test: complete test for validate

Signed-off-by: Junjie Gao <[email protected]>
notaryproject · Nov 28, 2024 · 0b6179a · 0b6179a
1 parent 77b5972
commit 0b6179a
Show file tree

Hide file tree

Showing 4 changed files with 219 additions and 9 deletions.
diff --git a/revocation/crl/fetcher.go b/revocation/crl/fetcher.go
@@ -163,7 +163,7 @@ func (f *HTTPFetcher) processDeltaCRL(extensions *[]pkix.Extension) (*x509.Revoc
 		if ext.Id.Equal(oidFreshestCRL) {
 			cdp, err := parseFreshestCRL(ext)
 			if err != nil {
-				return nil, err
+				return nil, fmt.Errorf("failed to parse Freshest CRL extension: %w", err)
 			}
 			if len(cdp) == 0 {
 				return nil, nil

diff --git a/revocation/crl/fetcher_test.go b/revocation/crl/fetcher_test.go
@@ -394,7 +394,7 @@ func TestProcessDeltaCRL(t *testing.T) {
 		certPath := "testdata/certificateWithIncompleteFreshestCRL.cer"
 		extensions := loadExtentsion(certPath)
 		_, err := fetcher.processDeltaCRL(extensions)
-		expectedErrorMsg := "x509: invalid CRL distribution point"
+		expectedErrorMsg := "failed to parse Freshest CRL extension: x509: invalid CRL distribution point"
 		if err == nil || err.Error() != expectedErrorMsg {
 			t.Fatalf("expected error %q, got %v", expectedErrorMsg, err)
 		}
@@ -438,7 +438,7 @@ func TestProcessDeltaCRL(t *testing.T) {
 		certPath := "testdata/certificateWithIncompleteFreshestCRL.cer"
 		extensions := loadExtentsion(certPath)
 		_, err := fetcher.fetch(context.Background(), "http://localhost.test", extensions)
-		expectedErrorMsg := "x509: invalid CRL distribution point"
+		expectedErrorMsg := "failed to parse Freshest CRL extension: x509: invalid CRL distribution point"
 		if err == nil || err.Error() != expectedErrorMsg {
 			t.Fatalf("expected error %q, got %v", expectedErrorMsg, err)
 		}

diff --git a/revocation/internal/crl/crl.go b/revocation/internal/crl/crl.go
@@ -190,15 +190,15 @@ func validate(bundle *crl.Bundle, issuer *x509.Certificate) error {
 	// validate base CRL
 	baseCRL := bundle.BaseCRL
 	if err := validateCRL(baseCRL, issuer); err != nil {
-		return err
+		return fmt.Errorf("failed to validate base CRL: %w", err)
 	}
 
 	if bundle.DeltaCRL != nil {
 		// validate delta CRL
 		// RFC 5280, Section 5.2.4
 		deltaCRL := bundle.DeltaCRL
-		if err := validateCRL(bundle.DeltaCRL, issuer); err != nil {
-			return err
+		if err := validateCRL(deltaCRL, issuer); err != nil {
+			return fmt.Errorf("failed to validate delta CRL: %w", err)
 		}
 
 		if deltaCRL.Number.Cmp(baseCRL.Number) <= 0 {
@@ -213,6 +213,7 @@ func validate(bundle *crl.Bundle, issuer *x509.Certificate) error {
 				if !value.ReadASN1Integer(minimumBaseCRLNumber) {
 					return errors.New("failed to parse delta CRL indicator extension")
 				}
+				break
 			}
 		}
 		if minimumBaseCRLNumber == nil {
@@ -246,6 +247,8 @@ func validateCRL(crl *x509.RevocationList, issuer *x509.Certificate) error {
 			// IssuingDistributionPoint is a critical extension that identifies
 			// the scope of the CRL. Since we will check all the CRL
 			// distribution points, it is not necessary to check this extension.
+		case ext.Id.Equal(oidDeltaCRLIndicator):
+			// will be checked in validate()
 		default:
 			if ext.Critical {
 				// unsupported critical extensions is not allowed. (See RFC 5280, Section 5.2)
@@ -269,9 +272,9 @@ func checkRevocation(cert *x509.Certificate, b *crl.Bundle, signingTime time.Tim
 		return nil, errors.New("baseCRL cannot be nil")
 	}
 
