rpki/tests/test_ca_instance_discovery.rs
2026-02-10 12:09:59 +08:00


use rpki::data_model::manifest::ManifestObject;
use rpki::data_model::ta::TrustAnchor;
use rpki::data_model::tal::Tal;
use rpki::validation::ca_instance::{CaInstanceUrisError, ca_instance_uris_from_ca_certificate};
use url::Url;
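/// Loads a TAL fixture and its matching TA certificate fixture and binds them.
///
/// `tal_name` and `ta_name` are file names under `tests/fixtures/tal/` and
/// `tests/fixtures/ta/` respectively. The first URI listed in the TAL is
/// passed to `bind_der` as the "resolved" location of the TA certificate.
///
/// # Panics
/// Panics with a message naming the failing step when a fixture cannot be
/// read, the TAL cannot be decoded, the TAL lists no TA URI, or `bind_der`
/// rejects the TAL/TA pair.
fn load_tal_and_ta_fixture(tal_name: &str, ta_name: &str) -> TrustAnchor {
    let tal_path = format!("tests/fixtures/tal/{tal_name}");
    // Include the path and the I/O error so a missing or unreadable fixture
    // is diagnosable from the panic alone.
    let tal_bytes = std::fs::read(&tal_path)
        .unwrap_or_else(|e| panic!("read TAL fixture {tal_path}: {e}"));
    let tal = Tal::decode_bytes(&tal_bytes).expect("decode TAL");

    let ta_path = format!("tests/fixtures/ta/{ta_name}");
    let ta_der = std::fs::read(&ta_path)
        .unwrap_or_else(|e| panic!("read TA fixture {ta_path}: {e}"));

    // A TAL without any URI is malformed; `first()` turns that into a clear
    // failure instead of an index-out-of-bounds panic.
    let resolved = tal
        .ta_uris
        .first()
        .cloned()
        .expect("TAL fixture lists at least one TA URI");
    TrustAnchor::bind_der(tal, &ta_der, Some(&resolved)).expect("bind TAL and TA")
}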
/// Every bundled RIR trust anchor certificate must yield a complete set of CA
/// instance URIs: rsync directory URIs for the base and the publication point,
/// an rsync URI for the manifest, and — when one is present — an HTTPS RRDP
/// notification URI.
#[test]
fn ca_instance_uris_are_discoverable_from_trust_anchor_certificates() {
    /// An rsync "directory" URI: rsync scheme and a trailing slash.
    fn assert_rsync_directory(uri: &str) {
        assert!(uri.starts_with("rsync://"));
        assert!(uri.ends_with('/'));
    }

    let fixtures = [
        ("afrinic.tal", "afrinic-ta.cer"),
        ("apnic-rfc7730-https.tal", "apnic-ta.cer"),
        ("arin.tal", "arin-ta.cer"),
        ("lacnic.tal", "lacnic-ta.cer"),
        ("ripe-ncc.tal", "ripe-ncc-ta.cer"),
    ];

    for (tal_name, ta_name) in fixtures {
        let trust_anchor = load_tal_and_ta_fixture(tal_name, ta_name);
        let ca_cert = &trust_anchor.ta_certificate.rc_ca;
        let uris =
            ca_instance_uris_from_ca_certificate(ca_cert).expect("extract CA instance URIs");

        assert_rsync_directory(&uris.rsync_base_uri);
        assert_rsync_directory(&uris.publication_point_rsync_uri);

        // NOTE(review): a tighter check would be that the manifest URI lies
        // under the publication point; confirm against the fixtures first.
        let manifest_uri = &uris.manifest_rsync_uri;
        assert!(manifest_uri.starts_with("rsync://"));
        assert!(
            manifest_uri.ends_with(".mft"),
            "manifest URI should look like an mft: {}",
            manifest_uri
        );

        // The RRDP notification URI is optional in this model; when it is
        // advertised it must be served over HTTPS.
        if let Some(notification_uri) = uris.rrdp_notification_uri.as_deref() {
            assert_eq!(Url::parse(notification_uri).unwrap().scheme(), "https");
        }
    }
}
/// An EE certificate (here the one embedded in a manifest's signed data) is not
/// a CA certificate, so URI discovery must fail with `NotCa` rather than
/// succeed. Pinning this keeps a leaf certificate from steering discovery.
#[test]
fn ca_instance_uris_rejects_ee_certificate() {
    const MANIFEST_FIXTURE: &str =
        "tests/fixtures/repository/rpki.cernet.net/repo/cernet/0/05FC9C5B88506F7C0D3F862C8895BED67E9F8EBA.mft";

    let manifest_der = std::fs::read(MANIFEST_FIXTURE).expect("read manifest fixture");
    let manifest = ManifestObject::decode_der(&manifest_der).expect("decode manifest");

    // The first certificate carried in the CMS SignedData is the manifest's EE.
    let ee_cert = &manifest.signed_object.signed_data.certificates[0].resource_cert;
    let err = ca_instance_uris_from_ca_certificate(ee_cert).unwrap_err();
    assert!(
        matches!(err, CaInstanceUrisError::NotCa),
        "expected NotCa, got: {err}"
    );
}