Add test for expired CRL

rustls · May 16, 2024 · 91a157c · 91a157c
1 parent f05e85b
commit 91a157c
Show file tree

Hide file tree

Showing 73 changed files with 208 additions and 3 deletions.
diff --git a/tests/client_auth_revocation.rs b/tests/client_auth_revocation.rs
@@ -1547,3 +1547,107 @@ fn ee_dp_invalid_owned() {
         Err(webpki::Error::UnknownRevocationStatus)
     );
 }
+
+#[test]
+fn expired_crl_ignore_expiration() {
+    let ee = include_bytes!("client_auth_revocation/no_ku_chain.ee.der");
+    let intermediates = &[
+        include_bytes!("client_auth_revocation/no_ku_chain.int.a.ca.der").as_slice(),
+        include_bytes!("client_auth_revocation/no_ku_chain.int.b.ca.der").as_slice(),
+    ];
+    let ca = include_bytes!("client_auth_revocation/no_ku_chain.root.ca.der");
+
+    let crls = &[&webpki::CertRevocationList::Borrowed(
+        webpki::BorrowedCertRevocationList::from_der(
+            include_bytes!("client_auth_revocation/expired_crl_ignore_expiration.crl.der")
+                .as_slice(),
+        )
+        .unwrap(),
+    )];
+    let builder = RevocationOptionsBuilder::new(crls).unwrap();
+
+    let builder = builder.with_status_policy(UnknownStatusPolicy::Allow);
+    let revocation = Some(builder.build());
+    assert_eq!(check_cert(ee, intermediates, ca, revocation), Ok(()));
+}
+
+#[cfg(feature = "alloc")]
+#[test]
+fn expired_crl_ignore_expiration_owned() {
+    let ee = include_bytes!("client_auth_revocation/no_ku_chain.ee.der");
+    let intermediates = &[
+        include_bytes!("client_auth_revocation/no_ku_chain.int.a.ca.der").as_slice(),
+        include_bytes!("client_auth_revocation/no_ku_chain.int.b.ca.der").as_slice(),
+    ];
+    let ca = include_bytes!("client_auth_revocation/no_ku_chain.root.ca.der");
+
+    let crls = &[&webpki::CertRevocationList::Owned(
+        webpki::OwnedCertRevocationList::from_der(
+            include_bytes!("client_auth_revocation/expired_crl_ignore_expiration.crl.der")
+                .as_slice(),
+        )
+        .unwrap(),
+    )];
+    let builder = RevocationOptionsBuilder::new(crls).unwrap();
+
+    let builder = builder.with_status_policy(UnknownStatusPolicy::Allow);
+    let revocation = Some(builder.build());
+    assert_eq!(check_cert(ee, intermediates, ca, revocation), Ok(()));
+}
+
+#[test]
+fn expired_crl_enforce_expiration() {
+    let ee = include_bytes!("client_auth_revocation/no_ku_chain.ee.der");
+    let intermediates = &[
+        include_bytes!("client_auth_revocation/no_ku_chain.int.a.ca.der").as_slice(),
+        include_bytes!("client_auth_revocation/no_ku_chain.int.b.ca.der").as_slice(),
+    ];
+    let ca = include_bytes!("client_auth_revocation/no_ku_chain.root.ca.der");
+
+    let crls = &[&webpki::CertRevocationList::Borrowed(
+        webpki::BorrowedCertRevocationList::from_der(
+            include_bytes!("client_auth_revocation/expired_crl_enforce_expiration.crl.der")
+                .as_slice(),
+        )
+        .unwrap(),
+    )];
+    let builder = RevocationOptionsBuilder::new(crls).unwrap();
+
+    let builder = builder.with_status_policy(UnknownStatusPolicy::Allow);
+
+    let builder = builder.with_expiration_policy(webpki::ExpirationPolicy::Enforce);
+    let revocation = Some(builder.build());
+    assert_eq!(
+        check_cert(ee, intermediates, ca, revocation),
+        Err(webpki::Error::CrlExpired)
+    );
+}
+
+#[cfg(feature = "alloc")]
+#[test]
+fn expired_crl_enforce_expiration_owned() {
+    let ee = include_bytes!("client_auth_revocation/no_ku_chain.ee.der");
