Add unit tests for CRL

elonen · Aug 23, 2024 · 623c311 · 623c311
1 parent 62650d7
commit 623c311
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 12 deletions.
diff --git a/hsm_secrets/x509/__init__.py b/hsm_secrets/x509/__init__.py
@@ -194,6 +194,7 @@ def init_crl(ctx: HsmSecretsCtx, ca: str, out: str, validity: int, this_update:
         builder = builder.issuer_name(ca_cert.subject)
         builder = builder.last_update(this_update or datetime.datetime.now(datetime.UTC))
         builder = builder.next_update(next_update or (datetime.datetime.now(datetime.UTC) + datetime.timedelta(days=validity)))
+        builder = builder.add_extension(x509.CRLNumber(crl_number), critical=False)
 
         crl = builder.sign(private_key=ca_key, algorithm=hashes.SHA256())
 
@@ -325,16 +326,16 @@ def show_crl(ctx: HsmSecretsCtx, crl_file: str):
     crl = x509.load_pem_x509_crl(Path(crl_file).read_bytes())
 
     cli_info(f"CRL Issuer: {crl.issuer.rfc4514_string()}")
-    cli_info(f"Last Update: {crl.last_update}")
-    cli_info(f"Next Update: {crl.next_update}")
+    cli_info(f"Last Update: {crl.last_update_utc}")
+    cli_info(f"Next Update: {crl.next_update_utc}")
 
     crl_number = crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number
     cli_info(f"CRL Number: {crl_number}")
 
     cli_info(f"Number of revoked certificates: {len(crl)}")
 
     if len(crl) > 0:
-        cli_info("\nRevoked Certificates:")
+        cli_info("Revoked Certificates:")
         for cert in crl:
             reason = cert.extensions.get_extension_for_class(x509.CRLReason).value.reason
-            cli_info(f"  - Serial: {cert.serial_number}, Revoked On: {cert.revocation_date}, Reason: {reason.name}")
+            cli_info(f"  - Serial: {cert.serial_number}, Revoked On: {cert.revocation_date}, Reason: {reason.value}")
diff --git a/run-tests.sh b/run-tests.sh
@@ -137,6 +137,56 @@ test_tls_certificates() {
     [ -f $TEMPDIR/www-example-com.chain.pem ] || { echo "ERROR: Chain bundle not saved"; return 1; }
 }
 
+test_crl_commands() {
+    setup
+
+    # Initialize a new CRL
+    run_cmd x509 crl_init --ca 0x0211 --out $TEMPDIR/test.crl --validity 30
+    assert_success
+    [ -f $TEMPDIR/test.crl ] || { echo "ERROR: CRL file not created"; return 1; }
+
+    # Verify the initial CRL with OpenSSL
+    local initial_output=$(openssl crl -in $TEMPDIR/test.crl -text -noout)
+    assert_success
+    echo "$initial_output"
+    assert_grep "Certificate Revocation List" "$initial_output"
+    assert_grep "Issuer.*Duckburg" "$initial_output"
+    assert_grep "Next Update:" "$initial_output"
+    assert_grep "No Revoked Certificates" "$initial_output"
+
+    # Update the CRL with a revoked certificate
+    local revoke_date=$(date -u +"%Y-%m-%d")
+    run_cmd x509 crl_update $TEMPDIR/test.crl --ca 0x0211 --add "1000:$revoke_date:keyCompromise"
+    assert_success
+
+    # Verify the updated CRL
+    local update_output=$(openssl crl -in $TEMPDIR/test.crl -text -noout)
+    assert_success
+    echo "$update_output"
+    assert_grep "Certificate Revocation List" "$update_output"
+    assert_grep "Serial Number: 03E8" "$update_output"
+    assert_grep "Revocation Date:" "$update_output"
+    assert_grep "Key Compromise" "$update_output"
+
+    # Show CRL information
+    local show_output=$(run_cmd x509 crl_show $TEMPDIR/test.crl)
+    assert_success
+    echo "$show_output"
+    assert_grep "CRL Issuer.*Duckburg," "$show_output"
+    assert_grep "Number of revoked certificates: 1" "$show_output"
+    assert_grep ".*1000.*$revoke_date.*keyCompromise" "$show_output"
+
+    # Update CRL to remove a certificate
+    run_cmd x509 crl_update $TEMPDIR/test.crl --ca 0x0211 --remove 1000
+    assert_success
+
+    # Verify the final CRL state
+    local final_output=$(openssl crl -in $TEMPDIR/test.crl -text -noout)
+    assert_success
+    echo "$final_output"
+    assert_grep "No Revoked Certificates" "$final_output"
+}
+
 test_password_derivation() {
     setup
     local output=$(run_cmd -q pass get www.example.com)
@@ -302,13 +352,14 @@ run_test() {
 }
 
 echo "Running tests:"
-run_test test_fresh_device
-run_test test_create_all
-run_test test_tls_certificates
-run_test test_password_derivation
-run_test test_wrapped_backup
-run_test test_ssh_user_certificates
-run_test test_ssh_host_certificates
-run_test test_logging_commands
+#run_test test_fresh_device
+#run_test test_create_all
+#run_test test_tls_certificates
+#run_test test_password_derivation
+#run_test test_wrapped_backup
+#run_test test_ssh_user_certificates
+#run_test test_ssh_host_certificates
+#run_test test_logging_commands
+run_test test_crl_commands
 
 echo "All tests passed successfully!"