use std::path::PathBuf;
use rpki::data_model::aspa::AspaEContent;
use rpki::data_model::aspa::AspaObject;
use rpki::data_model::crl::RpkixCrl;
use rpki::data_model::manifest::ManifestEContent;
use rpki::data_model::manifest::ManifestObject;
use rpki::data_model::rc::ResourceCertificate;
use rpki::data_model::roa::RoaEContent;
use rpki::data_model::roa::RoaObject;
use rpki::data_model::signed_object::RpkiSignedObject;
use rpki::data_model::ta::{TaCertificate, TrustAnchor};
use rpki::data_model::tal::Tal;
/// Smoke test for the layered `parse_*` -> `validate_profile` -> verify API.
///
/// Loads one fixture per RPKI object kind (TAL, TA certificate, CA resource
/// certificate, generic signed object, manifest, ROA, ASPA, CRL) and panics at
/// the first stage that returns an error.
///
/// Scope, as far as the calls in this function show:
/// - only the accept path is exercised; no malformed or tampered fixture is
///   fed in, so a validator that accepts everything would still pass;
/// - signatures are checked per object (`verify_self_signature`, `verify`);
///   nothing here validates a certification path from an EE certificate up to
///   the trust anchor, and the CRL is only parsed and profile-checked, not
///   verified against an issuer or consulted for revocation.
#[test]
fn scheme_a_layered_api_smoke() {
    // Reads a fixture by relative path; every call site keeps its own panic message.
    let read_fixture = |rel: &str| std::fs::read(PathBuf::from(rel));

    // --- TAL / TA certificate / TrustAnchor binding ---
    let tal_raw = read_fixture("tests/fixtures/tal/ripe-ncc.tal").expect("read TAL fixture");
    let tal_parsed = Tal::parse_bytes(&tal_raw).expect("parse TAL");
    let tal = tal_parsed.validate_profile().expect("validate TAL profile");

    let ta_raw = read_fixture("tests/fixtures/ta/ripe-ncc-ta.cer").expect("read TA cert fixture");
    let ta_parsed = TaCertificate::parse_der(&ta_raw).expect("parse TA cert");
    let ta = ta_parsed
        .validate_profile()
        .expect("validate TA constraints");
    ta.verify_self_signature()
        .expect("verify TA self-signature");

    // The URI must be copied out before `tal` is moved into `bind`.
    let first_uri = tal.ta_uris.first().cloned();
    let resolved = first_uri.expect("TAL must include at least one TA URI");
    // NOTE(review): presumably `bind` checks that the TAL's pinned key matches the
    // certificate's key — confirm; this test only asserts that it returns Ok for a
    // matching pair and never tries a mismatched TAL/certificate.
    let _anchor = TrustAnchor::bind(tal, ta, Some(&resolved)).expect("bind trust anchor");

    // --- CA resource certificate (the fixture other tests use as an issuer) ---
    let ca_raw = read_fixture(
        "tests/fixtures/repository/rpki.apnic.net/repository/B527EF581D6611E2BB468F7C72FD1FF2/BfycW4hQb3wNP4YsiJW-1n6fjro.cer",
    )
    .expect("read CA cert fixture");
    let ca_parsed =
        ResourceCertificate::parse_der(&ca_raw).expect("parse CA resource certificate");
    let ca_cert = ca_parsed
        .validate_profile()
        .expect("validate CA resource certificate profile");
    // NOTE(review): second `validate_profile`, this time on the value the first one
    // returned — presumably exercising the validated layer's own method; confirm it
    // is intentional and not a leftover duplicate. The same pattern recurs below.
    ca_cert
        .validate_profile()
        .expect("validate CA resource certificate profile");

    // --- Generic signed-object wrapper, fed the manifest bytes ---
    let mft_raw = read_fixture(
        "tests/fixtures/repository/rpki.cernet.net/repo/cernet/0/05FC9C5B88506F7C0D3F862C8895BED67E9F8EBA.mft",
    )
    .expect("read MFT fixture");
    let so_parsed = RpkiSignedObject::parse_der(&mft_raw).expect("parse signed object");
    let signed = so_parsed
        .validate_profile()
        .expect("validate signed object profile");
    signed.verify().expect("verify CMS signature");

    // --- Manifest: object layer, then its eContent layer ---
    let manifest_parsed = ManifestObject::parse_der(&mft_raw).expect("parse manifest");
    let manifest = manifest_parsed
        .validate_profile()
        .expect("validate manifest profile");
    manifest
        .validate_profile()
        .expect("validate manifest profile");
    manifest
        .validate_embedded_ee_cert()
        .expect("validate manifest EE resources");
    manifest
        .signed_object
        .verify()
        .expect("verify manifest CMS signature");
    let manifest_payload = &manifest.signed_object.signed_data.encap_content_info.econtent;
    let manifest_body = ManifestEContent::parse_der(manifest_payload)
        .expect("parse MFT eContent")
        .validate_profile()
        .expect("validate MFT eContent profile");
    manifest_body
        .validate_profile()
        .expect("validate MFT eContent profile");

    // --- ROA: object layer, then its eContent layer ---
    let roa_raw = read_fixture("tests/fixtures/repository/rpki.cernet.net/repo/cernet/0/AS4538.roa")
        .expect("read ROA fixture");
    let roa_parsed = RoaObject::parse_der(&roa_raw).expect("parse ROA");
    let roa = roa_parsed.validate_profile().expect("validate ROA profile");
    roa.validate_embedded_ee_cert()
        .expect("validate ROA EE resources");
    roa.signed_object
        .verify()
        .expect("verify ROA CMS signature");
    let roa_payload = &roa.signed_object.signed_data.encap_content_info.econtent;
    let roa_body = RoaEContent::parse_der(roa_payload)
        .expect("parse ROA eContent")
        .validate_profile()
        .expect("validate ROA eContent profile");
    roa_body
        .validate_profile()
        .expect("validate ROA eContent profile");

    // --- ASPA: object layer, then its eContent layer ---
    let aspa_raw = read_fixture(
        "tests/fixtures/repository/chloe.sobornost.net/rpki/RIPE-nljobsnijders/5m80fwYws_3FiFD7JiQjAqZ1RYQ.asa",
    )
    .expect("read ASPA fixture");
    let aspa_parsed = AspaObject::parse_der(&aspa_raw).expect("parse ASPA");
    let aspa = aspa_parsed
        .validate_profile()
        .expect("validate ASPA profile");
    aspa.validate_embedded_ee_cert()
        .expect("validate ASPA EE resources");
    aspa.signed_object
        .verify()
        .expect("verify ASPA CMS signature");
    let aspa_payload = &aspa.signed_object.signed_data.encap_content_info.econtent;
    let aspa_body = AspaEContent::parse_der(aspa_payload)
        .expect("parse ASPA eContent")
        .validate_profile()
        .expect("validate ASPA eContent profile");
    aspa_body
        .validate_profile()
        .expect("validate ASPA eContent profile");

    // --- CRL ---
    // The fixture is described as carrying revoked entries, but nothing below
    // inspects them; only parsing and profile validation are asserted.
    let crl_raw = read_fixture("tests/fixtures/0099DEAB073EFD74C250C0A382B25012B5082AEE.crl")
        .expect("read CRL fixture with revoked entries");
    let crl_parsed = RpkixCrl::parse_der(&crl_raw).expect("parse CRL");
    let crl = crl_parsed
        .validate_profile()
        .expect("validate CRL profile");
    crl.validate_profile().expect("validate CRL profile");
}