rpki/tests/test_crl_decode.rs

use std::path::PathBuf;
use rpki::data_model::crl::RpkixCrl;
use rpki::data_model::crl::Asn1TimeEncoding;
/// Decodes the CRL fixture and pins the header and extension fields the
/// decoder exposes for it.
///
/// The fixture's file name is the hex form of the key identifier that the
/// test expects in the Authority Key Identifier extension, so the AKI
/// assertion also ties the decoded CRL to the file it was loaded from.
#[test]
fn decode_and_validate_crl_fixture() {
    let fixture = PathBuf::from("tests/fixtures/05FC9C5B88506F7C0D3F862C8895BED67E9F8EBA.crl");
    let bytes = std::fs::read(&fixture).expect("read CRL fixture");
    let parsed = RpkixCrl::decode_der(&bytes).expect("decode CRL");

    assert_eq!(parsed.version, 2);
    // 1.2.840.113549.1.1.11 is sha256WithRSAEncryption.
    assert_eq!(parsed.signature_algorithm_oid, "1.2.840.113549.1.1.11");

    // Both validity timestamps in this fixture are expected to be UTCTime.
    let utc_time = Asn1TimeEncoding::UtcTime;
    assert_eq!(parsed.this_update.encoding, utc_time);
    assert_eq!(parsed.next_update.encoding, utc_time);
    // NOTE(review): only the encodings are pinned here; the test does not
    // check that this_update precedes next_update.

    let aki_hex = hex::encode_upper(&parsed.extensions.authority_key_identifier);
    assert_eq!(aki_hex, "05FC9C5B88506F7C0D3F862C8895BED67E9F8EBA");

    assert_eq!(parsed.extensions.crl_number.bytes_be, vec![12]);
    assert!(parsed.revoked_certs.is_empty());

    // Debug dump; the test harness shows it only for a failing test or
    // when run with `--nocapture`.
    println!("{parsed:#?}");
}
/// Checks that the CRL fixture's signature verifies against the issuing
/// certificate fixture.
///
/// NOTE(review): this covers the accepting path only. A verifier that
/// accepted every input would also pass, so a companion test in which
/// verification must return an error (a certificate that is not the issuer,
/// or CRL bytes that differ from the signed ones) would be needed to show
/// that the check rejects anything.
#[test]
fn crl_signature_verification_succeeds_with_issuer_cert() {
    const CRL_FIXTURE: &str =
        "tests/fixtures/repository/rpki.cernet.net/repo/cernet/0/05FC9C5B88506F7C0D3F862C8895BED67E9F8EBA.crl";
    // The certificate file name looks like the base64url form of the key
    // identifier in the CRL's file name -- confirm against the fixture set.
    const ISSUER_CERT_FIXTURE: &str =
        "tests/fixtures/repository/rpki.apnic.net/repository/B527EF581D6611E2BB468F7C72FD1FF2/BfycW4hQb3wNP4YsiJW-1n6fjro.cer";

    let crl_bytes = std::fs::read(CRL_FIXTURE).expect("read CRL fixture");
    let issuer_bytes =
        std::fs::read(ISSUER_CERT_FIXTURE).expect("read issuer certificate fixture");

    let parsed = RpkixCrl::decode_der(&crl_bytes).expect("decode CRL");
    parsed
        .verify_signature_with_issuer_certificate_der(&issuer_bytes)
        .expect("CRL signature must verify with issuer certificate");
}
/// Decodes a CRL fixture that carries revoked entries and checks each
/// entry's serial-number bytes and revocation-date encoding.
#[test]
fn decode_crl_with_revoked_entries() {
    let bytes = std::fs::read("tests/fixtures/0099DEAB073EFD74C250C0A382B25012B5082AEE.crl")
        .expect("read CRL fixture with revoked entries");
    let parsed = RpkixCrl::decode_der(&bytes).expect("decode CRL");

    assert_eq!(parsed.revoked_certs.len(), 21);

    for revoked in &parsed.revoked_certs {
        let serial = &revoked.serial_number.bytes_be;

        // Minimal big-endian form: never empty, and a leading 0x00 byte is
        // allowed only when the whole value is the single byte [0].
        // NOTE(review): the length is not bounded here; RFC 5280 limits
        // certificate serial numbers to 20 octets.
        assert!(!serial.is_empty());
        if serial.len() > 1 {
            assert_ne!(serial[0], 0);
        }

        // Years up to and including 2049 are expected as UTCTime, later
        // years as GeneralizedTime.
        let expected_encoding = if revoked.revocation_date.utc.year() > 2049 {
            Asn1TimeEncoding::GeneralizedTime
        } else {
            Asn1TimeEncoding::UtcTime
        };
        assert_eq!(revoked.revocation_date.encoding, expected_encoding);
    }

    // Debug dump; the test harness shows it only for a failing test or
    // when run with `--nocapture`.
    println!("{parsed:#?}");
}