Test manifest and crl invariants
ties committed Dec 14, 2023
1 parent f8b8d63 commit fa7af2f
Showing 1 changed file with 49 additions and 1 deletion.
Expand Up @@ -10,11 +10,14 @@
import net.ripe.rpki.ta.KeyStore;
import net.ripe.rpki.ta.Main;
import net.ripe.rpki.ta.TA;
import net.ripe.rpki.ta.config.Config;
import net.ripe.rpki.ta.config.Env;
import net.ripe.rpki.ta.config.EnvStub;
import net.ripe.rpki.ta.domain.TAState;
import net.ripe.rpki.ta.serializers.legacy.SignedManifest;
import net.ripe.rpki.ta.serializers.legacy.SignedObjectTracker;
import net.ripe.rpki.ta.serializers.legacy.SignedResourceCertificate;
import org.joda.time.*;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
Expand Down Expand Up @@ -148,6 +151,49 @@ public void test_process_request_revokes_manifest_ee_certificates() throws Excep
assertThat(manifestEE).allMatch(secondCrl::isRevoked);
}

/**
* Check the manifest and CRL invariants that should hold.
* * manifest and CRL validity period match
* * no CRL entries are after thisUpdate
* @param state
*/
private void validateManifestAndCrlInvariants(TAState state) {
// sanity check on config
assertThat(state.getConfig().getMinimumValidityPeriod().toDurationFrom(Instant.now()).toDuration()).isGreaterThan(Duration.standardDays(1));

var crl = state.getCrl();
if (crl != null) {
// Check CRL lifetime is at least the minimum period
assertThat(crl.getThisUpdateTime().plus(state.getConfig().getMinimumValidityPeriod())).isLessThanOrEqualTo(crl.getNextUpdateTime());
// check that CRL does not contain entries in the future
crl.getRevokedCertificates().forEach(revokedEntry -> {
assertThat(revokedEntry.getRevocationDateTime()).isLessThanOrEqualTo(crl.getThisUpdateTime());
});
}

/**
* Check the manifest(s) against CRL validity. There are two parts here:
* * Manifest thisUpdate/nextUpdate
* * EE cert validity
*/

// check manifest against CRL validity
state.getSignedManifests().forEach(manifestWrapper -> {
var manifest = manifestWrapper.getManifest();
assertThat(manifestWrapper.getNotValidAfter()).isEqualTo(manifest.getNotValidAfter());

// thisUpdate/nextUpdate
assertThat(manifest.getThisUpdateTime()).isEqualTo(crl.getThisUpdateTime());
assertThat(manifest.getNextUpdateTime()).isEqualTo(crl.getNextUpdateTime());

// EE validity
var eeValidityPeriod = manifest.getValidityPeriod();

assertThat(eeValidityPeriod.getNotValidBefore()).isEqualTo(crl.getThisUpdateTime());
assertThat(eeValidityPeriod.getNotValidAfter()).isEqualTo(crl.getNextUpdateTime());
});
}

@Test
public void test_process_request_reissue_revokes_old_cert() throws Exception {
assertThat(run("--initialise --env=test").exitCode).isZero();
Expand Down Expand Up @@ -360,6 +406,8 @@ private X509ResourceCertificate getTaCertificate(TAState taState) throws Excepti
}

private TAState reloadTaState() throws Exception {
return TA.load(EnvStub.test()).getState();
var state = TA.load(EnvStub.test()).getState();
validateManifestAndCrlInvariants(state);
return state;
}
}
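Review bot: In validateManifestAndCrlInvariants the CRL checks are guarded by `if (crl != null)`, but the manifest loop that follows dereferences `crl` unconditionally (`crl.getThisUpdateTime()` / `crl.getNextUpdateTime()` in the thisUpdate/nextUpdate and EE-validity assertions), so a state with signed manifests and no CRL fails with a NullPointerException instead of a readable assertion. Since a manifest without a CRL is itself an invariant violation, make that explicit as the first statement of the lambda, `assertThat(crl).as("signed manifest requires a CRL").isNotNull();`, so the failure names the invariant rather than the symptom. The `/** ... */` block inside the method body is not in a Javadoc position and reads as a stray doc comment; a plain `//` comment (or folding the two bullets into the method's Javadoc, whose `@param state` is currently empty) would be cleaner. The sanity check on the minimum validity period chains `.toDurationFrom(Instant.now()).toDuration()`, where the trailing `.toDuration()` appears to be a no-op on a Joda `Duration` and could be dropped. The same invariants are now exercised on every reloadTaState() call in the last hunk, so any pre-existing test state that lacks a CRL will surface there first.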
