/**
* In this case, we have an app whose $appCertPem appears valid, and we have CRL
* whose $crlDistCertPem is signed, but the $crlDistCertPem has usage rules
* which do not allow signing CRLs.
*/
public function testCRL_SignedByNonDist()
{
// create CA
$caKeyPairPems = KeyPair::create();
$caCertPem = CA::create($caKeyPairPems, '/O=test');
$this->assertNotEmpty($caCertPem);
// create would-be CRL dist authority -- but not really authorized for signing CRLs.
// note createCSR() instead of createCrlDistCSR().
$crlDistKeyPairPems = KeyPair::create();
$crlDistCertPem = CA::signCSR($caKeyPairPems, $caCertPem, CA::createAppCSR($crlDistKeyPairPems, '/O=test'));
$this->assertNotEmpty($crlDistCertPem);
$certValidator = new DefaultCertificateValidator($caCertPem, NULL, NULL);
$certValidator->validateCert($crlDistCertPem);
// create CRL
$crlDistCertObj = X509Util::loadCert($crlDistCertPem, $crlDistKeyPairPems, $caCertPem);
$this->assertNotEmpty($crlDistCertObj);
$crlObj = new \File_X509();
$crlObj->setSerialNumber(1, 10);
$crlObj->setEndDate('+2 days');
$crlPem = $crlObj->saveCRL($crlObj->signCRL($crlDistCertObj, $crlObj));
$this->assertNotEmpty($crlPem);
$crlObj->loadCRL($crlPem);
// create cert
$appKeyPair = KeyPair::create();
$appCertPem = CA::signCSR($caKeyPairPems, $caCertPem, CA::createAppCSR($appKeyPair, '/O=Application Provider'), 4321);
// validate cert - fails due to improper CRL
try {
$certValidator = new DefaultCertificateValidator($caCertPem, $crlDistCertPem, $crlPem);
$certValidator->validateCert($appCertPem);
$this->fail('Expected InvalidCertException, but no exception was reported.');
} catch (InvalidCertException $e) {
$this->assertRegExp('/CRL-signing certificate is not a CRL-signing certificate/', $e->getMessage());
}
}
