cebac" +checksum = "c16a64ba9387ef3fdae4f9c1a7f07a0997fce91985c0336f1ddc1822b3b37802" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.40" +version = "1.0.41" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f9456a42c5b0d803c8cd86e73dd7cc9edd429499f37a3550d286d5e86720569f" +checksum = "d14928354b01c4d6a4f0e549069adef399a284e7995c7ccca94e8a07a5346c59" dependencies = [ "proc-macro2", "quote", - "syn 2.0.18", + "syn 2.0.23", ] [[package]] @@ -699,9 +699,9 @@ checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba" [[package]] name = "unicode-ident" -version = "1.0.9" +version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b15811caf2415fb889178633e7724bad2509101cde276048e013b9def5e51fa0" +checksum = "22049a19f4a68748a168c0fc439f9516686aa045927ff767eca0a85101fb6e73" [[package]] name = "unicode-xid" @@ -754,7 +754,7 @@ dependencies = [ "once_cell", "proc-macro2", "quote", - "syn 2.0.18", + "syn 2.0.23", "wasm-bindgen-shared", ] @@ -776,7 +776,7 @@ checksum = "54681b18a46765f095758388f2d0cf16eb8d4169b639ab575a8f5693af210c7b" dependencies = [ "proc-macro2", "quote", - "syn 2.0.18", + "syn 2.0.23", "wasm-bindgen-backend", "wasm-bindgen-shared", ] diff --git a/tests/botan.rs b/tests/botan.rs index 4b0d2845..9c745166 100644 --- a/tests/botan.rs 
+++ b/tests/botan.rs
@@ -1,6 +1,10 @@
 #![cfg(all(feature = "x509-parser", not(windows)))]
+
+use time::{Duration, OffsetDateTime};
 use rcgen::DnValue;
 use rcgen::{BasicConstraints, Certificate, CertificateParams, DnType, IsCa};
+use rcgen::{KeyUsagePurpose, SerialNumber};
+use rcgen::{CertificateRevocationList, CertificateRevocationListParams, RevokedCertParams, RevocationReason};
 mod util;
@@ -200,3 +204,53 @@ fn test_botan_imported_ca_with_printable_string() {
 check_cert_ca(&cert_der, &cert, &ca_cert_der);
 }
+
+#[test]
+fn test_botan_crl_parse() {
+ // Create an issuer CA.
+ let alg = &rcgen::PKCS_ECDSA_P256_SHA256;
+ let mut issuer = util::default_params();
+ issuer.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+ issuer.key_usages = vec![KeyUsagePurpose::KeyCertSign, KeyUsagePurpose::DigitalSignature, KeyUsagePurpose::CrlSign];
+ issuer.alg = alg;
+ let issuer = Certificate::from_params(issuer).unwrap();
+
+ // Create an end entity cert issued by the issuer.
+ let mut ee = util::default_params();
+ ee.alg = alg;
+ ee.is_ca = IsCa::NoCa;
+ ee.serial_number = Some(SerialNumber::from(99999));
+ // Botan has a sanity check that enforces a maximum expiration date
+ ee.not_after = rcgen::date_time_ymd(3016, 01, 01);
+ let ee = Certificate::from_params(ee).unwrap();
+ let ee_der = ee.serialize_der_with_signer(&issuer).unwrap();
+ let botan_ee = botan::Certificate::load(ee_der.as_ref()).unwrap();
+
+ // Generate a CRL with the issuer that revokes the EE cert.
+ let now = OffsetDateTime::now_utc();
+ let crl = CertificateRevocationListParams{
+ this_update: now,
+ next_update: now + Duration::weeks(1),
+ crl_number: rcgen::SerialNumber::from(1234),
+ revoked_certs: vec![RevokedCertParams{
+ serial_number: ee.get_params().serial_number.clone().unwrap(),
+ revocation_time: now,
+ reason_code: Some(RevocationReason::KeyCompromise),
+ invalidity_date: None,
+ }],
+ key_identifier_method: rcgen::KeyIdMethod::Sha256,
+ alg,
+ };
+ let crl = CertificateRevocationList::from_params(crl).unwrap();
+
+ // Serialize to both DER and PEM.
+ let crl_der = crl.serialize_der_with_signer(&issuer).unwrap();
+ let crl_pem = crl.serialize_pem_with_signer(&issuer).unwrap();
+
+ // We should be able to load the CRL in both serializations.
+ botan::CRL::load(crl_pem.as_ref()).unwrap();
+ let crl = botan::CRL::load(crl_der.as_ref()).unwrap();
+
+ // We should find the EE cert revoked.
+ assert!(crl.is_revoked(&botan_ee).unwrap());
+}
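Review bot: The `is_revoked` assertion at the end of the hunk has no negative counterpart, so a lookup that reported every certificate from this issuer as revoked would still pass; a second end-entity certificate signed by the same issuer but with a serial absent from the CRL should be asserted not revoked, as sketched below (serial 12345 is a constructed sample). The PEM-loaded CRL on the first line of this chunk is dropped immediately, so the PEM path only proves parseability; if botan-rs exposes the revoked entries, comparing them against the DER-loaded CRL would make that load meaningful. Because botan-rs cannot yet verify the signature over the CRL (as the commit message notes), a comment above the `botan::CRL::load` calls such as `// NOTE: botan-rs does not verify the CRL signature yet; this only checks encoding and contents, not authenticity.` would stop a reader from mistaking this for a signature test. Minor: `date_time_ymd(3016, 01, 01)` in the earlier part of the hunk trips clippy's `zero_prefixed_literal` lint and reads better as `date_time_ymd(3016, 1, 1)`.
```rust
	assert!(crl.is_revoked(&botan_ee).unwrap());

	// A cert from the same issuer that is absent from the CRL must not be reported revoked.
	let mut other = util::default_params();
	other.alg = alg;
	other.is_ca = IsCa::NoCa;
	other.serial_number = Some(SerialNumber::from(12345));
	other.not_after = rcgen::date_time_ymd(3016, 1, 1);
	let other = Certificate::from_params(other).unwrap();
	let other_der = other.serialize_der_with_signer(&issuer).unwrap();
	let botan_other = botan::Certificate::load(other_der.as_ref()).unwrap();
	assert!(!crl.is_revoked(&botan_other).unwrap());
}
```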