authorlutter <lutter@980ebf18-57e1-0310-9a29-db15c13687c0>2006-08-21 21:54:13 +0000
committerlutter <lutter@980ebf18-57e1-0310-9a29-db15c13687c0>2006-08-21 21:54:13 +0000
commit7ade561e75853116baef15f3750e3563e6a6faaf (patch)
treea64b6e3f1cb2038386f60fb2774bb5a191ebc24e /test/certmgr
parentc6fc6c56cea381c7bdf15e8610a28a4c6924ecf5 (diff)
Support for certificate revocation and checking connections on the server against the CRL
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1475 980ebf18-57e1-0310-9a29-db15c13687c0
Diffstat (limited to 'test/certmgr')
-rwxr-xr-xtest/certmgr/certmgr.rb55
1 files changed, 55 insertions, 0 deletions
diff --git a/test/certmgr/certmgr.rb b/test/certmgr/certmgr.rb
index 8c88fe4d6..66376fcea 100755
--- a/test/certmgr/certmgr.rb
+++ b/test/certmgr/certmgr.rb
@@ -261,4 +261,59 @@ class TestCertMgr < Test::Unit::TestCase
}
assert_nil(cert)
end
+
+ def test_crl
+ ca = mkCA()
+ h1 = mkSignedCert(ca, "host1.example.com")
+ h2 = mkSignedCert(ca, "host2.example.com")
+
+ assert(ca.cert.verify(ca.cert.public_key))
+ assert(h1.verify(ca.cert.public_key))
+ assert(h2.verify(ca.cert.public_key))
+
+ crl = ca.crl
+ assert_not_nil(crl)
+
+ store = mkStore(ca)
+ assert( store.verify(ca.cert))
+ assert( store.verify(h1, [ca.cert]))
+ assert( store.verify(h2, [ca.cert]))
+
+ ca.revoke(h1.serial)
+
+ # Recreate the CA from disk
+ ca = mkCA()
+ store = mkStore(ca)
+ assert( store.verify(ca.cert))
+ assert(!store.verify(h1, [ca.cert]))
+ assert( store.verify(h2, [ca.cert]))
+
+ ca.revoke(h2.serial)
+ assert_equal(1, ca.crl.extensions.size)
+
+ File::open("/tmp/crl.pem", "w") { |f| f.write(ca.crl.to_pem) }
+ # Recreate the CA from disk
+ ca = mkCA()
+ store = mkStore(ca)
+ assert( store.verify(ca.cert))
+ assert(!store.verify(h1, [ca.cert]))
+ assert(!store.verify(h2, [ca.cert]))
+ end
+
+ def mkSignedCert(ca, host)
+ cert = mkcert(host)
+ assert_nothing_raised {
+ signedcert, cacert = ca.sign(cert.mkcsr)
+ return signedcert
+ }
+ end
+
+ def mkStore(ca)
+ store = OpenSSL::X509::Store.new
+ store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+ store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
+ store.add_cert(ca.cert)
+ store.add_crl(ca.crl)
+ store
+ end
end
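Review bot: `File::open("/tmp/crl.pem", "w") { |f| f.write(ca.crl.to_pem) }` in test_crl writes to a fixed, predictable path in a world-writable directory, and nothing in the test reads the file back, so it looks like debugging residue; a fixed name in /tmp is also a classic symlink/clobber target when the suite runs as a privileged user. I would drop that line, or if a copy of the CRL is genuinely needed, write it under the test's own temporary directory via a Tempfile rather than a hard-coded path. Separately, the revocation assertions `assert(!store.verify(h1, [ca.cert]))` only check that verification fails, not why; adding `assert_equal(OpenSSL::X509::V_ERR_CERT_REVOKED, store.error)` after each failed verify would keep the test from passing on an unrelated failure such as an unloadable or expired CRL. The enclosing class TestCertMgr begins before this hunk.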