-	entriesArray := []*[]x509.RevocationListEntry{&b.BaseCRL.RevokedCertificateEntries}
+	entriesBundle := []*[]x509.RevocationListEntry{&b.BaseCRL.RevokedCertificateEntries}
 	if b.DeltaCRL != nil {
-		entriesArray = append(entriesArray, &b.DeltaCRL.RevokedCertificateEntries)
+		entriesBundle = append(entriesBundle, &b.DeltaCRL.RevokedCertificateEntries)
 	}
 
 	// latestTempRevokedEntry contains the most recent revocation entry with
@@ -283,7 +286,7 @@ func checkRevocation(cert *x509.Certificate, b *crl.Bundle, signingTime time.Tim
 	var latestTempRevokedEntry *x509.RevocationListEntry
 
 	// iterate over all the entries in the base and delta CRLs
-	for _, entries := range entriesArray {
+	for _, entries := range entriesBundle {
 		for i, revocationEntry := range *entries {
 			if revocationEntry.SerialNumber.Cmp(cert.SerialNumber) == 0 {
 				extensions, err := parseEntryExtensions(revocationEntry)

diff --git a/revocation/internal/crl/crl_test.go b/revocation/internal/crl/crl_test.go
@@ -391,6 +391,213 @@ func TestValidate(t *testing.T) {
 			t.Fatal(err)
 		}
 	})
+
+	chain := testhelper.GetRevokableRSAChainWithRevocations(1, false, true)
+	issuerCert := chain[0].Cert
+	issuerKey := chain[0].PrivateKey
+
+	crlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
+		NextUpdate: time.Now().Add(time.Hour),
+		Number:     big.NewInt(20240720),
+	}, issuerCert, issuerKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	crl, err := x509.ParseRevocationList(crlBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	t.Run("valid crl and delta crl", func(t *testing.T) {
+		deltaCRLIndicator := big.NewInt(20240720)
+		deltaCRLIndicatorBytes, err := asn1.Marshal(deltaCRLIndicator)
+		if err != nil {
+			t.Fatal(err)
+		}
+		deltaCRLBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
+			NextUpdate: time.Now().Add(time.Hour),
+			Number:     big.NewInt(20240721),
+			ExtraExtensions: []pkix.Extension{
+				{
+					Id:       oidDeltaCRLIndicator,
+					Critical: true,
+					Value:    deltaCRLIndicatorBytes,
+				},
+			},
+		}, issuerCert, issuerKey)
+		if err != nil {
+			t.Fatal(err)
+		}
+		deltaCRL, err := x509.ParseRevocationList(deltaCRLBytes)
+		if err != nil {
+			t.Fatal(err)
+		}
+		bundle := &crlutils.Bundle{
+			BaseCRL:  crl,
+			DeltaCRL: deltaCRL,
+		}
+		if err := validate(bundle, issuerCert); err != nil {
+			t.Fatal(err)
+		}
+	})
+
+	t.Run("invalid delta crl", func(t *testing.T) {
+		deltaCRLIndicator := big.NewInt(20240720)
+		deltaCRLIndicatorBytes, err := asn1.Marshal(deltaCRLIndicator)
+		if err != nil {
+			t.Fatal(err)
+		}
+		deltaCRLBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
+			Number: big.NewInt(20240721),
+			ExtraExtensions: []pkix.Extension{
+				{
+					Id:       oidDeltaCRLIndicator,
+					Critical: true,
+					Value:    deltaCRLIndicatorBytes,
+				},
+			},
+		}, issuerCert, issuerKey)
+		if err != nil {
+			t.Fatal(err)
+		}
+		deltaCRL, err := x509.ParseRevocationList(deltaCRLBytes)
+		if err != nil {
+			t.Fatal(err)
+		}
+		bundle := &crlutils.Bundle{
+			BaseCRL:  crl,
+			DeltaCRL: deltaCRL,
+		}
+		err = validate(bundle, issuerCert)
+		expectedErrorMsg := "failed to validate delta CRL: CRL NextUpdate is not set"
+		if err == nil || err.Error() != expectedErrorMsg {
+			t.Fatalf("expected error %q, got %v", expectedErrorMsg, err)
+		}
+	})
+
+	t.Run("invalid delta crl number", func(t *testing.T) {
+		deltaCRLIndicator := big.NewInt(20240720)
+		deltaCRLIndicatorBytes, err := asn1.Marshal(deltaCRLIndicator)
+		if err != nil {
