| 266 | } |
| 267 | |
| 268 | func TestVerifyCrl(t *testing.T) { |
| 269 | tamperedSignature := loadCRL(t, testdata.Path("crl/1.crl")) |
| 270 | // Change the signature so it won't verify |
| 271 | tamperedSignature.certList.Signature[0]++ |
| 272 | tamperedContent := loadCRL(t, testdata.Path("crl/provider_crl_empty.pem")) |
| 273 | // Change the content so it won't find a match |
| 274 | tamperedContent.rawIssuer[0]++ |
| 275 | |
| 276 | verifyTests := []struct { |
| 277 | desc string |
| 278 | crl *CRL |
| 279 | certs []*x509.Certificate |
| 280 | cert *x509.Certificate |
| 281 | errWant string |
| 282 | }{ |
| 283 | { |
| 284 | desc: "Pass intermediate", |
| 285 | crl: loadCRL(t, testdata.Path("crl/1.crl")), |
| 286 | certs: makeChain(t, testdata.Path("crl/unrevoked.pem")), |
| 287 | cert: makeChain(t, testdata.Path("crl/unrevoked.pem"))[1], |
| 288 | errWant: "", |
| 289 | }, |
| 290 | { |
| 291 | desc: "Pass leaf", |
| 292 | crl: loadCRL(t, testdata.Path("crl/2.crl")), |
| 293 | certs: makeChain(t, testdata.Path("crl/unrevoked.pem")), |
| 294 | cert: makeChain(t, testdata.Path("crl/unrevoked.pem"))[2], |
| 295 | errWant: "", |
| 296 | }, |
| 297 | { |
| 298 | desc: "Fail wrong cert chain", |
| 299 | crl: loadCRL(t, testdata.Path("crl/3.crl")), |
| 300 | certs: makeChain(t, testdata.Path("crl/unrevoked.pem")), |
| 301 | cert: makeChain(t, testdata.Path("crl/revokedInt.pem"))[1], |
| 302 | errWant: "No certificates matched", |
| 303 | }, |
| 304 | { |
| 305 | desc: "Fail no certs", |
| 306 | crl: loadCRL(t, testdata.Path("crl/1.crl")), |
| 307 | certs: []*x509.Certificate{}, |
| 308 | cert: makeChain(t, testdata.Path("crl/unrevoked.pem"))[1], |
| 309 | errWant: "No certificates matched", |
| 310 | }, |
| 311 | { |
| 312 | desc: "Fail Tampered signature", |
| 313 | crl: tamperedSignature, |
| 314 | certs: makeChain(t, testdata.Path("crl/unrevoked.pem")), |
| 315 | cert: makeChain(t, testdata.Path("crl/unrevoked.pem"))[1], |
| 316 | errWant: "verification failure", |
| 317 | }, |
| 318 | { |
| 319 | desc: "Fail Tampered content", |
| 320 | crl: tamperedContent, |
| 321 | certs: makeChain(t, testdata.Path("crl/provider_client_trust_cert.pem")), |
| 322 | cert: makeChain(t, testdata.Path("crl/provider_client_trust_cert.pem"))[0], |
| 323 | errWant: "No certificates", |
| 324 | }, |
| 325 | { |