96 lines
2.3 KiB
Go
96 lines
2.3 KiB
Go
package cpcps
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/zmap/zlint/v3/lint"
|
|
|
|
linttest "github.com/letsencrypt/boulder/linter/lints/test"
|
|
)
|
|
|
|
func TestCrlHasIDP(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
testCases := []struct {
|
|
name string
|
|
want lint.LintStatus
|
|
wantSubStr string
|
|
}{
|
|
{
|
|
name: "good", // CRL for subscriber certs
|
|
want: lint.Pass,
|
|
},
|
|
{
|
|
name: "good_subordinate_ca",
|
|
want: lint.Pass,
|
|
},
|
|
{
|
|
name: "no_idp",
|
|
want: lint.Warn,
|
|
wantSubStr: "CRL missing IssuingDistributionPoint",
|
|
},
|
|
{
|
|
name: "idp_no_dpn",
|
|
want: lint.Error,
|
|
wantSubStr: "User certificate CRLs MUST have at least one DistributionPointName FullName",
|
|
},
|
|
{
|
|
name: "idp_no_fullname",
|
|
want: lint.Error,
|
|
wantSubStr: "Failed to read IssuingDistributionPoint distributionPoint fullName",
|
|
},
|
|
{
|
|
name: "idp_no_uris",
|
|
want: lint.Error,
|
|
wantSubStr: "IssuingDistributionPoint FullName URI MUST be present",
|
|
},
|
|
{
|
|
name: "idp_two_uris",
|
|
want: lint.Notice,
|
|
wantSubStr: "IssuingDistributionPoint unexpectedly has more than one FullName",
|
|
},
|
|
{
|
|
name: "idp_https",
|
|
want: lint.Error,
|
|
wantSubStr: "IssuingDistributionPoint URI MUST use http scheme",
|
|
},
|
|
{
|
|
name: "idp_no_usercerts",
|
|
want: lint.Error,
|
|
wantSubStr: "Neither onlyContainsUserCerts nor onlyContainsCACerts was set",
|
|
},
|
|
{
|
|
name: "idp_some_reasons", // Subscriber cert
|
|
want: lint.Error,
|
|
wantSubStr: "Unexpected IssuingDistributionPoint fields were found",
|
|
},
|
|
{
|
|
name: "idp_distributionPoint_and_onlyCA",
|
|
want: lint.Error,
|
|
wantSubStr: "CA certificate CRLs SHOULD NOT have a DistributionPointName FullName",
|
|
},
|
|
{
|
|
name: "idp_distributionPoint_and_onlyUser_and_onlyCA",
|
|
want: lint.Error,
|
|
wantSubStr: "IssuingDistributionPoint should not have both onlyContainsUserCerts: TRUE and onlyContainsCACerts: TRUE",
|
|
},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
l := NewCrlHasIDP()
|
|
c := linttest.LoadPEMCRL(t, fmt.Sprintf("testdata/crl_%s.pem", tc.name))
|
|
r := l.Execute(c)
|
|
|
|
if r.Status != tc.want {
|
|
t.Errorf("expected %q, got %q", tc.want, r.Status)
|
|
}
|
|
if !strings.Contains(r.Details, tc.wantSubStr) {
|
|
t.Errorf("expected %q, got %q", tc.wantSubStr, r.Details)
|
|
}
|
|
})
|
|
}
|
|
}
|