+    let intermediates = &[
+        include_bytes!("client_auth_revocation/no_ku_chain.int.a.ca.der").as_slice(),
+        include_bytes!("client_auth_revocation/no_ku_chain.int.b.ca.der").as_slice(),
+    ];
+    let ca = include_bytes!("client_auth_revocation/no_ku_chain.root.ca.der");
+
+    let crls = &[&webpki::CertRevocationList::Owned(
+        webpki::OwnedCertRevocationList::from_der(
+            include_bytes!("client_auth_revocation/expired_crl_enforce_expiration.crl.der")
+                .as_slice(),
+        )
+        .unwrap(),
+    )];
+    let builder = RevocationOptionsBuilder::new(crls).unwrap();
+
+    let builder = builder.with_status_policy(UnknownStatusPolicy::Allow);
+
+    let builder = builder.with_expiration_policy(webpki::ExpirationPolicy::Enforce);
+    let revocation = Some(builder.build());
+    assert_eq!(
+        check_cert(ee, intermediates, ca, revocation),
+        Err(webpki::Error::CrlExpired)
+    );
+}
diff --git a/tests/client_auth_revocation/dp_chain.ee.der b/tests/client_auth_revocation/dp_chain.ee.der
diff --git a/tests/client_auth_revocation/dp_chain.int.a.ca.der b/tests/client_auth_revocation/dp_chain.int.a.ca.der
diff --git a/tests/client_auth_revocation/dp_chain.int.b.ca.der b/tests/client_auth_revocation/dp_chain.int.b.ca.der
diff --git a/tests/client_auth_revocation/dp_chain.root.ca.der b/tests/client_auth_revocation/dp_chain.root.ca.der
diff --git a/tests/client_auth_revocation/dp_chain.topbit.ee.der b/tests/client_auth_revocation/dp_chain.topbit.ee.der
diff --git a/tests/client_auth_revocation/ee_crl_mismatched_idp_unknown_status.crl.der b/tests/client_auth_revocation/ee_crl_mismatched_idp_unknown_status.crl.der
diff --git a/tests/client_auth_revocation/ee_crl_no_idp_unknown_status.crl.der b/tests/client_auth_revocation/ee_crl_no_idp_unknown_status.crl.der
diff --git a/tests/client_auth_revocation/ee_dp_idp_match.crl.der b/tests/client_auth_revocation/ee_dp_idp_match.crl.der
diff --git a/tests/client_auth_revocation/ee_dp_invalid.crl.der b/tests/client_auth_revocation/ee_dp_invalid.crl.der
diff --git a/tests/client_auth_revocation/ee_indirect_dp_unknown_status.crl.der b/tests/client_auth_revocation/ee_indirect_dp_unknown_status.crl.der
diff --git a/tests/client_auth_revocation/ee_no_dp_crl_idp.crl.der b/tests/client_auth_revocation/ee_no_dp_crl_idp.crl.der
diff --git a/tests/client_auth_revocation/ee_nofullname_dp_unknown_status.crl.der b/tests/client_auth_revocation/ee_nofullname_dp_unknown_status.crl.der
diff --git a/tests/client_auth_revocation/ee_not_revoked_chain_depth.crl.der b/tests/client_auth_revocation/ee_not_revoked_chain_depth.crl.der
diff --git a/tests/client_auth_revocation/ee_not_revoked_ee_depth.crl.der b/tests/client_auth_revocation/ee_not_revoked_ee_depth.crl.der
diff --git a/tests/client_auth_revocation/ee_not_revoked_wrong_ku_ee_depth.crl.der b/tests/client_auth_revocation/ee_not_revoked_wrong_ku_ee_depth.crl.der
diff --git a/tests/client_auth_revocation/ee_reasons_dp_unknown_status.crl.der b/tests/client_auth_revocation/ee_reasons_dp_unknown_status.crl.der
diff --git a/tests/client_auth_revocation/ee_revoked_badsig_ee_depth.crl.der b/tests/client_auth_revocation/ee_revoked_badsig_ee_depth.crl.der
diff --git a/tests/client_auth_revocation/ee_revoked_chain_depth.crl.der b/tests/client_auth_revocation/ee_revoked_chain_depth.crl.der
diff --git a/tests/client_auth_revocation/ee_revoked_crl_ku_ee_depth.crl.der b/tests/client_auth_revocation/ee_revoked_crl_ku_ee_depth.crl.der
