Add test for CRL entry extensions

sfackler · Mar 28, 2023 · d8e655a · d8e655a
1 parent 3b25d11
commit d8e655a
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 2 deletions.
diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
@@ -54,6 +54,7 @@ mod tests;
 ///
 /// # Safety
 /// The value of NID and Output must match those in OpenSSL so that
+/// `Output::from_ptr_opt(*_get_ext_d2i(*, NID, ...))` is valid.
 pub unsafe trait ExtensionType {
     const NID: Nid;
     type Output: ForeignType;

diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs
@@ -1,4 +1,5 @@
 use std::cmp::Ordering;
+use std::convert::TryInto;
 
 use crate::asn1::Asn1Time;
 use crate::bn::{BigNum, MsbOption};
@@ -18,19 +19,21 @@ use crate::x509::store::X509Lookup;
 use crate::x509::store::X509StoreBuilder;
 #[cfg(any(ossl102, libressl261))]
 use crate::x509::verify::{X509VerifyFlags, X509VerifyParam};
-#[cfg(ossl110)]
-use crate::x509::X509Builder;
 #[cfg(ossl102)]
 use crate::x509::X509PurposeId;
 #[cfg(any(ossl102, libressl261))]
 use crate::x509::X509PurposeRef;
+#[cfg(ossl110)]
+use crate::x509::{CrlReason, X509Builder};
 use crate::x509::{
     CrlStatus, X509Crl, X509Extension, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509,
 };
 use hex::{self, FromHex};
 #[cfg(any(ossl102, libressl261))]
 use libc::time_t;
 
+use super::{CertificateIssuer, ReasonCode};
+
 fn pkey() -> PKey<Private> {
     let rsa = Rsa::generate(2048).unwrap();
     PKey::from_rsa(rsa).unwrap()
@@ -611,6 +614,40 @@ fn test_load_crl() {
     );
 }
 
+#[test]
+fn test_crl_entry_extensions() {
+    let crl = include_bytes!("../../test/entry_extensions.crl");
+    let crl = X509Crl::from_pem(crl).unwrap();
+
+    let revoked_certs = crl.get_revoked().unwrap();
+    let entry = &revoked_certs[0];
+
+    let (critical, issuer) = entry
+        .extension::<CertificateIssuer>()
+        .unwrap()
+        .expect("Certificate issuer extension should be present");
+    assert!(critical, "Certificate issuer extension is critical");
+    assert_eq!(issuer.len(), 1, "Certificate issuer should have one entry");
+    let issuer = issuer[0]
+        .directory_name()
+        .expect("Issuer should be a directory name");
+    assert_eq!(
+        format!("{:?}", issuer),
+        r#"[countryName = "GB", commonName = "Test CA"]"#
+    );
+
+    let (critical, reason_code) = entry
+        .extension::<ReasonCode>()
+        .unwrap()
+        .expect("Reason code extension should be present");
+    assert!(!critical, "Reason code extension is not critical");
+    #[cfg(ossl110)]
+    assert_eq!(
+        CrlReason::KEY_COMPROMISE,
+        CrlReason::from_raw(reason_code.get_i64().unwrap().try_into().unwrap())
+    );
+}
+
 #[test]
 fn test_save_subject_der() {
     let cert = include_bytes!("../../test/cert.pem");

diff --git a/openssl/test/entry_extensions.crl b/openssl/test/entry_extensions.crl
@@ -0,0 +1,10 @@
+-----BEGIN X509 CRL-----
+MIIBXDCCAQICAQEwCgYIKoZIzj0EAwIwETEPMA0GA1UEAwwGQ1JMIENBFw0yMzAz
+MjgwOTQ5MThaFw0yMzA0MDQwOTUwMDdaMIGAMH4CFE+Y95/1pOqa6c9fUEJ8c04k
+xu2PFw0yMzAzMjgwOTQ3MzNaMFcwLwYDVR0dAQH/BCUwI6QhMB8xCzAJBgNVBAYT
+AkdCMRAwDgYDVQQDDAdUZXN0IENBMAoGA1UdFQQDCgEBMBgGA1UdGAQRGA8yMDIz
+MDMyODA5NDQ0MFqgPTA7MB8GA1UdIwQYMBaAFNX1GZ0RWuC+4gz1wuy5H32T2W+R
+MAoGA1UdFAQDAgEUMAwGA1UdHAQFMAOEAf8wCgYIKoZIzj0EAwIDSAAwRQIgbl7x
+W+WVAb+zlvKcJLmHVuC+gbqR4jqwGIHHgQl2J8kCIQCo/sAF5sDqy/cL+fbzBeUe
+YoY2h6lIkj9ENwU8ZCt03w==
+-----END X509 CRL-----