+			t.Fatal(err)
+		}
+		deltaCRLBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
+			NextUpdate: time.Now().Add(time.Hour),
+			Number:     big.NewInt(20240719),
+			ExtraExtensions: []pkix.Extension{
+				{
+					Id:       oidDeltaCRLIndicator,
+					Critical: true,
+					Value:    deltaCRLIndicatorBytes,
+				},
+			},
+		}, issuerCert, issuerKey)
+		if err != nil {
+			t.Fatal(err)
+		}
+		deltaCRL, err := x509.ParseRevocationList(deltaCRLBytes)
+		if err != nil {
+			t.Fatal(err)
+		}
+		bundle := &crlutils.Bundle{
+			BaseCRL:  crl,
+			DeltaCRL: deltaCRL,
+		}
+		err = validate(bundle, issuerCert)
+		expectedErrorMsg := "delta CRL number 20240719 is not greater than the base CRL number 20240720"
+		if err == nil || err.Error() != expectedErrorMsg {
+			t.Fatalf("expected error %q, got %v", expectedErrorMsg, err)
+		}
+	})
+
+	t.Run("delta crl without delta crl indicator", func(t *testing.T) {
+		deltaCRLBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
+			NextUpdate: time.Now().Add(time.Hour),
+			Number:     big.NewInt(20240721),
+		}, issuerCert, issuerKey)
+		if err != nil {
+			t.Fatal(err)
+		}
+		deltaCRL, err := x509.ParseRevocationList(deltaCRLBytes)
+		if err != nil {
+			t.Fatal(err)
+		}
+		bundle := &crlutils.Bundle{
+			BaseCRL:  crl,
+			DeltaCRL: deltaCRL,
+		}
+		err = validate(bundle, issuerCert)
+		expectedErrorMsg := "delta CRL indicator extension is not found"
+		if err == nil || err.Error() != expectedErrorMsg {
+			t.Fatalf("expected error %q, got %v", expectedErrorMsg, err)
+		}
+	})
+
+	t.Run("delta crl minimum base crl number is greater than base crl", func(t *testing.T) {
+		deltaCRLIndicator := big.NewInt(20240721)
+		deltaCRLIndicatorBytes, err := asn1.Marshal(deltaCRLIndicator)
+		if err != nil {
+			t.Fatal(err)
+		}
+		deltaCRLBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
+			NextUpdate: time.Now().Add(time.Hour),
+			Number:     big.NewInt(20240722),
+			ExtraExtensions: []pkix.Extension{
+				{
+					Id:       oidDeltaCRLIndicator,
+					Critical: true,
+					Value:    deltaCRLIndicatorBytes,
+				},
+			},
+		}, issuerCert, issuerKey)
+		if err != nil {
+			t.Fatal(err)
+		}
+		deltaCRL, err := x509.ParseRevocationList(deltaCRLBytes)
+		if err != nil {
+			t.Fatal(err)
+		}
+		bundle := &crlutils.Bundle{
+			BaseCRL:  crl,
+			DeltaCRL: deltaCRL,
+		}
+		err = validate(bundle, issuerCert)
+		expectedErrorMsg := "delta CRL indicator 20240721 is not less than or equal to the base CRL number 20240720"
+		if err == nil || err.Error() != expectedErrorMsg {
+			t.Fatalf("expected error %q, got %v", expectedErrorMsg, err)
+		}
+	})
+
+	t.Run("delta crl with invalid delta indicator extension", func(t *testing.T) {
+		deltaCRLBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
+			NextUpdate: time.Now().Add(time.Hour),
+			Number:     big.NewInt(20240722),
+			ExtraExtensions: []pkix.Extension{
+				{
+					Id:       oidDeltaCRLIndicator,
+					Critical: true,
+					Value:    []byte("invalid"),
+				},
+			},
+		}, issuerCert, issuerKey)
+		if err != nil {
+			t.Fatal(err)
+		}
+		deltaCRL, err := x509.ParseRevocationList(deltaCRLBytes)
+		if err != nil {
+			t.Fatal(err)
+		}
+		bundle := &crlutils.Bundle{
+			BaseCRL:  crl,
+			DeltaCRL: deltaCRL,
+		}
+		err = validate(bundle, issuerCert)
+		expectedErrorMsg := "failed to parse delta CRL indicator extension"
+		if err == nil || err.Error() != expectedErrorMsg {
+			t.Fatalf("expected error %q, got %v", expectedErrorMsg, err)
+		}
+	})
 }
 
 func TestCheckRevocation(t *testing.T) {