diff --git a/tests/client_auth_revocation/ee_revoked_no_ku_ee_depth.crl.der b/tests/client_auth_revocation/ee_revoked_no_ku_ee_depth.crl.der
diff --git a/tests/client_auth_revocation/ee_revoked_wrong_ku_ee_depth.crl.der b/tests/client_auth_revocation/ee_revoked_wrong_ku_ee_depth.crl.der
diff --git a/tests/client_auth_revocation/ee_with_top_bit_set_serial_revoked.crl.der b/tests/client_auth_revocation/ee_with_top_bit_set_serial_revoked.crl.der
diff --git a/tests/client_auth_revocation/expired_crl_enforce_expiration.crl.der b/tests/client_auth_revocation/expired_crl_enforce_expiration.crl.der
diff --git a/tests/client_auth_revocation/expired_crl_ignore_expiration.crl.der b/tests/client_auth_revocation/expired_crl_ignore_expiration.crl.der
diff --git a/tests/client_auth_revocation/indirect_dp_chain.ee.der b/tests/client_auth_revocation/indirect_dp_chain.ee.der
diff --git a/tests/client_auth_revocation/indirect_dp_chain.int.a.ca.der b/tests/client_auth_revocation/indirect_dp_chain.int.a.ca.der
diff --git a/tests/client_auth_revocation/indirect_dp_chain.int.b.ca.der b/tests/client_auth_revocation/indirect_dp_chain.int.b.ca.der
diff --git a/tests/client_auth_revocation/indirect_dp_chain.root.ca.der b/tests/client_auth_revocation/indirect_dp_chain.root.ca.der
diff --git a/tests/client_auth_revocation/indirect_dp_chain.topbit.ee.der b/tests/client_auth_revocation/indirect_dp_chain.topbit.ee.der
diff --git a/tests/client_auth_revocation/int_not_revoked_chain_depth.crl.der b/tests/client_auth_revocation/int_not_revoked_chain_depth.crl.der
diff --git a/tests/client_auth_revocation/int_not_revoked_chain_depth_forbid_unknown.crl.der b/tests/client_auth_revocation/int_not_revoked_chain_depth_forbid_unknown.crl.der
diff --git a/tests/client_auth_revocation/int_not_revoked_chain_depth_forbid_unknown_b.crl.der b/tests/client_auth_revocation/int_not_revoked_chain_depth_forbid_unknown_b.crl.der
diff --git a/tests/client_auth_revocation/int_not_revoked_chain_depth_forbid_unknown_ee.crl.der b/tests/client_auth_revocation/int_not_revoked_chain_depth_forbid_unknown_ee.crl.der
diff --git a/tests/client_auth_revocation/int_revoked_badsig_chain_depth.crl.der b/tests/client_auth_revocation/int_revoked_badsig_chain_depth.crl.der
diff --git a/tests/client_auth_revocation/int_revoked_crl_ku_chain_depth.crl.der b/tests/client_auth_revocation/int_revoked_crl_ku_chain_depth.crl.der
diff --git a/tests/client_auth_revocation/int_revoked_no_ku_chain_depth.crl.der b/tests/client_auth_revocation/int_revoked_no_ku_chain_depth.crl.der
diff --git a/tests/client_auth_revocation/int_revoked_wrong_ku_chain_depth.crl.der b/tests/client_auth_revocation/int_revoked_wrong_ku_chain_depth.crl.der
diff --git a/tests/client_auth_revocation/invalid_dp_chain.ee.der b/tests/client_auth_revocation/invalid_dp_chain.ee.der
diff --git a/tests/client_auth_revocation/invalid_dp_chain.int.a.ca.der b/tests/client_auth_revocation/invalid_dp_chain.int.a.ca.der
diff --git a/tests/client_auth_revocation/invalid_dp_chain.int.b.ca.der b/tests/client_auth_revocation/invalid_dp_chain.int.b.ca.der
diff --git a/tests/client_auth_revocation/invalid_dp_chain.root.ca.der b/tests/client_auth_revocation/invalid_dp_chain.root.ca.der
diff --git a/tests/client_auth_revocation/invalid_dp_chain.topbit.ee.der b/tests/client_auth_revocation/invalid_dp_chain.topbit.ee.der
diff --git a/tests/client_auth_revocation/ku_chain.ee.der b/tests/client_auth_revocation/ku_chain.ee.der
diff --git a/tests/client_auth_revocation/ku_chain.int.a.ca.der b/tests/client_auth_revocation/ku_chain.int.a.ca.der
diff --git a/tests/client_auth_revocation/ku_chain.int.b.ca.der b/tests/client_auth_revocation/ku_chain.int.b.ca.der
diff --git a/tests/client_auth_revocation/ku_chain.root.ca.der b/tests/client_auth_revocation/ku_chain.root.ca.der
diff --git a/tests/client_auth_revocation/ku_chain.topbit.ee.der b/tests/client_auth_revocation/ku_chain.topbit.ee.der
diff --git a/tests/client_auth_revocation/no_crl_ku_chain.ee.der b/tests/client_auth_revocation/no_crl_ku_chain.ee.der
diff --git a/tests/client_auth_revocation/no_crl_ku_chain.int.a.ca.der b/tests/client_auth_revocation/no_crl_ku_chain.int.a.ca.der
diff --git a/tests/client_auth_revocation/no_crl_ku_chain.int.b.ca.der b/tests/client_auth_revocation/no_crl_ku_chain.int.b.ca.der
diff --git a/tests/client_auth_revocation/no_crl_ku_chain.root.ca.der b/tests/client_auth_revocation/no_crl_ku_chain.root.ca.der
diff --git a/tests/client_auth_revocation/no_crl_ku_chain.topbit.ee.der b/tests/client_auth_revocation/no_crl_ku_chain.topbit.ee.der
diff --git a/tests/client_auth_revocation/no_ku_chain.ee.der b/tests/client_auth_revocation/no_ku_chain.ee.der
diff --git a/tests/client_auth_revocation/no_ku_chain.int.a.ca.der b/tests/client_auth_revocation/no_ku_chain.int.a.ca.der
diff --git a/tests/client_auth_revocation/no_ku_chain.int.b.ca.der b/tests/client_auth_revocation/no_ku_chain.int.b.ca.der
diff --git a/tests/client_auth_revocation/no_ku_chain.root.ca.der b/tests/client_auth_revocation/no_ku_chain.root.ca.der
diff --git a/tests/client_auth_revocation/no_ku_chain.topbit.ee.der b/tests/client_auth_revocation/no_ku_chain.topbit.ee.der
diff --git a/tests/client_auth_revocation/no_relevant_crl_chain_depth_allow_unknown.crl.der b/tests/client_auth_revocation/no_relevant_crl_chain_depth_allow_unknown.crl.der
diff --git a/tests/client_auth_revocation/no_relevant_crl_chain_depth_forbid_unknown.crl.der b/tests/client_auth_revocation/no_relevant_crl_chain_depth_forbid_unknown.crl.der
diff --git a/tests/client_auth_revocation/no_relevant_crl_ee_depth_allow_unknown.crl.der b/tests/client_auth_revocation/no_relevant_crl_ee_depth_allow_unknown.crl.der
diff --git a/tests/client_auth_revocation/no_relevant_crl_ee_depth_forbid_unknown.crl.der b/tests/client_auth_revocation/no_relevant_crl_ee_depth_forbid_unknown.crl.der
diff --git a/tests/client_auth_revocation/nofullname_dp_chain.ee.der b/tests/client_auth_revocation/nofullname_dp_chain.ee.der
diff --git a/tests/client_auth_revocation/nofullname_dp_chain.int.a.ca.der b/tests/client_auth_revocation/nofullname_dp_chain.int.a.ca.der
diff --git a/tests/client_auth_revocation/nofullname_dp_chain.int.b.ca.der b/tests/client_auth_revocation/nofullname_dp_chain.int.b.ca.der
diff --git a/tests/client_auth_revocation/nofullname_dp_chain.root.ca.der b/tests/client_auth_revocation/nofullname_dp_chain.root.ca.der
diff --git a/tests/client_auth_revocation/nofullname_dp_chain.topbit.ee.der b/tests/client_auth_revocation/nofullname_dp_chain.topbit.ee.der
diff --git a/tests/client_auth_revocation/reasons_dp_chain.ee.der b/tests/client_auth_revocation/reasons_dp_chain.ee.der
diff --git a/tests/client_auth_revocation/reasons_dp_chain.int.a.ca.der b/tests/client_auth_revocation/reasons_dp_chain.int.a.ca.der
diff --git a/tests/client_auth_revocation/reasons_dp_chain.int.b.ca.der b/tests/client_auth_revocation/reasons_dp_chain.int.b.ca.der
diff --git a/tests/client_auth_revocation/reasons_dp_chain.root.ca.der b/tests/client_auth_revocation/reasons_dp_chain.root.ca.der
diff --git a/tests/client_auth_revocation/reasons_dp_chain.topbit.ee.der b/tests/client_auth_revocation/reasons_dp_chain.topbit.ee.der